diff --git a/go.mod b/go.mod
index 1f004ffc0..eb710d1f5 100644
--- a/go.mod
+++ b/go.mod
@@ -9,8 +9,8 @@ require (
 github.com/onsi/ginkgo v1.15.0
 github.com/onsi/gomega v1.10.5
 github.com/pkg/errors v0.9.1
- github.com/qinqon/kube-admission-webhook v0.14.0
- go.uber.org/zap v1.15.0
+ github.com/qinqon/kube-admission-webhook v0.13.1-0.20210428050423-7d316ca9d803
+ go.uber.org/zap v1.15.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.1.0
 k8s.io/api v0.20.2
 k8s.io/apimachinery v0.20.2
diff --git a/go.sum b/go.sum
index 0529734c5..9f7506327 100644
--- a/go.sum
+++ b/go.sum
@@ -704,6 +704,8 @@ github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O
 github.com/prometheus/prometheus v2.3.2+incompatible/go.mod h1:oAIUtOny2rjMX0OWN5vPR5/q/twIROJvdqnQKDdil/s=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/prometheus/tsdb v0.8.0/go.mod h1:fSI0j+IUQrDd7+ZtR9WKIGtoYAYAJUKcKhYLG25tN4g=
+github.com/qinqon/kube-admission-webhook v0.13.1-0.20210428050423-7d316ca9d803 h1:CKTj9AnN/xj6cM0m+WtlCUtbQHu4775lYlE2V83LMWA=
+github.com/qinqon/kube-admission-webhook v0.13.1-0.20210428050423-7d316ca9d803/go.mod h1:eYJw+S+JSprEMLzGNmE0GFIlSrBQw0lAVES/ZjgM2FI=
 github.com/qinqon/kube-admission-webhook v0.14.0 h1:6xISgqhwTv3WKhHDT5Iypc72m6rqw700A4VMzqTymwk=
 github.com/qinqon/kube-admission-webhook v0.14.0/go.mod h1:eYJw+S+JSprEMLzGNmE0GFIlSrBQw0lAVES/ZjgM2FI=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go
index 781eb34f9..ffc9950a1 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go
@@ -120,7 +120,7 @@ func (m *Manager) getCACertsFromCABundle() ([]*x509.Certificate, error) {
 return cas, nil
 }
 
-func (m *Manager) getLastAppendedCACertFromCABundle() (*x509.Certificate, error) {
+func (m *Manager) getLastPrependedCACertFromCABundle() (*x509.Certificate, error) {
 cas, err := m.getCACertsFromCABundle()
 if err != nil {
 return nil, errors.Wrap(err, "failed getting CA certificates from CA bundle")
@@ -128,7 +128,7 @@ func (m *Manager) getLastAppendedCACertFromCABundle() (*x509.Certificate, error)
 if len(cas) == 0 {
 return nil, nil
 }
- return cas[len(cas)-1], nil
+ return cas[0], nil
 }
 
 func (m *Manager) rotateAll() error {
@@ -262,7 +262,7 @@ func (m *Manager) nextRotationDeadlineForCA() time.Time {
 
 // Last rotated CA cert at CABundle is the last at the slice so this
 // calculate deadline from it.
- caCert, err := m.getLastAppendedCACertFromCABundle()
+ caCert, err := m.getLastPrependedCACertFromCABundle()
 if err != nil {
 m.log.Info("Failed reading last CA cert from CABundle, forcing rotation", "err", err)
 return m.now()
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
index e8fb961dd..ddc3a0db0 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
@@ -166,7 +166,7 @@ func (m *Manager) verifyTLSSecret(secretKey types.NamespacedName, caKeyPair *tri
 return errors.New("CA bundle has no certificates")
 }
 
- lastCertFromCABundle := getLastCert(certsFromCABundle)
+ lastCertFromCABundle := getFirstCert(certsFromCABundle)
 if !reflect.DeepEqual(*lastCertFromCABundle, *caKeyPair.Cert) {
 return errors.New("CA bundle and CA secret certificate are different")
@@ -236,9 +236,9 @@ func (m *Manager) getTLSKeyPair(secretKey types.NamespacedName) (*triple.KeyPair
 return nil, errors.Wrapf(err, "failed parsing TLS private key PEM at secret %s", secretKey)
 }
 
- lastAppendedCert := getLastCert(certs)
+ lastPrependedCert := getFirstCert(certs)
 
- return &triple.KeyPair{Key: privateKey.(*rsa.PrivateKey), Cert: lastAppendedCert}, nil
+ return &triple.KeyPair{Key: privateKey.(*rsa.PrivateKey), Cert: lastPrependedCert}, nil
 }
 
 func (m *Manager) getTLSCerts(secretKey types.NamespacedName) ([]*x509.Certificate, error) {
@@ -265,11 +265,11 @@ func (m *Manager) caSecretKey() types.NamespacedName {
 return types.NamespacedName{Namespace: m.namespace, Name: m.webhookName + "-ca"}
 }
 
-// Certs are appended to implement overlap so we take the last one
+// Certs are prepended to implement overlap so we take the first one
 // it will match with the key
-func getLastCert(certs []*x509.Certificate) *x509.Certificate {
+func getFirstCert(certs []*x509.Certificate) *x509.Certificate {
 if len(certs) == 0 {
 return nil
 }
- return certs[len(certs)-1]
+ return certs[0]
 }
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/cert.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/cert.go
index 55aabf77b..808e77658 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/cert.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/cert.go
@@ -23,6 +23,7 @@ import (
 "crypto/rand"
 cryptorand "crypto/rand"
 "crypto/rsa"
+ "crypto/tls"
 "crypto/x509"
 "crypto/x509/pkix"
 "encoding/pem"
@@ -177,6 +178,11 @@ func VerifyTLS(certsPEM, keyPEM, caBundle []byte) error {
 return errors.Wrap(err, "failed to verify certificate")
 }
 
+ _, err = tls.X509KeyPair(certsPEM, keyPEM)
+ if err != nil {
+ return errors.Wrap(err, "failed parsing TLS public/private key")
+ }
+
 logger.Info("TLS certificates chain verified")
 return nil
 }
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
index f34666f12..206fd57f4 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
@@ -197,7 +197,9 @@ func AddCertToPEM(cert *x509.Certificate, pemCerts []byte) ([]byte, error) {
 return nil, fmt.Errorf("failed parsing current certs PEM: %w", err)
 }
 }
- certs = append(certs, cert)
+ // Prepend cert since it's what TLS expects [1]
+ // [1] https://github.com/golang/go/blob/master/src/crypto/tls/tls.go#L292-L294
+ certs = append([]*x509.Certificate{cert}, certs...)
 return EncodeCertsPEM(certs), nil
 }
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6b0573104..e05928d60 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -161,7 +161,7 @@ github.com/prometheus/common/model
 github.com/prometheus/procfs
 github.com/prometheus/procfs/internal/fs
 github.com/prometheus/procfs/internal/util
-# github.com/qinqon/kube-admission-webhook v0.14.0
+# github.com/qinqon/kube-admission-webhook v0.13.1-0.20210428050423-7d316ca9d803
 ## explicit
 github.com/qinqon/kube-admission-webhook/pkg/certificate
 github.com/qinqon/kube-admission-webhook/pkg/certificate/triple