vendor files

vendor/k8s.io/kubernetes/pkg/controller/certificates/signer/BUILD

@@ -0,0 +1,52 @@
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["cfssl_signer_test.go"],
+    data = [
+        "testdata/ca.crt",
+        "testdata/ca.key",
+        "testdata/kubelet.csr",
+    ],
+    importpath = "k8s.io/kubernetes/pkg/controller/certificates/signer",
+    library = ":go_default_library",
+    deps = [
+        "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
+        "//vendor/k8s.io/client-go/util/cert:go_default_library",
+    ],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["cfssl_signer.go"],
+    importpath = "k8s.io/kubernetes/pkg/controller/certificates/signer",
+    deps = [
+        "//pkg/controller/certificates:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/config:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/helpers:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/signer:go_default_library",
+        "//vendor/github.com/cloudflare/cfssl/signer/local:go_default_library",
+        "//vendor/k8s.io/api/certificates/v1beta1:go_default_library",
+        "//vendor/k8s.io/client-go/informers/certificates/v1beta1:go_default_library",
+        "//vendor/k8s.io/client-go/kubernetes:go_default_library",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/pkg/controller/certificates/signer/cfssl_signer.go

@@ -0,0 +1,138 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package signer implements a CA signer that uses keys stored on local disk.
+package signer
+
+import (
+	"crypto"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"time"
+
+	capi "k8s.io/api/certificates/v1beta1"
+	certificatesinformers "k8s.io/client-go/informers/certificates/v1beta1"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/pkg/controller/certificates"
+
+	"github.com/cloudflare/cfssl/config"
+	"github.com/cloudflare/cfssl/helpers"
+	"github.com/cloudflare/cfssl/signer"
+	"github.com/cloudflare/cfssl/signer/local"
+)
+
+func NewCSRSigningController(
+	client clientset.Interface,
+	csrInformer certificatesinformers.CertificateSigningRequestInformer,
+	caFile, caKeyFile string,
+	certificateDuration time.Duration,
+) (*certificates.CertificateController, error) {
+	signer, err := newCFSSLSigner(caFile, caKeyFile, client, certificateDuration)
+	if err != nil {
+		return nil, err
+	}
+	return certificates.NewCertificateController(
+		client,
+		csrInformer,
+		signer.handle,
+	), nil
+}
+
+type cfsslSigner struct {
+	ca                  *x509.Certificate
+	priv                crypto.Signer
+	sigAlgo             x509.SignatureAlgorithm
+	client              clientset.Interface
+	certificateDuration time.Duration
+}
+
+func newCFSSLSigner(caFile, caKeyFile string, client clientset.Interface, certificateDuration time.Duration) (*cfsslSigner, error) {
+	ca, err := ioutil.ReadFile(caFile)
+	if err != nil {
+		return nil, fmt.Errorf("error reading CA cert file %q: %v", caFile, err)
+	}
+	cakey, err := ioutil.ReadFile(caKeyFile)
+	if err != nil {
+		return nil, fmt.Errorf("error reading CA key file %q: %v", caKeyFile, err)
+	}
+
+	parsedCa, err := helpers.ParseCertificatePEM(ca)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing CA cert file %q: %v", caFile, err)
+	}
+
+	strPassword := os.Getenv("CFSSL_CA_PK_PASSWORD")
+	password := []byte(strPassword)
+	if strPassword == "" {
+		password = nil
+	}
+
+	priv, err := helpers.ParsePrivateKeyPEMWithPassword(cakey, password)
+	if err != nil {
+		return nil, fmt.Errorf("Malformed private key %v", err)
+	}
+	return &cfsslSigner{
+		priv:                priv,
+		ca:                  parsedCa,
+		sigAlgo:             signer.DefaultSigAlgo(priv),
+		client:              client,
+		certificateDuration: certificateDuration,
+	}, nil
+}
+
+func (s *cfsslSigner) handle(csr *capi.CertificateSigningRequest) error {
+	if !certificates.IsCertificateRequestApproved(csr) {
+		return nil
+	}
+	csr, err := s.sign(csr)
+	if err != nil {
+		return fmt.Errorf("error auto signing csr: %v", err)
+	}
+	_, err = s.client.CertificatesV1beta1().CertificateSigningRequests().UpdateStatus(csr)
+	if err != nil {
+		return fmt.Errorf("error updating signature for csr: %v", err)
+	}
+	return nil
+}
+
+func (s *cfsslSigner) sign(csr *capi.CertificateSigningRequest) (*capi.CertificateSigningRequest, error) {
+	var usages []string
+	for _, usage := range csr.Spec.Usages {
+		usages = append(usages, string(usage))
+	}
+	policy := &config.Signing{
+		Default: &config.SigningProfile{
+			Usage:        usages,
+			Expiry:       s.certificateDuration,
+			ExpiryString: s.certificateDuration.String(),
+		},
+	}
+	cfs, err := local.NewSigner(s.priv, s.ca, s.sigAlgo, policy)
+	if err != nil {
+		return nil, err
+	}
+
+	csr.Status.Certificate, err = cfs.Sign(signer.SignRequest{
+		Request: string(csr.Spec.Request),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return csr, nil
+}

vendor/k8s.io/kubernetes/pkg/controller/certificates/signer/cfssl_signer_test.go

@@ -0,0 +1,84 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package signer
+
+import (
+	"crypto/x509"
+	"io/ioutil"
+	"reflect"
+	"testing"
+	"time"
+
+	capi "k8s.io/api/certificates/v1beta1"
+	"k8s.io/client-go/util/cert"
+)
+
+func TestSigner(t *testing.T) {
+	s, err := newCFSSLSigner("./testdata/ca.crt", "./testdata/ca.key", nil, 1*time.Hour)
+	if err != nil {
+		t.Fatalf("failed to create signer: %v", err)
+	}
+
+	csrb, err := ioutil.ReadFile("./testdata/kubelet.csr")
+	if err != nil {
+		t.Fatalf("failed to read CSR: %v", err)
+	}
+
+	csr := &capi.CertificateSigningRequest{
+		Spec: capi.CertificateSigningRequestSpec{
+			Request: []byte(csrb),
+			Usages: []capi.KeyUsage{
+				capi.UsageSigning,
+				capi.UsageKeyEncipherment,
+				capi.UsageServerAuth,
+				capi.UsageClientAuth,
+			},
+		},
+	}
+
+	csr, err = s.sign(csr)
+	if err != nil {
+		t.Fatalf("failed to sign CSR: %v", err)
+	}
+	certData := csr.Status.Certificate
+	if len(certData) == 0 {
+		t.Fatalf("expected a certificate after signing")
+	}
+
+	certs, err := cert.ParseCertsPEM(certData)
+	if err != nil {
+		t.Fatalf("failed to parse certificate: %v", err)
+	}
+	if len(certs) != 1 {
+		t.Fatalf("expected one certificate")
+	}
+
+	crt := certs[0]
+
+	if crt.Subject.CommonName != "system:node:k-a-node-s36b" {
+		t.Errorf("expected common name of 'system:node:k-a-node-s36b', but got: %v", certs[0].Subject.CommonName)
+	}
+	if !reflect.DeepEqual(crt.Subject.Organization, []string{"system:nodes"}) {
+		t.Errorf("expected organization to be [system:nodes] but got: %v", crt.Subject.Organization)
+	}
+	if crt.KeyUsage != x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment {
+		t.Errorf("bad key usage")
+	}
+	if !reflect.DeepEqual(crt.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}) {
+		t.Errorf("bad extended key usage")
+	}
+}

vendor/k8s.io/kubernetes/pkg/controller/certificates/signer/testdata/ca.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9zCCAd+gAwIBAgIJAOWJ8tWNUIsZMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNV
+BAMMB2t1YmUtY2EwHhcNMTYxMjIyMDAyNTI5WhcNNDQwNTA5MDAyNTI5WjASMRAw
+DgYDVQQDDAdrdWJlLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+1HK1d2p7N7UC6px8lVtABw8jPpVyNYjrJmI+TKTTdCgWGsUTFMCw4t4Q/KQDDlvB
+P19uPhbfp8aLwOWXBCxOPZzlM2mAEjSUgKjbyGCW/8vaXa2VgQm3tKZdydKiFvIo
+fEsNA+58w8A0WWEB8wYFcdCt8uPyQ0ws/TxE+WW3u7EPlC0/inIX9JqeZZMpDk3N
+lHEv/pGEjQmoet/hBwGHq9PKepkN5/V6rrSADJ5I4Uklp2f7G9MCP/zV8xKfs0lK
+CMoJsIPK3nL9N3C0rqBQPfcyKE2fnEkxC3UVZA8brvLTkBfOgmM2eVg/nauU1ejv
+zOJL7tDwUioLriw2hiGrFwIDAQABo1AwTjAdBgNVHQ4EFgQUbGJxJeW7BgZ4xSmW
+d3Aw3gq8YZUwHwYDVR0jBBgwFoAUbGJxJeW7BgZ4xSmWd3Aw3gq8YZUwDAYDVR0T
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAunzpYAxpzguzxG83pK5n3ObsGDwO
+78d38qX1VRvMLPvioZxYgquqqFPdLI3xe8b8KdZNzb65549tgjAI17tTKGTRgJu5
+yzLU1tO4vNaAFecMCtPvElYfkrAv2vbGCVJ1bYKTnjdu3083jG3sY9TDj0364A57
+lNwKEd5uxHGWg4H+NbyHkDqfKmllzLvJ9XjSWBPmNVLSW50hV+h9fUXgz9LN+qVY
+VEDfAEWqb6PVy9ANw8A8QLnuSRxbd7hAigtlC4MwzYJ6tyFIIH6bCIgfoZuA+brm
+WGcpIxl4fKEGafSgjsK/6Yhb61mkhHmG16mzEUZNkNsjiYJuF2QxpOlQrw==
+-----END CERTIFICATE-----

vendor/k8s.io/kubernetes/pkg/controller/certificates/signer/testdata/ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA1HK1d2p7N7UC6px8lVtABw8jPpVyNYjrJmI+TKTTdCgWGsUT
+FMCw4t4Q/KQDDlvBP19uPhbfp8aLwOWXBCxOPZzlM2mAEjSUgKjbyGCW/8vaXa2V
+gQm3tKZdydKiFvIofEsNA+58w8A0WWEB8wYFcdCt8uPyQ0ws/TxE+WW3u7EPlC0/
+inIX9JqeZZMpDk3NlHEv/pGEjQmoet/hBwGHq9PKepkN5/V6rrSADJ5I4Uklp2f7
+G9MCP/zV8xKfs0lKCMoJsIPK3nL9N3C0rqBQPfcyKE2fnEkxC3UVZA8brvLTkBfO
+gmM2eVg/nauU1ejvzOJL7tDwUioLriw2hiGrFwIDAQABAoIBAFJCmEFE2bEYRajS
+LusmCgSxt9PjyfUwrtyN7dF/gODZJLX42QqQEe3GTo2EdCp7HLiNGwKvmKo+Fp76
+Rx82iJUSyyy9DPn/ogCvYWqU++LP7B2ZuOnd+WPZhzc+d8Sqv0JhTQjYrzaclaiG
+B1syWalYRAJogMXOGR102MA4wovJrlHFuTVSWiDe0uguLxyjoTMIRqbib9ZAMSLX
+bfcM2abGpXgq10abda3KKAJbZyr2fnBvqKTs4a4zYeHJpQT+NBPMiryb2WnPFg+b
+93nrjDxUtPsx8NJz6HGkSQLagXkZX2J1JpT8loaNIdyQHab1LNXptc84LR8xxusy
+bs5NowECgYEA+j+SwVgeC+NCUIfxr3F9zPAD9A0Tk3gD4z+j0opfLIMghX4jtK0e
+9fQyglecAbojlkEUk/js5IVZ0IIhBNPWXxKtdShZO7EmJ6Z5IEmFrZK1xUomYBa2
+BfysqSAkxVLsTDIfI0Q4DHQNDOV+iY3j8WoaR51cXr+IY+mYBGSNI80CgYEA2VS5
+X5QHDxoh3r5ORiyab3ciubEofJ29D3NR1tCe9ZgSYRV5Y7T/4KPpZdpsEX/ydYD6
+X4DyURuYNK7PUR8DSlX7/VuMzHThqGJMaT0LE+alU4bruiad33X1WXgtcPTGCic0
+8il50TZTgba0CwxuCO1eVb3IijwgJBX/byM67nMCgYEA7As1KSwtwzbMoVtpa/xY
+Fgu7HuOKuIn22M55fylH1puk/GXb1huJ3aNGVU2/+J0T3jFq8JxXDsJ90kA8Vupe
+BXV/qceyS6yv+ax8Cilvbya4T+y+P9qMPR912V1Zccri2ohYeJJrb8uzV5vM/ICb
+JmbXfP+AVlrBksSOwG37920CgYEAsSi2X6o8QtxLhdZd2ihbz8cu4G4AkezHhAO+
+T70KBytquAcYR+Xwu38CMEvn0jAZRh3YeueTH/i9jxx81STRutPysSni0Xvpwyg2
+H4dqM1PNqxQNrlXyVYlDciZb7HsrwHULXOfgbGG7mr6Db4o3XEGap4woID84+BGS
+glcWn+8CgYEA36uulmZcodfet04qQvlDtr1d7mwLdTR/JAO0ZBIgFH7eGZdEVh8O
+DoTJTdSSJGiv8J35PwEXfhKHjhgOjDocLYu+yCOwVj7jRdHqlDS1BaE36Hzdw0rb
+mWkBRMGJtGhzhoRJEFHAnoLXc9danRfnHwVR58drlf7bjR5I9eU9u1I=
+-----END RSA PRIVATE KEY-----

vendor/k8s.io/kubernetes/pkg/controller/certificates/signer/testdata/kubelet.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH1MIGdAgEAMDsxFTATBgNVBAoTDHN5c3RlbTpub2RlczEiMCAGA1UEAxMZc3lz
+dGVtOm5vZGU6ay1hLW5vZGUtczM2YjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BJbxa5Y8SrUJVHpOoWD5ceqH+5R9mjIhwVP2sqfTcLkjvbitzOiLlxSq/LwJ+qq7
+kVpf9f3GopZVhRWbYSCg0YGgADAKBggqhkjOPQQDAgNHADBEAiAabb6XFtPOJUCQ
++84NhxLEvPANhrtwFq3Q0qFZ9TzH5QIgc/697RTTcbri2lVj+10dLFIC3VYJ7br4
+QjA7haCYXrA=
+-----END CERTIFICATE REQUEST-----