forked from kelseyhightower/certificate-init-container
-
Notifications
You must be signed in to change notification settings - Fork 3
/
main.go
328 lines (286 loc) · 11.1 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
// Copyright 2017 Google Inc. All Rights Reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"context"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"flag"
"fmt"
"io/ioutil"
"log"
"net"
"os"
"path"
"strings"
"time"
certificates "github.com/onedata/k8s/apis/certificates/v1"
corev1 "github.com/onedata/k8s/apis/core/v1"
"github.com/onedata/k8s"
v1 "github.com/onedata/k8s/apis/meta/v1"
)
var (
additionalDNSNames string
certDir string
clusterDomain string
hostname string
namespace string
podIP string
podName string
serviceIPs string
serviceNames string
subdomain string
labels string
secretName string
signerName string
signerSecret string
signerNamespace string
createSecret bool
)
func main() {
flag.StringVar(&additionalDNSNames, "additional-dnsnames", "", "additional dns names; comma separated")
flag.StringVar(&certDir, "cert-dir", "/etc/tls", "The directory where the TLS certs should be written")
flag.StringVar(&clusterDomain, "cluster-domain", "cluster.local", "Kubernetes cluster domain")
flag.StringVar(&hostname, "hostname", "", "hostname as defined by pod.spec.hostname")
flag.StringVar(&namespace, "namespace", "default", "namespace as defined by pod.metadata.namespace")
flag.StringVar(&podName, "pod-name", "", "name as defined by pod.metadata.name")
flag.StringVar(&podIP, "pod-ip", "", "IP address as defined by pod.status.podIP")
flag.StringVar(&serviceNames, "service-names", "", "service names that resolve to this Pod; comma separated")
flag.StringVar(&serviceIPs, "service-ips", "", "service IP addresses that resolve to this Pod; comma separated")
flag.StringVar(&subdomain, "subdomain", "", "subdomain as defined by pod.spec.subdomain")
flag.StringVar(&labels, "labels", "", "labels to include in CertificateSigningRequest object; comma seprated list of key=value")
flag.StringVar(&secretName, "secret-name", "", "secret name to store generated files")
flag.StringVar(&signerName, "signer-name", "", "signer name in CertificateSigningRequest object")
flag.StringVar(&signerSecret, "signer-secret", "", "secret with certificate of a signer")
flag.StringVar(&signerNamespace, "signer-namespace", "default", "namespace where to find secret with certificate of a signer")
flag.BoolVar(&createSecret, "create-secret", false, "create a new secret instead of waiting for one to update")
flag.Parse()
certificateSigningRequestName := fmt.Sprintf("%s-%s", podName, namespace)
client, err := k8s.NewInClusterClient()
if err != nil {
log.Fatalf("unable to create a Kubernetes client: %s", err)
}
// Generate a private key, pem encode it, and save it to the filesystem.
// The private key will be used to create a certificate signing request (csr)
// that will be submitted to a Kubernetes CA to obtain a TLS certificate.
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
log.Fatalf("unable to genarate the private key: %s", err)
}
pemKeyBytes := pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
})
keyFile := path.Join(certDir, "tls.key")
if err := ioutil.WriteFile(keyFile, pemKeyBytes, 0644); err != nil {
log.Fatalf("unable to write to %s: %s", keyFile, err)
}
log.Printf("wrote %s", keyFile)
// Gather the list of labels that will be added to the CreateCertificateSigningRequest object
labelsMap := make(map[string]string)
for _, n := range strings.Split(labels, ",") {
if n == "" {
continue
}
s := strings.Split(n, "=")
label, key := s[0], s[1]
if label == "" {
continue
}
labelsMap[label] = key
}
// Gather the list of IP addresses for the certificate's IP SANs field which
// include:
// - the pod IP address
// - 127.0.0.1 for localhost access
// - each service IP address that maps to this pod
ip := net.ParseIP(podIP)
if ip.To4() == nil && ip.To16() == nil {
log.Fatal("invalid pod IP address")
}
ipaddresses := []net.IP{ip, net.ParseIP("127.0.0.1")}
for _, s := range strings.Split(serviceIPs, ",") {
if s == "" {
continue
}
ip := net.ParseIP(s)
if ip.To4() == nil && ip.To16() == nil {
log.Fatal("invalid service IP address")
}
ipaddresses = append(ipaddresses, ip)
}
// Gather a list of DNS names that resolve to this pod which include the
// default DNS name:
// - ${pod-ip-address}.${namespace}.pod.${cluster-domain}
//
// For each service that maps to this pod a dns name will be added using
// the following template:
// - ${service-name}.${namespace}.svc.${cluster-domain}
//
// A dns name will be added for each additional DNS name provided via the
// `-additional-dnsnames` flag.
dnsNames := defaultDNSNames(podIP, hostname, subdomain, namespace, clusterDomain)
for _, n := range strings.Split(additionalDNSNames, ",") {
if n == "" {
continue
}
dnsNames = append(dnsNames, n)
}
for _, n := range strings.Split(serviceNames, ",") {
if n == "" {
continue
}
dnsNames = append(dnsNames, serviceDomainName(n, namespace, clusterDomain))
}
// Generate the certificate request, pem encode it, and save it to the filesystem.
certificateRequestTemplate := x509.CertificateRequest{
Subject: pkix.Name{
CommonName: dnsNames[0],
},
SignatureAlgorithm: x509.SHA256WithRSA,
DNSNames: dnsNames,
IPAddresses: ipaddresses,
}
certificateRequest, err := x509.CreateCertificateRequest(rand.Reader, &certificateRequestTemplate, key)
if err != nil {
log.Fatalf("unable to generate the certificate request: %s", err)
}
certificateRequestBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: certificateRequest})
csrFile := path.Join(certDir, "tls.csr")
if err := ioutil.WriteFile(csrFile, certificateRequestBytes, 0644); err != nil {
log.Fatal("unable to %s, error: %s", csrFile, err)
}
log.Printf("wrote %s", csrFile)
// Submit a certificate signing request, wait for it to be approved, then save
// the signed certificate to the file system.
certificateSigningRequest := &certificates.CertificateSigningRequest{
Metadata: &v1.ObjectMeta{
Name: k8s.String(certificateSigningRequestName),
Labels: labelsMap,
},
Spec: &certificates.CertificateSigningRequestSpec{
Groups: []string{"system:authenticated"},
Request: certificateRequestBytes,
SignerName: k8s.String(signerName),
Usages: []string{"digital signature", "key encipherment", "server auth", "client auth"},
},
}
log.Printf("Deleting certificate signing request %s", certificateSigningRequestName)
client.Delete(context.Background(), certificateSigningRequest)
log.Printf("Removed approved request %s", certificateSigningRequestName)
err = client.Create(context.Background(), certificateSigningRequest)
if err != nil {
err := client.Create(context.Background(), certificateSigningRequest)
if err != nil {
log.Fatalf("unable to create the certificate signing request: %s", err)
}
log.Println("waiting for certificate...")
} else {
log.Println("signing request already exists")
}
var certificate []byte
for {
var csr certificates.CertificateSigningRequest
err := client.Get(context.Background(), "", certificateSigningRequestName, &csr)
if err != nil {
log.Printf("unable to retrieve certificate signing request (%s): %s", certificateSigningRequestName, err)
time.Sleep(5 * time.Second)
continue
}
if len(csr.GetStatus().GetConditions()) > 0 {
if *csr.GetStatus().GetConditions()[0].Type == "Approved" {
certificate = csr.GetStatus().Certificate
if len(certificate) > 1 {
log.Printf("got crt %s", certificate)
break
} else {
log.Printf("cert length still less than 1, wait to populate. Cert: %s", csr.GetStatus())
}
}
} else {
log.Printf("certificate signing request (%s) not approved; trying again in 5 seconds", certificateSigningRequestName)
}
time.Sleep(5 * time.Second)
}
certFile := path.Join(certDir, "tls.crt")
if err := ioutil.WriteFile(certFile, certificate, 0644); err != nil {
log.Fatalf("unable to write to %s: %s", certFile, err)
}
log.Printf("wrote %s", certFile)
log.Printf("Deleting certificate signing request %s", certificateSigningRequestName)
client.Delete(context.Background(), certificateSigningRequest)
log.Printf("Removed approved request %s", certificateSigningRequestName)
if secretName != "" {
for {
var ks corev1.Secret
err := client.Get(context.Background(), namespace, secretName, &ks)
if err != nil {
if createSecret {
log.Fatalf("TODO: cannot create secrets")
} else {
log.Printf("Secret to store credentials (%s) not found; trying again in 5 seconds", secretName)
time.Sleep(5 * time.Second)
continue
}
}
var k8sCrt[] byte ;
if signerSecret != "" {
for {
var ss corev1.Secret
err := client.Get(context.Background(), signerNamespace, signerSecret, &ss)
if err != nil {
log.Printf("Secret with signer certificate (%s) not found; trying again in 5 seconds", signerSecret)
time.Sleep(5 * time.Second)
continue
}
k8sCrt = ss.GetData()["tls.crt"]
log.Printf("CA of signer from secret %s/%s :\n%s", signerNamespace, signerSecret, ss.GetData()["tls.crt"])
break
}
}
if k8sCrt == nil {
k8sCrt, err = ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
}
stringData := make(map[string]string)
stringData["tls.key"] = string(pemKeyBytes)
stringData["tls.crt"] = string(certificate)
stringData["k8s.crt"] = string(k8sCrt) // ok
stringData["tlsAndK8s.crt"] = string(certificate) + "\n" + string(k8sCrt) // ok
ks.StringData = stringData
err = client.Update(context.TODO(), &ks)
log.Printf("Stored credentials in secret: (%s)", secretName)
break
}
}
os.Exit(0)
}
func defaultDNSNames(ip, hostname, subdomain, namespace, clusterDomain string) []string {
ns := []string{podDomainName(ip, namespace, clusterDomain)}
if hostname != "" && subdomain != "" {
ns = append(ns, podHeadlessDomainName(hostname, subdomain, namespace, clusterDomain))
}
return ns
}
func serviceDomainName(name, namespace, domain string) string {
return fmt.Sprintf("%s.%s.svc.%s", name, namespace, domain)
}
func podDomainName(ip, namespace, domain string) string {
return fmt.Sprintf("%s.%s.pod.%s", strings.Replace(ip, ".", "-", -1), namespace, domain)
}
func podHeadlessDomainName(hostname, subdomain, namespace, domain string) string {
if hostname == "" || subdomain == "" {
return ""
}
return fmt.Sprintf("%s.%s.%s.svc.%s", hostname, subdomain, namespace, domain)
}