Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
59177e58
Commit
59177e58
authored
Nov 15, 2019
by
Darren Shepherd
Committed by
Craig Jellick
Nov 15, 2019
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Bump dynamiclistener to support RSA keys
parent
4e544bde
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
47 additions
and
50 deletions
+47
-50
go.mod
go.mod
+1
-1
go.sum
go.sum
+2
-2
ca.go
vendor/github.com/rancher/dynamiclistener/factory/ca.go
+14
-7
cert_utils.go
.../github.com/rancher/dynamiclistener/factory/cert_utils.go
+1
-19
gen.go
vendor/github.com/rancher/dynamiclistener/factory/gen.go
+10
-14
controller.go
.../rancher/dynamiclistener/storage/kubernetes/controller.go
+15
-5
memory.go
...thub.com/rancher/dynamiclistener/storage/memory/memory.go
+3
-1
modules.txt
vendor/modules.txt
+1
-1
No files found.
go.mod
View file @
59177e58
...
...
@@ -100,7 +100,7 @@ require (
github.com/opencontainers/runc v1.0.0-rc2.0.20190611121236-6cc515888830
github.com/pkg/errors v0.8.1
github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8 // indirect
github.com/rancher/dynamiclistener v0.
1.1-0.20191113144757-736b5d5d8b51
github.com/rancher/dynamiclistener v0.
2.0
github.com/rancher/helm-controller v0.2.2
github.com/rancher/kine v0.2.4
github.com/rancher/remotedialer v0.2.0
...
...
go.sum
View file @
59177e58
...
...
@@ -582,8 +582,8 @@ github.com/rancher/cri v1.3.0-k3s.2 h1:k2XFyD+ZdsGvNfugdvqD38KSMANT3JmTFULFM2CtI
github.com/rancher/cri v1.3.0-k3s.2/go.mod h1:Ht5T1dIKzm+4NExmb7wDVG6qR+j0xeXIjjhCv1d9geY=
github.com/rancher/cri-tools v1.16.1-k3s.1 h1:iporgQ46noE6dtLzq6fWcIO2qjyPZy2m42d2P+UnGJg=
github.com/rancher/cri-tools v1.16.1-k3s.1/go.mod h1:TEKhKv2EJIZp+p9jnEy4C63g8CosJzsI4kyKKkHag+8=
github.com/rancher/dynamiclistener v0.
1.1-0.20191113144757-736b5d5d8b51 h1:+UOLT6b1Of/gSiLR1i+m81ITu79vUpIU8zpsxbY4Hlw
=
github.com/rancher/dynamiclistener v0.
1.1-0.20191113144757-736b5d5d8b51
/go.mod h1:fs/dxyNcB3YT6W9fVz4bDGfhmSQS17QQup6BIcGF++s=
github.com/rancher/dynamiclistener v0.
2.0 h1:KucYwJXVVGhZ/NndfMCeQoCafT/VN7kvqSGgmlX8Lxk
=
github.com/rancher/dynamiclistener v0.
2.0
/go.mod h1:fs/dxyNcB3YT6W9fVz4bDGfhmSQS17QQup6BIcGF++s=
github.com/rancher/flannel v0.11.0-k3s.1 h1:mIwnfWDafjzQgFkZeJ1AkFrrAT3EdBaA1giE0eLJKo8=
github.com/rancher/flannel v0.11.0-k3s.1/go.mod h1:Hn4ZV+eq0LhLZP63xZnxdGwXEoRSxs5sxELxu27M3UA=
github.com/rancher/go-dqlite v1.1.0-k3s.1 h1:w3ghNkY5vqRnnrcqxvHkpBQr6E+R/nIwJfaGdNgJAiw=
...
...
vendor/github.com/rancher/dynamiclistener/factory/ca.go
View file @
59177e58
package
factory
import
(
"crypto
/ecdsa
"
"crypto"
"crypto/x509"
"fmt"
"io/ioutil"
"os"
"github.com/rancher/dynamiclistener/cert"
)
func
GenCA
()
(
*
x509
.
Certificate
,
*
ecdsa
.
PrivateKey
,
error
)
{
func
GenCA
()
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
{
caKey
,
err
:=
NewPrivateKey
()
if
err
!=
nil
{
return
nil
,
nil
,
err
...
...
@@ -21,7 +24,7 @@ func GenCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
return
caCert
,
caKey
,
nil
}
func
LoadOrGenCA
()
(
*
x509
.
Certificate
,
*
ecdsa
.
PrivateKey
,
error
)
{
func
LoadOrGenCA
()
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
{
cert
,
key
,
err
:=
loadCA
()
if
err
==
nil
{
return
cert
,
key
,
nil
...
...
@@ -52,11 +55,11 @@ func LoadOrGenCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
return
cert
,
key
,
nil
}
func
loadCA
()
(
*
x509
.
Certificate
,
*
ecdsa
.
PrivateKey
,
error
)
{
func
loadCA
()
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
{
return
LoadCerts
(
"./certs/ca.pem"
,
"./certs/ca.key"
)
}
func
LoadCerts
(
certFile
,
keyFile
string
)
(
*
x509
.
Certificate
,
*
ecdsa
.
PrivateKey
,
error
)
{
func
LoadCerts
(
certFile
,
keyFile
string
)
(
*
x509
.
Certificate
,
crypto
.
Signer
,
error
)
{
caPem
,
err
:=
ioutil
.
ReadFile
(
certFile
)
if
err
!=
nil
{
return
nil
,
nil
,
err
...
...
@@ -66,15 +69,19 @@ func LoadCerts(certFile, keyFile string) (*x509.Certificate, *ecdsa.PrivateKey,
return
nil
,
nil
,
err
}
key
,
err
:=
ParseEC
PrivateKeyPEM
(
caKey
)
key
,
err
:=
cert
.
Parse
PrivateKeyPEM
(
caKey
)
if
err
!=
nil
{
return
nil
,
nil
,
err
}
signer
,
ok
:=
key
.
(
crypto
.
Signer
)
if
!
ok
{
return
nil
,
nil
,
fmt
.
Errorf
(
"key is not a crypto.Signer"
)
}
cert
,
err
:=
ParseCertPEM
(
caPem
)
if
err
!=
nil
{
return
nil
,
nil
,
err
}
return
cert
,
key
,
nil
return
cert
,
signer
,
nil
}
vendor/github.com/rancher/dynamiclistener/factory/cert_utils.go
View file @
59177e58
...
...
@@ -2,7 +2,6 @@ package factory
import
(
"crypto"
"crypto/ecdsa"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
...
...
@@ -15,8 +14,7 @@ import (
)
const
(
ECPrivateKeyBlockType
=
"EC PRIVATE KEY"
CertificateBlockType
=
"CERTIFICATE"
CertificateBlockType
=
"CERTIFICATE"
)
func
NewSelfSignedCACert
(
key
crypto
.
Signer
,
cn
string
,
org
...
string
)
(
*
x509
.
Certificate
,
error
)
{
...
...
@@ -72,22 +70,6 @@ func NewSignedCert(signer crypto.Signer, caCert *x509.Certificate, caKey crypto.
return
x509
.
ParseCertificate
(
cert
)
}
func
ParseECPrivateKeyPEM
(
keyData
[]
byte
)
(
*
ecdsa
.
PrivateKey
,
error
)
{
var
privateKeyPemBlock
*
pem
.
Block
for
{
privateKeyPemBlock
,
keyData
=
pem
.
Decode
(
keyData
)
if
privateKeyPemBlock
==
nil
{
break
}
if
privateKeyPemBlock
.
Type
==
ECPrivateKeyBlockType
{
return
x509
.
ParseECPrivateKey
(
privateKeyPemBlock
.
Bytes
)
}
}
return
nil
,
fmt
.
Errorf
(
"pem does not include a valid EC private key"
)
}
func
ParseCertPEM
(
pemCerts
[]
byte
)
(
*
x509
.
Certificate
,
error
)
{
var
pemBlock
*
pem
.
Block
for
{
...
...
vendor/github.com/rancher/dynamiclistener/factory/gen.go
View file @
59177e58
...
...
@@ -13,6 +13,7 @@ import (
"sort"
"strings"
"github.com/rancher/dynamiclistener/cert"
v1
"k8s.io/api/core/v1"
)
...
...
@@ -105,7 +106,7 @@ func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
return
secret
,
true
,
nil
}
func
(
t
*
TLS
)
newCert
(
domains
[]
string
,
ips
[]
net
.
IP
,
privateKey
*
ecdsa
.
PrivateKey
)
(
*
x509
.
Certificate
,
error
)
{
func
(
t
*
TLS
)
newCert
(
domains
[]
string
,
ips
[]
net
.
IP
,
privateKey
crypto
.
Signer
)
(
*
x509
.
Certificate
,
error
)
{
return
NewSignedCert
(
privateKey
,
t
.
CACert
,
t
.
CAKey
,
t
.
CN
,
t
.
Organization
,
domains
,
ips
)
}
...
...
@@ -134,39 +135,34 @@ func NeedsUpdate(secret *v1.Secret, cn ...string) bool {
return
false
}
func
getPrivateKey
(
secret
*
v1
.
Secret
)
(
*
ecdsa
.
PrivateKey
,
error
)
{
func
getPrivateKey
(
secret
*
v1
.
Secret
)
(
crypto
.
Signer
,
error
)
{
keyBytes
:=
secret
.
Data
[
v1
.
TLSPrivateKeyKey
]
if
len
(
keyBytes
)
==
0
{
return
NewPrivateKey
()
}
privateKey
,
err
:=
ParseEC
PrivateKeyPEM
(
keyBytes
)
if
err
==
nil
{
return
privateKey
,
nil
privateKey
,
err
:=
cert
.
Parse
PrivateKeyPEM
(
keyBytes
)
if
signer
,
ok
:=
privateKey
.
(
crypto
.
Signer
);
ok
&&
err
==
nil
{
return
signer
,
nil
}
return
NewPrivateKey
()
}
func
Marshal
(
x509Cert
*
x509
.
Certificate
,
privateKey
*
ecdsa
.
PrivateKey
)
([]
byte
,
[]
byte
,
error
)
{
func
Marshal
(
x509Cert
*
x509
.
Certificate
,
privateKey
crypto
.
Signer
)
([]
byte
,
[]
byte
,
error
)
{
certBlock
:=
pem
.
Block
{
Type
:
CertificateBlockType
,
Bytes
:
x509Cert
.
Raw
,
}
keyBytes
,
err
:=
x509
.
MarshalECPrivateKey
(
privateKey
)
keyBytes
,
err
:=
cert
.
MarshalPrivateKeyToPEM
(
privateKey
)
if
err
!=
nil
{
return
nil
,
nil
,
err
}
keyBlock
:=
pem
.
Block
{
Type
:
ECPrivateKeyBlockType
,
Bytes
:
keyBytes
,
}
return
pem
.
EncodeToMemory
(
&
certBlock
),
pem
.
EncodeToMemory
(
&
keyBlock
),
nil
return
pem
.
EncodeToMemory
(
&
certBlock
),
keyBytes
,
nil
}
func
NewPrivateKey
()
(
*
ecdsa
.
PrivateKey
,
error
)
{
func
NewPrivateKey
()
(
crypto
.
Signer
,
error
)
{
return
ecdsa
.
GenerateKey
(
elliptic
.
P256
(),
rand
.
Reader
)
}
vendor/github.com/rancher/dynamiclistener/storage/kubernetes/controller.go
View file @
59177e58
...
...
@@ -80,9 +80,19 @@ func (s *storage) init(secrets v1controller.SecretController) {
})
s
.
secrets
=
secrets
secret
,
err
:=
s
.
storage
.
Get
()
if
err
==
nil
&&
secret
!=
nil
{
s
.
saveInK8s
(
secret
)
if
secret
,
err
:=
s
.
storage
.
Get
();
err
==
nil
&&
secret
!=
nil
&&
len
(
secret
.
Data
)
>
0
{
// just ensure there is a secret in k3s
if
_
,
err
:=
s
.
secrets
.
Get
(
s
.
namespace
,
s
.
name
,
metav1
.
GetOptions
{});
errors
.
IsNotFound
(
err
)
{
_
,
_
=
s
.
secrets
.
Create
(
&
v1
.
Secret
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
s
.
name
,
Namespace
:
s
.
namespace
,
Annotations
:
secret
.
Annotations
,
},
Type
:
v1
.
SecretTypeTLS
,
Data
:
secret
.
Data
,
})
}
}
}
...
...
@@ -132,10 +142,10 @@ func (s *storage) saveInK8s(secret *v1.Secret) (*v1.Secret, error) {
targetSecret
.
Data
=
secret
.
Data
if
targetSecret
.
UID
==
""
{
logrus
.
Infof
(
"Creating new TLS secret for %v (count: %d)
"
,
targetSecret
.
Name
,
len
(
targetSecret
.
Data
)
-
1
)
logrus
.
Infof
(
"Creating new TLS secret for %v (count: %d)
: %v"
,
targetSecret
.
Name
,
len
(
targetSecret
.
Annotations
)
-
1
,
targetSecret
.
Annotations
)
return
s
.
secrets
.
Create
(
targetSecret
)
}
else
{
logrus
.
Infof
(
"Updating TLS secret for %v (count: %d)
"
,
targetSecret
.
Name
,
len
(
targetSecret
.
Data
)
-
1
)
logrus
.
Infof
(
"Updating TLS secret for %v (count: %d)
: %v"
,
targetSecret
.
Name
,
len
(
targetSecret
.
Annotations
)
-
1
,
targetSecret
.
Annotations
)
return
s
.
secrets
.
Update
(
targetSecret
)
}
}
...
...
vendor/github.com/rancher/dynamiclistener/storage/memory/memory.go
View file @
59177e58
...
...
@@ -2,6 +2,7 @@ package memory
import
(
"github.com/rancher/dynamiclistener"
"github.com/sirupsen/logrus"
v1
"k8s.io/api/core/v1"
)
...
...
@@ -15,7 +16,7 @@ func NewBacked(storage dynamiclistener.TLSStorage) dynamiclistener.TLSStorage {
type
memory
struct
{
storage
dynamiclistener
.
TLSStorage
secret
*
v1
.
Secret
secret
*
v1
.
Secret
}
func
(
m
*
memory
)
Get
()
(
*
v1
.
Secret
,
error
)
{
...
...
@@ -37,6 +38,7 @@ func (m *memory) Update(secret *v1.Secret) error {
}
}
logrus
.
Infof
(
"Active TLS secret %s (ver=%s) (count %d): %v"
,
secret
.
Name
,
secret
.
ResourceVersion
,
len
(
secret
.
Annotations
)
-
1
,
secret
.
Annotations
)
m
.
secret
=
secret
return
nil
}
vendor/modules.txt
View file @
59177e58
...
...
@@ -748,7 +748,7 @@ github.com/prometheus/procfs/internal/util
# github.com/rakelkar/gonetsh v0.0.0-20190719023240-501daadcadf8
github.com/rakelkar/gonetsh/netroute
github.com/rakelkar/gonetsh/netsh
# github.com/rancher/dynamiclistener v0.
1.1-0.20191113144757-736b5d5d8b51
# github.com/rancher/dynamiclistener v0.
2.0
github.com/rancher/dynamiclistener
github.com/rancher/dynamiclistener/factory
github.com/rancher/dynamiclistener/storage/file
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment