Sign new certificate using loadbalancer-serving-signer (#104)
* Sign new certificate using loadbalancer-serving-signer

* update docs
loganmc10 authored Sep 19, 2023
1 parent a512ca5 commit ab043ed
Showing 6 changed files with 43 additions and 19 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -7,7 +7,7 @@
## Description
This operator can assist in reconfiguring a cluster once it has been moved to a new location. It performs the following steps:

* Update the API and Ingress domain aliases using a generated self-signed certificate, or using a user provided certificate.
* Update the API and Ingress domain aliases using a generated certificate (signed by loadbalancer-serving-signer), or using a user provided certificate.
* Update the internal DNS records for the API and Ingress (SNO only).
* (Optional) Update the cluster-wide pull secret.
* (Optional) Add new SSH keys for the 'core' user.
4 changes: 2 additions & 2 deletions api/v1beta1/clusterrelocation_types.go
Expand Up @@ -38,7 +38,7 @@ type ClusterRelocationSpec struct {
AddInternalDNSEntries *bool `json:"addInternalDNSEntries,omitempty"`

// APICertRef is a reference to a TLS secret that will be used for the API server.
// If it is omitted, a self-signed certificate will be generated.
// If it is omitted, a certificate will be generated and signed by loadbalancer-serving-signer.
// The type of the secret must be kubernetes.io/tls.
//+operator-sdk:csv:customresourcedefinitions:type=spec
APICertRef *corev1.SecretReference `json:"apiCertRef,omitempty"`
Expand All @@ -56,7 +56,7 @@ type ClusterRelocationSpec struct {
ImageDigestMirrors []configv1.ImageDigestMirrors `json:"imageDigestMirrors,omitempty"`

// IngressCertRef is a reference to a TLS secret that will be used for the Ingress Controller.
// If it is omitted, a self-signed certificate will be generated.
// If it is omitted, a certificate will be generated and signed by loadbalancer-serving-signer.
// The type of the secret must be kubernetes.io/tls.
//+operator-sdk:csv:customresourcedefinitions:type=spec
IngressCertRef *corev1.SecretReference `json:"ingressCertRef,omitempty"`
10 changes: 6 additions & 4 deletions config/crd/bases/rhsyseng.github.io_clusterrelocations.yaml
Expand Up @@ -246,8 +246,9 @@ spec:
type: boolean
apiCertRef:
description: APICertRef is a reference to a TLS secret that will be
used for the API server. If it is omitted, a self-signed certificate
will be generated. The type of the secret must be kubernetes.io/tls.
used for the API server. If it is omitted, a certificate will be
generated and signed by loadbalancer-serving-signer. The type of
the secret must be kubernetes.io/tls.
properties:
name:
description: name is unique within a namespace to reference a
Expand Down Expand Up @@ -341,8 +342,9 @@ spec:
type: array
ingressCertRef:
description: IngressCertRef is a reference to a TLS secret that will
be used for the Ingress Controller. If it is omitted, a self-signed
certificate will be generated. The type of the secret must be kubernetes.io/tls.
be used for the Ingress Controller. If it is omitted, a certificate
will be generated and signed by loadbalancer-serving-signer. The
type of the secret must be kubernetes.io/tls.
properties:
name:
description: name is unique within a namespace to reference a
8 changes: 4 additions & 4 deletions internal/api/reconcile.go
Expand Up @@ -23,7 +23,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
var origSecretName string
var origSecretNamespace string
if relocation.Spec.APICertRef == nil {
// If they haven't specified an APICertRef, we generate a self-signed certificate for them
// If they haven't specified an APICertRef, we generate a certificate for them
origSecretName = "generated-api-secret"
origSecretNamespace = rhsysenggithubiov1beta1.ConfigNamespace
secret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: origSecretName, Namespace: origSecretNamespace}}
Expand All @@ -36,7 +36,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
if !ok {
logger.Info("generating new TLS cert for API")
var err error
secret.Data, err = secrets.GenerateTLSKeyPair(relocation.Spec.Domain, "api")
secret.Data, err = secrets.GenerateTLSKeyPair(ctx, c, relocation.Spec.Domain, "api")
if err != nil {
return err
}
Expand All @@ -49,7 +49,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
if commonName != fmt.Sprintf("api.%s", relocation.Spec.Domain) {
logger.Info("Domain name has changed, generating new TLS certificate for API")
var err error
secret.Data, err = secrets.GenerateTLSKeyPair(relocation.Spec.Domain, "api")
secret.Data, err = secrets.GenerateTLSKeyPair(ctx, c, relocation.Spec.Domain, "api")
if err != nil {
return err
}
Expand All @@ -63,7 +63,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
return err
}
if op != controllerutil.OperationResultNone {
logger.Info("Self-signed API TLS cert modified", "OperationResult", op)
logger.Info("API TLS cert modified", "OperationResult", op)
}
} else {
if relocation.Spec.APICertRef.Name == "" || relocation.Spec.APICertRef.Namespace == "" {
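Review bot: The regeneration condition `if commonName != fmt.Sprintf("api.%s", relocation.Spec.Domain)` still decides only on the CommonName, so an existing generated-api-secret that was self-signed by an earlier version of this operator (or, if the signer is ever rotated, signed by a stale signer key) is treated as up to date and is never re-issued under the current loadbalancer-serving-signer. Consider also comparing the stored certificate's Issuer, or verifying it against the current signer certificate, before skipping regeneration, e.g. `if commonName != expectedCN || !issuedByCurrentSigner { ... regenerate ... }` with a small helper alongside GetCertCommonName. The parallel check in internal/ingress/reconcile.go (`*.apps.%s`) has the same gap. Reconcile begins and ends outside these hunks.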
8 changes: 4 additions & 4 deletions internal/ingress/reconcile.go
Expand Up @@ -29,7 +29,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
var origSecretName string
var origSecretNamespace string
if relocation.Spec.IngressCertRef == nil {
// If they haven't specified an IngressCertRef, we generate a self-signed certificate for them
// If they haven't specified an IngressCertRef, we generate a certificate for them
origSecretName = "generated-ingress-secret"
origSecretNamespace = rhsysenggithubiov1beta1.IngressNamespace
secret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: origSecretName, Namespace: origSecretNamespace}}
Expand All @@ -42,7 +42,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
if !ok {
logger.Info("generating new TLS cert for Ingresses")
var err error
secret.Data, err = secrets.GenerateTLSKeyPair(relocation.Spec.Domain, "*.apps")
secret.Data, err = secrets.GenerateTLSKeyPair(ctx, c, relocation.Spec.Domain, "*.apps")
if err != nil {
return err
}
Expand All @@ -55,7 +55,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
if commonName != fmt.Sprintf("*.apps.%s", relocation.Spec.Domain) {
logger.Info("Domain name has changed, generating new TLS certificate for Ingresses")
var err error
secret.Data, err = secrets.GenerateTLSKeyPair(relocation.Spec.Domain, "*.apps")
secret.Data, err = secrets.GenerateTLSKeyPair(ctx, c, relocation.Spec.Domain, "*.apps")
if err != nil {
return err
}
Expand All @@ -69,7 +69,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
return err
}
if op != controllerutil.OperationResultNone {
logger.Info("Self-signed Ingress TLS cert modified", "OperationResult", op)
logger.Info("Ingress TLS cert modified", "OperationResult", op)
}

secretName := origSecretName
30 changes: 26 additions & 4 deletions internal/secrets/secrets.go
Expand Up @@ -44,14 +44,36 @@ func GetCertCommonName(TLSCertKey []byte) (string, error) {
return cert.Subject.CommonName, nil
}

func GenerateTLSKeyPair(domain string, prefix string) (map[string][]byte, error) {
func GenerateTLSKeyPair(ctx context.Context, c client.Client, domain string, prefix string) (map[string][]byte, error) {
// Sign the certificate using loadbalancer-serving-signer
lbSigningSecret := &corev1.Secret{}
if err := c.Get(ctx, types.NamespacedName{Name: "loadbalancer-serving-signer", Namespace: "openshift-kube-apiserver-operator"}, lbSigningSecret); err != nil {
return nil, err
}
certBlock, _ := pem.Decode(lbSigningSecret.Data[corev1.TLSCertKey])
if certBlock == nil {
return nil, fmt.Errorf("could not decode loadbalancer-serving-signer certificate")
}
lbSigningCert, err := x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return nil, err
}
keyBlock, _ := pem.Decode(lbSigningSecret.Data[corev1.TLSPrivateKeyKey])
if keyBlock == nil {
return nil, fmt.Errorf("could not decode loadbalancer-serving-signer private key")
}
lbSigningPrivateKey, err := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
if err != nil {
return nil, err
}

// Generate a private key
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return nil, err
}

// Create a self-signed certificate template
// Create a certificate template
certificateTemplate := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{CommonName: fmt.Sprintf("%s.%s", prefix, domain)},
Expand All @@ -61,8 +83,8 @@ func GenerateTLSKeyPair(domain string, prefix string) (map[string][]byte, error)
DNSNames: []string{fmt.Sprintf("%s.%s", prefix, domain)},
}

// Create a self-signed certificate using the private key and certificate template
derBytes, err := x509.CreateCertificate(rand.Reader, &certificateTemplate, &certificateTemplate, &privateKey.PublicKey, privateKey)
// Create a certificate using the private key and certificate template, signed by loadbalancer-serving-signer
derBytes, err := x509.CreateCertificate(rand.Reader, &certificateTemplate, lbSigningCert, &privateKey.PublicKey, lbSigningPrivateKey)
if err != nil {
return nil, err
}
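Review bot: `SerialNumber: big.NewInt(1)` on the unchanged template line becomes a defect with this change: now that `lbSigningCert` is the parent, the API certificate, the Ingress certificate and every regeneration after a domain change are all issued by the same issuer with serial 1, which breaks the per-issuer uniqueness RFC 5280 requires and causes some clients to reject the later certificate as a reused issuer/serial pair. Draw the serial from `rand.Reader` instead, as below (`crypto/rand` and `math/big` are already in use in this function). The `c.Get` of the signer secret in openshift-kube-apiserver-operator also presumes the operator's RBAC allows reading Secrets in that namespace; none of the six changed files touches RBAC, so confirm the existing role already grants it. The template's NotBefore/NotAfter lines lie outside the hunk; the leaf's NotAfter should not exceed `lbSigningCert.NotAfter`, or clients will see a chain whose issuer expires before the leaf. GenerateTLSKeyPair continues past the end of the hunk.

```go
	// Serial numbers must be unique per issuer now that every generated
	// certificate is signed by loadbalancer-serving-signer rather than by itself.
	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	certificateTemplate := x509.Certificate{
		SerialNumber: serialNumber,
		// … unchanged: Subject, validity, DNSNames …
	}
```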
