Change length of TLS certs and CA.

Signed-off-by: Ryan Richard <richardry@vmware.com>
Margo Crawford 2021-02-26 12:05:17 -08:00 committed by Ryan Richard
parent 9bd206cedb
commit fa49beb623
2 changed files with 14 additions and 2 deletions


@ -448,7 +448,7 @@ func (c *impersonatorConfigController) ensureTLSSecretIsCreatedAndLoaded(ctx con
// TODO create/save/watch the CA separately so we can reuse it to mint tls certs as the settings are dynamically changed,
// so that clients don't need to be updated to use a different CA just because the server-side settings were changed.
impersonationCA, err := certauthority.New(pkix.Name{CommonName: "test CA"}, 24*time.Hour) // TODO change the expiration of this to 100 years
impersonationCA, err := certauthority.New(pkix.Name{CommonName: "Pinniped Impersonation Proxy CA"}, 100*365*24*time.Hour)
if err != nil {
return fmt.Errorf("could not create impersonation CA: %w", err)
}
@ -534,7 +534,7 @@ func (c *impersonatorConfigController) findTLSCertificateNameFromLoadBalancer()
}
func (c *impersonatorConfigController) createNewTLSSecret(ctx context.Context, ca *certauthority.CA, ips []net.IP, hostnames []string) (*v1.Secret, error) {
impersonationCert, err := ca.Issue(pkix.Name{}, hostnames, ips, 24*time.Hour) // TODO change the length of this too 100 years for now?
impersonationCert, err := ca.Issue(pkix.Name{}, hostnames, ips, 100*365*24*time.Hour)
if err != nil {
return nil, fmt.Errorf("could not create impersonation cert: %w", err)
}
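Review bot: Both hunks write the 100-year lifetime as the bare expression `100*365*24*time.Hour`, once for the CA in ensureTLSSecretIsCreatedAndLoaded and again for the serving certificate in createNewTLSSecret, with nothing recording why a serving cert that effectively never expires is acceptable here. I'd lift it into one package-level constant such as `const impersonationCertLifetime = 100 * 365 * 24 * time.Hour // effectively non-expiring; presumably replaced by recreating the secret rather than by expiry — confirm` and use it at both call sites so the two values cannot drift apart. The leaf is issued with the same duration as the CA but a moment later, so its NotAfter lands slightly after the issuer's; Go's verifier does not object to that, but stricter validators may, so capping the leaf at the CA's NotAfter or giving it a slightly shorter lifetime would be cleaner. The TODO in the first two context lines about managing the CA separately still applies and matters more now that the CA is long-lived. ensureTLSSecretIsCreatedAndLoaded begins outside the hunk.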


@ -8,6 +8,7 @@ import (
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"errors"
"fmt"
"io/ioutil"
@ -668,6 +669,17 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
r.NotNil(createdSecret.Data["ca.crt"])
r.NotNil(createdSecret.Data[corev1.TLSPrivateKeyKey])
r.NotNil(createdSecret.Data[corev1.TLSCertKey])
validCert := testutil.ValidateCertificate(t, string(createdSecret.Data["ca.crt"]), string(createdSecret.Data[corev1.TLSCertKey]))
validCert.RequireMatchesPrivateKey(string(createdSecret.Data[corev1.TLSPrivateKeyKey]))
validCert.RequireLifetime(time.Now().Add(-10*time.Second), time.Now().Add(100*time.Hour*24*365), 10*time.Second)
// Make sure the CA certificate looks roughly like what we expect.
block, _ := pem.Decode(createdSecret.Data["ca.crt"])
require.NotNil(t, block)
caCert, err := x509.ParseCertificate(block.Bytes)
require.NoError(t, err)
require.Equal(t, "Pinniped Impersonation Proxy CA", caCert.Subject.CommonName)
require.WithinDuration(t, time.Now().Add(-10*time.Second), caCert.NotBefore, 10*time.Second)
require.WithinDuration(t, time.Now().Add(100*time.Hour*24*365), caCert.NotAfter, 10*time.Second)
return createdSecret.Data["ca.crt"]
}
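Review bot: The new assertions on the parsed CA certificate check its subject and validity window but not that it is actually a CA; adding `require.True(t, caCert.IsCA)` and `require.True(t, caCert.BasicConstraintsValid)` next to the CommonName check would pin the property the serving certificate's chain depends on. The expected lifetime is spelled `100*time.Hour*24*365` here while the controller writes `100*365*24*time.Hour`; if the test shares the controller's package, a single named constant referenced from both would stop a future lifetime change from passing against a stale expectation. The closure this hunk closes is inside TestImpersonatorConfigControllerSync and begins outside the hunk.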