rancher/dynamiclistener
1
0
Fork 0
forked from github/dynamiclistener
Code Issues Pull Requests Projects Releases Wiki Activity

Add LoadOrGenClient to handle client cert generation

Browse Source
This commit is contained in:
Darren Shepherd
2020-08-01 23:37:32 -07:00
parent bafb051656
commit ebebb82b9b
2 changed files with 73 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
storage/kubernetes/ca.go
View File

@@ -19,6 +19,23 @@ func LoadOrGenCA(secrets v1controller.SecretClient, namespace, name string) (*x5
return factory.LoadCA(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
}
func LoadOrGenClient(secrets v1controller.SecretClient, namespace, name, cn string, ca *x509.Certificate, key crypto.Signer) (*x509.Certificate, crypto.Signer, error) {
secret, err := getClientSecret(secrets, namespace, name, cn, ca, key)
if err != nil {
return nil, nil, err
}
return factory.LoadCA(secret.Data[v1.TLSCertKey], secret.Data[v1.TLSPrivateKeyKey])
}
func getClientSecret(secrets v1controller.SecretClient, namespace, name, cn string, caCert *x509.Certificate, caKey crypto.Signer) (*v1.Secret, error) {
s, err := secrets.Get(namespace, name, metav1.GetOptions{})
if !errors.IsNotFound(err) {
return s, err
}
return createAndStoreClientCert(secrets, namespace, name, cn, caCert, caKey)
}
func getSecret(secrets v1controller.SecretClient, namespace, name string) (*v1.Secret, error) {
s, err := secrets.Get(namespace, name, metav1.GetOptions{})
if !errors.IsNotFound(err) {
@@ -28,6 +45,37 @@ func getSecret(secrets v1controller.SecretClient, namespace, name string) (*v1.S
return createAndStore(secrets, namespace, name)
}
func createAndStoreClientCert(secrets v1controller.SecretClient, namespace string, name, cn string, caCert *x509.Certificate, caKey crypto.Signer) (*v1.Secret, error) {
key, err := factory.NewPrivateKey()
if err != nil {
return nil, err
}
cert, err := factory.NewSignedClientCert(key, caCert, caKey, cn)
if err != nil {
return nil, err
}
certPem, keyPem, err := factory.Marshal(cert, key)
if err != nil {
return nil, err
}
secret := &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
},
Data: map[string][]byte{
v1.TLSCertKey: certPem,
v1.TLSPrivateKeyKey: keyPem,
},
Type: v1.SecretTypeTLS,
}
return secrets.Create(secret)
}
func createAndStore(secrets v1controller.SecretClient, namespace string, name string) (*v1.Secret, error) {
ca, cert, err := factory.GenCA()
if err != nil {