Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Store CA cert in all namespaces #5

Merged
merged 2 commits into from
Oct 9, 2023
Merged

Store CA cert in all namespaces #5

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
834680d
Store CA cert in all namespaces
lloesche Oct 9, 2023
2a96738
mypy
lloesche Oct 9, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions fixca/__main__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,13 +31,19 @@ def main() -> None:
add_event_listener(EventType.SHUTDOWN, shutdown)

CA.initialize(namespace=args.namespace, secret_name=args.secret, dummy_ca=args.dummy_ca)
CA.store_ca_certs()

common_name = "ca.fix"
common_name = "fixca"
cert_key = gen_rsa_key()
cert_csr = gen_csr(
cert_key,
common_name=common_name,
san_dns_names=[common_name],
san_dns_names=[
common_name,
f"{common_name}.{args.namespace}",
f"{common_name}.{args.namespace}.svc",
f"{common_name}.{args.namespace}.svc.cluster.local",
],
)
cert_crt = CA.sign(cert_csr)
with TemporaryDirectory() as tmpdir:
Expand Down
13 changes: 12 additions & 1 deletion fixca/ca.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
gen_ca_bundle_bytes,
)
from resotolib.jwt import encode_jwt, decode_jwt_from_headers
from .k8s import get_secret, set_secret
from .k8s import get_secret, set_secret, get_namespaces
from .utils import str_to_bool


Expand Down Expand Up @@ -143,6 +143,17 @@ def store_secret(
data=secret,
)

@requires_initialized
def store_ca_certs(self, exclude_system: bool = True) -> None:
assert self.cert is not None
for namespace in get_namespaces(exclude_system=exclude_system):
log.debug(f"Storing CA cert in {namespace}/fix-ca-cert")
set_secret(
namespace=namespace,
secret_name="fix-ca-cert",
data={"ca.crt": cert_to_bytes(self.cert).decode("utf-8")},
)


CA: CertificateAuthority = CertificateAuthority()
PSK: Optional[str] = None
Expand Down
19 changes: 19 additions & 0 deletions fixca/k8s.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
from resotolib.logger import log
from kubernetes import client, config
from kubernetes.client.exceptions import ApiException
from kubernetes.client.models.v1_namespace_list import V1NamespaceList
from kubernetes.client.models.v1_namespace import V1Namespace
from .utils import memoize


Expand Down Expand Up @@ -60,3 +62,20 @@ def set_secret(namespace: str, secret_name: str, data: dict[str, str]) -> None:
raise
else:
raise


def get_namespaces(exclude_system: bool = True) -> list[str]:
k8s = k8s_client()

system_namespaces = ["kube-system", "kube-public", "kube-node-lease"]

try:
namespaces: V1NamespaceList = k8s.list_namespace()
return [
ns.metadata.name
for ns in namespaces.items
if isinstance(ns, V1Namespace) and (not exclude_system or ns.metadata.name not in system_namespaces)
]
except ApiException as e:
log.error(f"Failed to fetch namespaces: {e}")
return []
Loading