b8cebbe8
Commit
b8cebbe8
authored
Aug 05, 2022
by
Geoff Simmons
Bugfixes
parent
a058f234
Changes
9
Showing
9 changed files
with
573 additions
and
798 deletions
+573
-798
main.go
cmd/main.go
+2
-2
cacrt.go
pkg/cacrt/cacrt.go
+134
-196
cacrt_test.go
pkg/cacrt/cacrt_test.go
+121
-201
ca-bundle.crt
pkg/cacrt/testdata/ca-bundle.crt
+1
-0
client.go
pkg/k8s/client.go
+6
-6
worker.go
pkg/k8s/worker.go
+27
-64
bndl_handler_test.go
pkg/rest/bndl_handler_test.go
+265
-293
handlers.go
pkg/rest/handlers.go
+9
-26
server.go
pkg/rest/server.go
+8
-10
cmd/main.go
...
...
@@ -192,10 +192,10 @@ func main() {
}
crtGetter
:=
watcher
.
GetCrtGetter
()
files
:=
watcher
.
GetFiles
()
bndl
s
:=
watcher
.
GetBundles
()
bndl
:=
watcher
.
GetBundle
()
server
:=
rest
.
NewServer
(
*
addrF
,
version
,
*
udsGidF
,
int
(
udsMode
),
log
,
files
,
bndl
s
,
crtGetter
)
files
,
bndl
,
crtGetter
)
watcher
.
Run
(
uint16
(
*
metricsPortF
))
if
err
=
server
.
Start
();
err
!=
nil
{
...
...
pkg/cacrt/cacrt.go
This diff is collapsed.
pkg/cacrt/cacrt_test.go
This diff is collapsed.
pkg/cacrt/testdata/ca-bundle.crt
0 → 120000
foo_bar.crt
\ No newline at end of file
pkg/k8s/client.go
...
...
@@ -109,7 +109,7 @@ type Watcher struct {
cancel
context
.
CancelFunc
getter
*
crt
.
Getter
files
*
pem
.
Files
bndl
s
*
cacrt
.
Bundles
bndl
*
cacrt
.
Bundle
}
// NewWatcher creates an API client.
...
...
@@ -165,13 +165,13 @@ func NewWatcher(
if
err
!=
nil
{
return
nil
,
err
}
watcher
.
bndl
s
,
err
=
cacrt
.
NewBundles
(
caBase
,
distroCABundle
,
gid
,
watcher
.
bndl
,
err
=
cacrt
.
NewBundle
(
caBase
,
distroCABundle
,
gid
,
watcher
.
getter
)
if
err
!=
nil
{
return
nil
,
err
}
watcher
.
nsQs
=
NewNamespaceQueues
(
watcher
.
log
,
watcher
.
files
,
watcher
.
bndl
s
,
recorder
)
watcher
.
bndl
,
recorder
)
// InitMetrics()
...
...
@@ -190,10 +190,10 @@ func (watcher *Watcher) GetFiles() *pem.Files {
return
watcher
.
files
}
// GetBundle
s returns a cacrt.Bundles
that manages CA certificate
// GetBundle
returns a cacrt.Bundle
that manages CA certificate
// bundle files and their metadata
func
(
watcher
*
Watcher
)
GetBundle
s
()
*
cacrt
.
Bundles
{
return
watcher
.
bndl
s
func
(
watcher
*
Watcher
)
GetBundle
()
*
cacrt
.
Bundle
{
return
watcher
.
bndl
}
func
(
watcher
*
Watcher
)
getSecret
(
obj
interface
{})
(
*
api_v1
.
Secret
,
bool
)
{
...
...
pkg/k8s/worker.go
...
...
@@ -31,7 +31,6 @@ package k8s
import
(
"fmt"
"os"
"strings"
"sync"
"code.uplex.de/k8s/k8s-crt-dnldr/pkg/cacrt"
...
...
@@ -56,7 +55,7 @@ type NamespaceWorker struct {
log
*
logrus
.
Logger
queue
workqueue
.
RateLimitingInterface
files
*
pem
.
Files
bndl
s
*
cacrt
.
Bundles
bndl
*
cacrt
.
Bundle
recorder
record
.
EventRecorder
wg
*
sync
.
WaitGroup
}
...
...
@@ -107,72 +106,36 @@ func (worker *NamespaceWorker) deleteTLS(secret *api_v1.Secret) Status {
}
func
(
worker
*
NamespaceWorker
)
updateSecret
(
secret
*
api_v1
.
Secret
)
Status
{
have
,
upToDate
,
updated
:=
[]
string
{},
[]
string
{},
[]
string
{}
for
_
,
f
:=
range
worker
.
bndls
.
Files
{
if
!
f
.
HaveSecret
(
secret
.
Namespace
,
secret
.
Name
,
string
(
secret
.
UID
),
secret
.
ResourceVersion
)
{
continue
}
have
=
append
(
have
,
f
.
Namespace
+
"/"
+
f
.
Name
)
if
worker
.
bndls
.
Check
(
f
.
Namespace
,
f
.
Name
)
{
upToDate
=
append
(
upToDate
,
f
.
Namespace
+
"/"
+
f
.
Name
)
continue
}
if
err
:=
worker
.
bndls
.
Write
(
f
.
Namespace
,
f
.
Name
);
err
!=
nil
{
if
os
.
IsPermission
(
err
)
{
return
MakeFatal
(
"cannot update CA bundle for Service "
+
"%s/%s: %s"
,
f
.
Namespace
,
f
.
Name
,
err
)
}
return
MakeRecoverable
(
"updating CA bundle for Service %s/%s: %v"
,
f
.
Namespace
,
f
.
Name
,
err
)
}
updated
=
append
(
updated
,
f
.
Namespace
+
"/"
+
f
.
Name
)
if
!
worker
.
bndl
.
HaveSecret
(
secret
.
Namespace
,
secret
.
Name
,
string
(
secret
.
UID
),
secret
.
ResourceVersion
)
{
return
MakeNoop
(
"Secret not in a CA certificate bundle"
)
}
if
len
(
have
)
==
0
{
return
MakeNoop
(
"
no Service has the Secret in a CA bundl
e"
)
if
worker
.
bndl
.
Check
()
{
return
MakeNoop
(
"
CA certificate bundle is already up to dat
e"
)
}
if
len
(
updated
)
==
0
{
return
MakeNoop
(
"already up to date in CA bundle(s) for "
+
"Service(s): ["
+
strings
.
Join
(
have
,
","
)
+
"] "
)
if
err
:=
worker
.
bndl
.
Write
();
err
!=
nil
{
if
os
.
IsPermission
(
err
)
{
return
MakeFatal
(
"cannot update CA bundle: %+v"
,
err
)
}
return
MakeRecoverable
(
"updating CA bundle: %+v"
,
err
)
}
return
MakeSuccess
(
"Secret in CA bundle(s) for Service(s): ["
+
strings
.
Join
(
have
,
","
)
+
"], already up to date in: "
+
"["
+
strings
.
Join
(
upToDate
,
","
)
+
"], "
+
"successfully updated for: ["
+
strings
.
Join
(
updated
,
","
)
+
"]"
)
return
MakeSuccess
(
"CA cerificate bundle successfully updated"
)
}
func
(
worker
*
NamespaceWorker
)
deleteSecret
(
secret
*
api_v1
.
Secret
)
Status
{
have
:=
[]
string
{}
for
_
,
f
:=
range
worker
.
bndls
.
Files
{
if
!
f
.
HaveSecret
(
secret
.
Namespace
,
secret
.
Name
,
string
(
secret
.
UID
),
secret
.
ResourceVersion
)
{
continue
}
have
=
append
(
have
,
f
.
Namespace
+
"/"
+
f
.
Name
)
if
err
:=
worker
.
bndls
.
DeleteSecret
(
f
.
Namespace
,
f
.
Name
,
secret
.
Namespace
,
secret
.
Name
);
err
!=
nil
{
if
os
.
IsPermission
(
err
)
{
return
MakeFatal
(
"cannot update CA bundle for Service "
+
"%s/%s: %s"
,
f
.
Namespace
,
f
.
Name
,
err
)
}
return
MakeRecoverable
(
"updating CA bundle for Service %s/%s: %v"
,
f
.
Namespace
,
f
.
Name
,
err
)
}
if
!
worker
.
bndl
.
HaveSecret
(
secret
.
Namespace
,
secret
.
Name
,
string
(
secret
.
UID
),
secret
.
ResourceVersion
)
{
return
MakeNoop
(
"Secret not in CA certificate bundle"
)
}
if
len
(
have
)
==
0
{
return
MakeNoop
(
"no Service has the Secret in a CA bundle"
)
if
err
:=
worker
.
bndl
.
DeleteSecret
(
secret
.
Namespace
,
secret
.
Name
);
err
!=
nil
{
if
os
.
IsPermission
(
err
)
{
return
MakeFatal
(
"cannot update CA bundle: %+v"
,
err
)
}
return
MakeRecoverable
(
"updating CA bundle: %v"
,
err
)
}
return
MakeSuccess
(
"successfully deleted in CA bundle(s) for Service(s): ["
+
strings
.
Join
(
have
,
","
)
+
"]"
)
return
MakeSuccess
(
"successfully deleted in CA certificate bundle"
)
}
func
(
worker
*
NamespaceWorker
)
syncSuccess
(
syncType
SyncType
,
...
...
@@ -266,7 +229,7 @@ type NamespaceQueues struct {
log
*
logrus
.
Logger
workers
map
[
string
]
*
NamespaceWorker
files
*
pem
.
Files
bndl
s
*
cacrt
.
Bundles
bndl
*
cacrt
.
Bundle
recorder
record
.
EventRecorder
wg
*
sync
.
WaitGroup
}
...
...
@@ -279,7 +242,7 @@ type NamespaceQueues struct {
func
NewNamespaceQueues
(
log
*
logrus
.
Logger
,
files
*
pem
.
Files
,
bndl
s
*
cacrt
.
Bundles
,
bndl
*
cacrt
.
Bundle
,
recorder
record
.
EventRecorder
,
)
*
NamespaceQueues
{
q
:=
workqueue
.
NewRateLimitingQueue
(
...
...
@@ -289,7 +252,7 @@ func NewNamespaceQueues(
log
:
log
,
workers
:
make
(
map
[
string
]
*
NamespaceWorker
),
files
:
files
,
bndl
s
:
bndls
,
bndl
:
bndl
,
recorder
:
recorder
,
wg
:
new
(
sync
.
WaitGroup
),
}
...
...
@@ -318,7 +281,7 @@ func (qs *NamespaceQueues) next() {
log
:
qs
.
log
,
queue
:
q
,
files
:
qs
.
files
,
bndl
s
:
qs
.
bndls
,
bndl
:
qs
.
bndl
,
recorder
:
qs
.
recorder
,
wg
:
qs
.
wg
,
}
...
...
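Review bot: `os.IsPermission(err)` after `worker.bndl.Write()` in updateSecret, and after `worker.bndl.DeleteSecret(...)` in deleteSecret, only recognizes error types produced by the os package itself; if cacrt.Bundle wraps its errors with fmt.Errorf's `%w` (that file's diff is collapsed here, so this is unverified), a permission failure is never classified as fatal and is retried as recoverable indefinitely. Use `errors.Is(err, fs.ErrPermission)` in both places, which follows the wrapping chain. Since NamespaceQueues now hands the same *cacrt.Bundle to every NamespaceWorker, the Check()-then-Write() and HaveSecret()-then-DeleteSecret() pairs execute concurrently from different namespace goroutines; confirm that Bundle serializes these internally, otherwise each pair is a check-then-act race on one shared file. Minor: the final success message in updateSecret reads `"CA cerificate bundle successfully updated"` and should be `"CA certificate bundle successfully updated"`.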
pkg/rest/bndl_handler_test.go
This diff is collapsed.
pkg/rest/handlers.go
...
...
@@ -63,7 +63,6 @@ type ErrorDetails struct {
var
(
pemsRegex
=
regexp
.
MustCompile
(
"^"
+
pemsPfx
+
"([^/]+)/([^/]+)$"
)
bndlRegex
=
regexp
.
MustCompile
(
"^"
+
bndlPfx
+
"([^/]+)/([^/]+)$"
)
allowedRdonly
=
map
[
string
]
struct
{}{
http
.
MethodGet
:
struct
{}{},
...
...
@@ -131,12 +130,6 @@ var (
Detail
:
""
,
}
errBndlPattern
=
ErrorDetails
{
Type
:
"/errors/ca-bndl/urlPattern"
,
Title
:
"Invalid /v1/ca-bndl/ URL path"
,
Detail
:
"/v1/ca-bndl/ URL path does not match "
+
"/v1/ca-bndl/{namespace}/{name}"
,
}
errBndlContentType
=
ErrorDetails
{
Type
:
"/errors/ca-bndl/contentType"
,
Title
:
"Request Content-Type not application/json"
,
...
...
@@ -557,9 +550,9 @@ func (h *pemsHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
}
type
bndlHndlr
struct
{
log
*
logrus
.
Logger
bndl
s
*
cacrt
.
Bundles
crt
*
crt
.
Getter
log
*
logrus
.
Logger
bndl
*
cacrt
.
Bundle
crt
*
crt
.
Getter
}
// XXX currently no reponses for GET or HEAD
...
...
@@ -569,13 +562,6 @@ func (h *bndlHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
resp
.
Header
()
.
Set
(
"Content-Length"
,
"0"
)
status
:=
http
.
StatusTeapot
matches
:=
bndlRegex
.
FindStringSubmatch
(
req
.
URL
.
Path
)
if
matches
==
nil
{
errorResponse
(
resp
,
req
,
now
,
http
.
StatusNotFound
,
errBndlPattern
,
nil
,
h
.
log
)
return
}
if
_
,
ok
:=
allowedRW
[
req
.
Method
];
!
ok
{
status
=
http
.
StatusMethodNotAllowed
resp
.
Header
()
.
Set
(
"Allow"
,
allowRW
)
...
...
@@ -583,10 +569,9 @@ func (h *bndlHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
reqLog
(
h
.
log
,
req
,
now
,
status
,
0
)
return
}
ns
,
name
:=
matches
[
1
],
matches
[
2
]
if
req
.
Method
==
http
.
MethodDelete
{
if
exist
,
err
:=
h
.
bndl
s
.
Delete
(
ns
,
name
);
!
exist
||
if
exist
,
err
:=
h
.
bndl
.
Delete
(
);
!
exist
||
(
err
!=
nil
&&
os
.
IsNotExist
(
err
))
{
errorResponse
(
resp
,
req
,
now
,
http
.
StatusNotFound
,
errBndlNotFound
,
err
,
h
.
log
)
...
...
@@ -606,7 +591,7 @@ func (h *bndlHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
// XXX If-Match: uid/version
// XXX If-Unmodified-Since: compare file mtime
have
:=
h
.
bndl
s
.
Have
(
ns
,
name
)
have
:=
h
.
bndl
.
Have
(
)
if
have
&&
req
.
Method
==
http
.
MethodPost
{
status
=
http
.
StatusConflict
resp
.
WriteHeader
(
status
)
...
...
@@ -661,7 +646,7 @@ func (h *bndlHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
}
}
if
srcs
.
Distro
{
if
!
h
.
bndl
s
.
HasDistroBundle
()
{
if
!
h
.
bndl
.
HasDistroBundle
()
{
errorResponse
(
resp
,
req
,
now
,
http
.
StatusNotFound
,
errBndlNoDistro
,
nil
,
h
.
log
)
return
...
...
@@ -669,19 +654,17 @@ func (h *bndlHndlr) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
}
file
:=
&
cacrt
.
File
{
Namespace
:
ns
,
Name
:
name
,
Sources
:
srcs
,
Sources
:
srcs
,
}
if
h
.
bndl
s
.
CheckFileData
(
file
)
{
if
h
.
bndl
.
CheckFileData
(
file
)
{
status
=
http
.
StatusNoContent
resp
.
Header
()
.
Del
(
"Content-Length"
)
resp
.
WriteHeader
(
status
)
reqLog
(
h
.
log
,
req
,
now
,
status
,
0
)
return
}
if
err
:=
h
.
bndl
s
.
AddOrUpdate
(
file
);
err
!=
nil
{
if
err
:=
h
.
bndl
.
AddOrUpdate
(
file
);
err
!=
nil
{
if
os
.
IsPermission
(
err
)
{
errorResponse
(
resp
,
req
,
now
,
http
.
StatusInternalServerError
,
...
...
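Review bot: The 409 decision `have := h.bndl.Have()` and the later `h.bndl.AddOrUpdate(file)` are two separate calls on a bundle that is now shared by every request, so two concurrent POSTs can both observe have == false and both proceed, and the second one never gets the Conflict it should; unless cacrt.Bundle makes this atomic (its diff is collapsed here), the create-if-absent should happen inside the bundle, e.g. have AddOrUpdate report whether the bundle already existed and map that to 409 in the handler. The DELETE branch has the same wrapping concern as the worker: `os.IsNotExist(err)` does not follow `%w` chains, so prefer `errors.Is(err, fs.ErrNotExist)` if Delete wraps its errors. bndlHndlr.ServeHTTP starts and ends outside the visible hunks.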
pkg/rest/server.go
...
...
@@ -46,8 +46,7 @@ const (
healthzPath
=
"/v1/healthz"
pemsPfx
=
"/v1/pems/"
pemsAll
=
"/v1/pems"
bndlPfx
=
"/v1/ca-bndl/"
bndlAll
=
"/v1/ca-bndl"
bndlPath
=
"/v1/ca-bndl"
)
// Server encapsulates the HTTP server for the REST API.
...
...
@@ -59,7 +58,7 @@ type Server struct {
version
string
log
*
logrus
.
Logger
files
*
pem
.
Files
bndl
s
*
cacrt
.
Bundles
bndl
*
cacrt
.
Bundle
crtGetter
*
crt
.
Getter
}
...
...
@@ -88,7 +87,7 @@ func NewServer(
gid
,
mode
int
,
log
*
logrus
.
Logger
,
files
*
pem
.
Files
,
bndl
s
*
cacrt
.
Bundles
,
bndl
*
cacrt
.
Bundle
,
crtGetter
*
crt
.
Getter
,
)
*
Server
{
srv
:=
&
Server
{
...
...
@@ -98,7 +97,7 @@ func NewServer(
version
:
version
,
log
:
log
,
files
:
files
,
bndl
s
:
bndls
,
bndl
:
bndl
,
crtGetter
:
crtGetter
,
}
if
gid
>=
0
{
...
...
@@ -171,14 +170,13 @@ func (srv *Server) Start() error {
crtGetter
:
srv
.
crtGetter
,
}
bndlHandler
:=
&
bndlHndlr
{
log
:
srv
.
log
,
bndl
s
:
srv
.
bndls
,
crt
:
srv
.
crtGetter
,
log
:
srv
.
log
,
bndl
:
srv
.
bndl
,
crt
:
srv
.
crtGetter
,
}
mux
.
Handle
(
pemsPfx
,
pemsHandler
)
mux
.
Handle
(
pemsAll
,
pemsHandler
)
mux
.
Handle
(
bndlPfx
,
bndlHandler
)
mux
.
Handle
(
bndlAll
,
bndlHandler
)
mux
.
Handle
(
bndlPath
,
bndlHandler
)
srv
.
server
=
http
.
Server
{
Handler
:
mux
}
go
func
()
{
if
err
:=
srv
.
server
.
Serve
(
lsnr
);
err
!=
nil
{
...
...