

33 Commits

Brad Davidson
43f9c3ae0a Fix handling of IPv6 addresses and long hostnames
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-23 23:38:49 -08:00
Brad Davidson
284cc004e8 Fix listenAndServe certificate expiration by preloading certs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-23 23:38:49 -08:00
Kinara Shah
120a37b97a Merge pull request #51 from nickgerace/quick-fix
Add README
2021-11-19 14:29:09 -08:00
Nick Gerace
bbac29e0fa Add README 2021-11-19 13:50:48 -05:00
Kinara Shah
962b635269 Merge pull request #50 from nickgerace/quick-fix
Fix defaultNewSignedCertExpirationDays const
2021-11-19 10:28:49 -08:00
Nick Gerace
f147aa4166 Fix defaultNewSignedCertExpirationDays const
This is a quick fix for 2644a6ed16
2021-11-19 12:31:47 -05:00
Kinara Shah
63157c59ce Merge pull request #46 from nickgerace/days
Allow for default expiration days to be loaded from env
2021-11-19 08:59:57 -08:00
Nick Gerace
2644a6ed16 Allow for default expiration days to be loaded from env 2021-11-18 12:38:35 -05:00
Brian Downs
27f4642299 Add ability to force cert regeneration (#43)
* add ability to force cert regeneration
2021-11-15 13:50:26 -07:00
Caleb Bron
cd5d71f2fe Merge pull request #44 from cmurphy/fix-type
Fix net.Conn type assertion
2021-11-04 13:09:48 -07:00
Colleen Murphy
fb66484384 Fix net.Conn type assertion
Don't assert that all connections are wrapped, as they won't be if
the CloseConnOnCertChange setting is false. Only run the assertion
within a conditional for wrapped connections, where it is safe. This
prevents a panic from happening when CloseConnOnCertChange is not used.
2021-10-29 11:03:02 -07:00
Darren Shepherd
6b37dc1212 Merge pull request #42 from cmurphy/fix-close-conn
Skip closing an initializing connection
2021-10-27 08:35:21 -07:00
Colleen Murphy
c7dd355394 Skip closing an initializing connection
Without this change, if a cert is updated (e.g. to add CNs) while the
listener is in the middle of Accept()ing a new connection, the
connection gets dropped, we'll see a message like this in the server
logs:

  http: TLS handshake error from 127.0.0.1:51232: write tcp 127.0.7.1:8443->127.0.0.1:51232: use of closed network connection

and the client (like a browser) won't necessarily reconnect. This change
modifies the GetCertificate routine in the listener's tls.Config to
keep track of the state of the incoming connections and only close
connections that have completed GetCertificate and therefore are
finished with their TLS handshake, so that only old established
connections are closed.
2021-10-25 13:17:24 -07:00
Darren Shepherd
94e22490cf Merge pull request #41 from weihanglo/nil-defer-storage-tls
Merge TLS only if TLS factory is set
2021-08-03 10:23:59 -07:00
Weihang Lo
b45d8a455e Merge TLS only if TLS factory is set
Since `storage.tls` is optional, we should check its existence before
calling its methods.
2021-07-12 18:25:01 +08:00
Darren Shepherd
9865ae859c Don't reset connections on the first load of the certs 2021-06-16 01:00:09 -07:00
Darren Shepherd
db883ae66a Don't reset connections on the first load of the certs 2021-06-16 00:23:14 -07:00
Darren Shepherd
9dfd7df057 Pass context to http server as BaseContext 2021-06-15 22:42:42 -07:00
Darren Shepherd
ff22834bde Avoid panic when secret is nil 2021-06-15 22:42:42 -07:00
Sjoerd Simons
dc7452dbb8 Accept IPv6 address as CN names
Expand the cnRegexp to also accept ipv6 addresses such as:
  * ::1
  * 2a00:1450:400e:80e::
  * 2a00:1450:400e:80e::200e

Fixes: #37

Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
2021-06-14 11:07:13 -07:00
Dan Ramich
86af265dcd Merge pull request #35 from dramich/panic
Update IsStatic to check for nil annotations
2021-04-26 09:21:45 -06:00
Dan Ramich
f373fc1c7c Update IsStatic to check for nil annotations 2021-04-23 14:56:14 -06:00
Darren Shepherd
e7b1adba70 Update to wrangler v0.8.0 and merge v0.2.x to master 2021-04-12 15:09:30 -07:00
Darren Shepherd
a60200ab9e Merge tag 'v0.2.3' 2021-04-12 15:00:05 -07:00
Darren Shepherd
9b1b7d3132 Add filter helper method 2020-11-09 21:52:17 -07:00
Darren Shepherd
85f32491cb Add dumb hook to set the organization in the client cert 2020-09-10 13:32:14 -07:00
Darren Shepherd
ebebb82b9b Add LoadOrGenClient to handle client cert generation 2020-08-01 23:37:51 -07:00
Darren Shepherd
bafb051656 Merge pull request #27 from ibuildthecloud/master
Fix error masking issue
2020-07-27 22:48:58 -07:00
Darren Shepherd
3b42c52bec Fix error masking issue
Also don't do an extra lookup of TLS secret after update.
2020-07-27 22:48:13 -07:00
Darren Shepherd
207e8a5c14 Merge pull request #23 from KnicKnic/fix_certpath_windows
fix certpath generation for windows
2020-07-27 22:48:06 -07:00
Darren Shepherd
9c1939da3a Merge pull request #25 from ibuildthecloud/master
Stop using wrangler-api project
2020-07-14 13:10:33 -07:00
Darren Shepherd
5529139fbe Update vendor 2020-07-14 13:09:07 -07:00
Darren Shepherd
bcbb612b24 Stop using wrangler-api project 2020-07-14 13:09:07 -07:00
4 changed files with 18 additions and 15 deletions


@@ -45,15 +45,16 @@ const (
duration365d = time.Hour * 24 * 365
)
var ErrStaticCert = errors.New("cannot renew static certificate")
var (
ErrStaticCert = errors.New("cannot renew static certificate")
)
// Config contains the basic fields required for creating a certificate.
// Config contains the basic fields required for creating a certificate
type Config struct {
CommonName string
Organization []string
AltNames AltNames
Usages []x509.ExtKeyUsage
ExpiresAt time.Duration
}
// AltNames contains the domain names and IP addresses that will be added
@@ -96,8 +97,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
return x509.ParseCertificate(certDERBytes)
}
// NewSignedCert creates a signed certificate using the given CA certificate and key based
// on the given configuration.
// NewSignedCert creates a signed certificate using the given CA certificate and key
func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
if err != nil {
@@ -109,12 +109,6 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
if len(cfg.Usages) == 0 {
return nil, errors.New("must specify at least one ExtKeyUsage")
}
var expiresAt time.Duration
if cfg.ExpiresAt > 0 {
expiresAt = time.Duration(cfg.ExpiresAt)
} else {
expiresAt = duration365d
}
certTmpl := x509.Certificate{
Subject: pkix.Name{
@@ -125,7 +119,7 @@ func NewSignedCert(cfg Config, key crypto.Signer, caCert *x509.Certificate, caKe
IPAddresses: cfg.AltNames.IPs,
SerialNumber: serial,
NotBefore: caCert.NotBefore,
NotAfter: time.Now().Add(expiresAt).UTC(),
NotAfter: time.Now().Add(duration365d).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: cfg.Usages,
}


@@ -208,7 +208,10 @@ func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
// IsStatic returns true if the Secret has an attribute indicating that it contains
// a static (aka user-provided) certificate, which should not be modified.
func IsStatic(secret *v1.Secret) bool {
return secret.Annotations[Static] == "true"
if secret != nil && secret.Annotations != nil {
return secret.Annotations[Static] == "true"
}
return false
}
// NeedsUpdate returns true if any of the CNs are not currently present on the
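Review bot: In the new IsStatic body the `secret.Annotations != nil` test is redundant: indexing a nil map in Go yields the zero value, so `secret.Annotations[Static]` already evaluates to `""` and the comparison is false; only the `secret != nil` guard is needed to avoid the panic. A guard-clause form keeps the happy path left-aligned: `if secret == nil { return false }` followed by `return secret.Annotations[Static] == "true"`. Behaviour is identical either way, so this is a style point only.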

2
go.mod

@@ -1,6 +1,6 @@
module github.com/rancher/dynamiclistener
go 1.16
go 1.12
require (
github.com/rancher/wrangler v0.8.9


@@ -64,7 +64,10 @@ func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.H
}
tlsServer := http.Server{
Handler: handler,
Handler: handler,
BaseContext: func(listener net.Listener) context.Context {
return ctx
},
ErrorLog: errorLog,
}
@@ -86,6 +89,9 @@ func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.H
Addr: fmt.Sprintf("%s:%d", opts.BindHost, httpPort),
Handler: handler,
ErrorLog: errorLog,
BaseContext: func(listener net.Listener) context.Context {
return ctx
},
}
go func() {
logrus.Infof("Listening on %s:%d", opts.BindHost, httpPort)
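Review bot: The `BaseContext` closure added to the HTTPS server literal and again to the HTTP server literal is the same three lines with an unused `listener` parameter; declare it once before the first literal as `baseContext := func(_ net.Listener) context.Context { return ctx }` and set `BaseContext: baseContext,` in both, which also makes the ignored parameter explicit. Neither server literal visible here sets `ReadHeaderTimeout` or `ReadTimeout`, so a client that never finishes sending its headers can hold a connection open indefinitely; if these are not set elsewhere in ListenAndServe (its body continues outside both hunks), adding `ReadHeaderTimeout` to both literals is worth considering.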