Created
December 10, 2019 22:06
https://github.com/linkerd/linkerd2/pull/3696 - upgrade.go
```diff | |
diff --git a/cli/cmd/upgrade.go b/cli/cmd/upgrade.go | |
index e4b674a1..70be6450 100644 | |
--- a/cli/cmd/upgrade.go | |
+++ b/cli/cmd/upgrade.go | |
@@ -6,13 +6,13 @@ import ( | |
"fmt" | |
"io/ioutil" | |
"os" | |
- "time" | |
"github.com/linkerd/linkerd2/pkg/config" | |
pb "github.com/linkerd/linkerd2/controller/gen/config" | |
charts "github.com/linkerd/linkerd2/pkg/charts/linkerd2" | |
"github.com/linkerd/linkerd2/pkg/healthcheck" | |
+ "github.com/linkerd/linkerd2/pkg/issuercerts" | |
"github.com/linkerd/linkerd2/pkg/k8s" | |
"github.com/linkerd/linkerd2/pkg/tls" | |
"github.com/linkerd/linkerd2/pkg/version" | |
@@ -393,7 +393,7 @@ func (options *upgradeOptions) fetchIdentityValues(k kubernetes.Interface, idctx | |
} | |
var trustAnchorsPEM string | |
- var issuerData *issuerData | |
+ var issuerData *issuercerts.IssuerCertData | |
var err error | |
if options.identityOptions.trustPEMFile != "" { | |
@@ -422,94 +422,60 @@ func (options *upgradeOptions) fetchIdentityValues(k kubernetes.Interface, idctx | |
Scheme: idctx.Scheme, | |
ClockSkewAllowance: idctx.GetClockSkewAllowance().String(), | |
IssuanceLifetime: idctx.GetIssuanceLifetime().String(), | |
- CrtExpiry: issuerData.exp, | |
+ CrtExpiry: *issuerData.Expiry, | |
CrtExpiryAnnotation: k8s.IdentityIssuerExpiryAnnotation, | |
TLS: &charts.TLS{ | |
- KeyPEM: issuerData.key, | |
- CrtPEM: issuerData.crt, | |
+ KeyPEM: issuerData.IssuerKey, | |
+ CrtPEM: issuerData.IssuerCrt, | |
}, | |
}, | |
}, nil | |
} | |
-type issuerData struct { | |
- key string | |
- crt string | |
- exp time.Time | |
-} | |
+func readIssuer(trustPEM, issuerCrtPath, issuerKeyPath string) (*issuercerts.IssuerCertData, error) { | |
-func verifyCreds(creds *tls.Cred, trustAnchors, dns string) error { | |
- roots, err := tls.DecodePEMCertPool(trustAnchors) | |
+ key, crt, err := issuercerts.LoadIssuerCrtAndKeyFromFiles(issuerKeyPath, issuerCrtPath) | |
if err != nil { | |
- return err | |
+ return nil, err | |
} | |
- if err := creds.Verify(roots, dns); err != nil { | |
- return fmt.Errorf("invalid credentials: %s", err) | |
+ issuerData := &issuercerts.IssuerCertData{ | |
+ TrustAnchors: trustPEM, | |
+ IssuerCrt: crt, | |
+ IssuerKey: key, | |
} | |
- return nil | |
-} | |
- | |
-func readIssuer(trustPEM, issuerCrtPath, issuerKeyPath string) (*issuerData, error) { | |
- creds, err := tls.ReadPEMCreds(issuerKeyPath, issuerCrtPath) | |
- if err != nil { | |
+ if _, err := issuerData.VerifyAndBuildCreds(""); err != nil { | |
return nil, err | |
} | |
- if err := verifyCreds(creds, trustPEM, ""); err != nil { | |
- return nil, fmt.Errorf("invalid issuer credentials: %s", err) | |
- } | |
- | |
- return &issuerData{ | |
- key: creds.EncodePrivateKeyPEM(), | |
- crt: creds.EncodeCertificatePEM(), | |
- exp: creds.Certificate.NotAfter, | |
- }, nil | |
+ return issuerData, nil | |
} | |
-func fetchIssuer(k kubernetes.Interface, trustPEM string, scheme string) (*issuerData, error) { | |
- crtName := k8s.IdentityIssuerCrtName | |
- keyName := k8s.IdentityIssuerKeyName | |
- | |
- roots, err := tls.DecodePEMCertPool(trustPEM) | |
- if err != nil { | |
- return nil, err | |
- } | |
+func fetchIssuer(k kubernetes.Interface, trustPEM string, scheme string) (*issuercerts.IssuerCertData, error) { | |
+ var ( | |
+ issuerData *issuercerts.IssuerCertData | |
+ err error | |
+ ) | |
- secret, err := k.CoreV1(). | |
- Secrets(controlPlaneNamespace). | |
- Get(k8s.IdentityIssuerSecretName, metav1.GetOptions{}) | |
+ kubeAPI, err := k8s.NewAPI(kubeconfigPath, kubeContext, impersonate, 0) | |
if err != nil { | |
return nil, err | |
} | |
- if scheme == string(corev1.SecretTypeTLS) { | |
- crtName = corev1.TLSCertKey | |
- keyName = corev1.TLSPrivateKeyKey | |
- } | |
- keyPEM := string(secret.Data[keyName]) | |
- key, err := tls.DecodePEMKey(keyPEM) | |
- if err != nil { | |
- return nil, err | |
+ switch scheme { | |
+ case string(corev1.SecretTypeTLS): | |
+ issuerData, err = issuercerts.FetchExternalIssuerData(kubeAPI, controlPlaneNamespace) | |
+ case "": | |
+ issuerData, err = issuercerts.FetchIssuerData(kubeAPI, trustPEM, controlPlaneNamespace) | |
} | |
- crtPEM := string(secret.Data[crtName]) | |
- crt, err := tls.DecodePEMCrt(crtPEM) | |
+ cred, err := issuerData.VerifyAndBuildCreds("") | |
if err != nil { | |
return nil, err | |
} | |
- cred := &tls.Cred{PrivateKey: key, Crt: *crt} | |
- if err = cred.Verify(roots, ""); err != nil { | |
- return nil, fmt.Errorf("invalid issuer credentials: %s", err) | |
- } | |
- | |
- return &issuerData{ | |
- key: keyPEM, | |
- crt: crtPEM, | |
- exp: crt.Certificate.NotAfter, | |
- }, nil | |
- | |
+ issuerData.Expiry = &cred.Crt.Certificate.NotAfter | |
+ return issuerData, nil | |
} | |
// upgradeErrorf prints the error message and quits the upgrade process | |
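Review bot: The error assigned inside the `switch scheme` block of fetchIssuer is never checked: the following `cred, err := issuerData.VerifyAndBuildCreds("")` overwrites it, and on a failed fetch (or a scheme that matches neither case, where the switch has no default) issuerData is still nil when that method is called. Add a `default` branch and an error check after the switch, as below. readIssuer has a related gap: it discards the result of `VerifyAndBuildCreds` and never sets Expiry, so the `CrtExpiry: *issuerData.Expiry` dereference near the top of this hunk panics on the file-based path; write `cred, err := issuerData.VerifyAndBuildCreds("")` followed by `issuerData.Expiry = &cred.Crt.Certificate.NotAfter`, as fetchIssuer already does. fetchIssuer's `k kubernetes.Interface` parameter is now unused, since the function builds its own client with k8s.NewAPI; either use it or drop it. fetchIdentityValues, which contains the CrtExpiry line, starts before this hunk.
```go
	switch scheme {
	// … unchanged: SecretTypeTLS and "" cases …
	default:
		return nil, fmt.Errorf("unsupported identity issuer scheme %q", scheme)
	}
	if err != nil {
		return nil, err
	}
	cred, err := issuerData.VerifyAndBuildCreds("")
```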
diff --git a/pkg/issuercerts/issuercerts.go b/pkg/issuercerts/issuercerts.go | |
index c2543f96..e177c6d2 100644 | |
--- a/pkg/issuercerts/issuercerts.go | |
+++ b/pkg/issuercerts/issuercerts.go | |
@@ -21,6 +21,7 @@ type IssuerCertData struct { | |
TrustAnchors string | |
IssuerCrt string | |
IssuerKey string | |
+ Expiry *time.Time | |
} | |
// FetchIssuerData fetches the issuer data from the linkerd-identitiy-issuer secrets (used for linkerd.io/tls schemed secrets) | |
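Review bot: The new exported field `Expiry *time.Time` has no doc comment, and nothing in this file tells a reader that the package's own constructors leave it nil and that only a caller fills it in. A comment such as `// Expiry is the NotAfter time of IssuerCrt when a caller has computed it; nil otherwise.` would make the nil case explicit, since a `*time.Time` dereference on a freshly fetched value will panic. The import block is outside this hunk, so I cannot confirm from here that `time` is imported in this file.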
@@ -41,7 +42,7 @@ func FetchIssuerData(api *k8s.KubernetesAPI, trustAnchors, controlPlaneNamespace | |
return nil, fmt.Errorf(keyMissingError, k8s.IdentityIssuerKeyName, "issuer key", consts.IdentityIssuerSecretName, true) | |
} | |
- return &IssuerCertData{trustAnchors, string(crt), string(key)}, nil | |
+ return &IssuerCertData{trustAnchors, string(crt), string(key), nil}, nil | |
} | |
// FetchExternalIssuerData fetches the issuer data from the linkerd-identitiy-issuer secrets (used for kubernetes.io/tls schemed secrets) | |
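Review bot: The `&IssuerCertData{trustAnchors, string(crt), string(key), nil}` literal uses positional fields, which is why adding Expiry forced a trailing `nil` into this return and the two identical returns in FetchExternalIssuerData and LoadIssuerDataFromFiles below. A keyed literal, `return &IssuerCertData{TrustAnchors: trustAnchors, IssuerCrt: string(crt), IssuerKey: string(key)}, nil`, leaves Expiry at its zero value without naming it and will not need editing when the struct grows again. The same applies to the other two hunks in this file.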
@@ -66,7 +67,7 @@ func FetchExternalIssuerData(api *k8s.KubernetesAPI, controlPlaneNamespace strin | |
return nil, fmt.Errorf(keyMissingError, corev1.TLSPrivateKeyKey, "issuer key", consts.IdentityIssuerSecretName, true) | |
} | |
- return &IssuerCertData{string(anchors), string(crt), string(key)}, nil | |
+ return &IssuerCertData{string(anchors), string(crt), string(key), nil}, nil | |
} | |
// LoadIssuerCrtAndKeyFromFiles loads the issuer certificate and key from files | |
@@ -97,7 +98,7 @@ func LoadIssuerDataFromFiles(keyPEMFile, crtPEMFile, trustPEMFile string) (*Issu | |
return nil, err | |
} | |
- return &IssuerCertData{string(anchors), crt, key}, nil | |
+ return &IssuerCertData{string(anchors), crt, key, nil}, nil | |
} | |
// CheckCertTimeValidity ensures the certificate is valid time - wise | |
``` |