Change length of TLS certs and CA.
Signed-off-by: Ryan Richard <richardry@vmware.com>
This commit is contained in:
Margo Crawford
Ryan Richard
parent
9bd206cedb
commit
fa49beb623
@ -448,7 +448,7 @@ func (c *impersonatorConfigController) ensureTLSSecretIsCreatedAndLoaded(ctx con
|
|||||||
|
|
||||||
// TODO create/save/watch the CA separately so we can reuse it to mint tls certs as the settings are dynamically changed,
|
// TODO create/save/watch the CA separately so we can reuse it to mint tls certs as the settings are dynamically changed,
|
||||||
// so that clients don't need to be updated to use a different CA just because the server-side settings were changed.
|
// so that clients don't need to be updated to use a different CA just because the server-side settings were changed.
|
||||||
impersonationCA, err := certauthority.New(pkix.Name{CommonName: "test CA"}, 24*time.Hour) // TODO change the expiration of this to 100 years
|
impersonationCA, err := certauthority.New(pkix.Name{CommonName: "Pinniped Impersonation Proxy CA"}, 100*365*24*time.Hour)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("could not create impersonation CA: %w", err)
|
return fmt.Errorf("could not create impersonation CA: %w", err)
|
||||||
}
|
}
|
||||||
@ -534,7 +534,7 @@ func (c *impersonatorConfigController) findTLSCertificateNameFromLoadBalancer()
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (c *impersonatorConfigController) createNewTLSSecret(ctx context.Context, ca *certauthority.CA, ips []net.IP, hostnames []string) (*v1.Secret, error) {
|
func (c *impersonatorConfigController) createNewTLSSecret(ctx context.Context, ca *certauthority.CA, ips []net.IP, hostnames []string) (*v1.Secret, error) {
|
||||||
impersonationCert, err := ca.Issue(pkix.Name{}, hostnames, ips, 24*time.Hour) // TODO change the length of this too 100 years for now?
|
impersonationCert, err := ca.Issue(pkix.Name{}, hostnames, ips, 100*365*24*time.Hour)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("could not create impersonation cert: %w", err)
|
return nil, fmt.Errorf("could not create impersonation cert: %w", err)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -8,6 +8,7 @@ import (
|
|||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
|
"encoding/pem"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
@ -668,6 +669,17 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
|
|||||||
r.NotNil(createdSecret.Data["ca.crt"])
|
r.NotNil(createdSecret.Data["ca.crt"])
|
||||||
r.NotNil(createdSecret.Data[corev1.TLSPrivateKeyKey])
|
r.NotNil(createdSecret.Data[corev1.TLSPrivateKeyKey])
|
||||||
r.NotNil(createdSecret.Data[corev1.TLSCertKey])
|
r.NotNil(createdSecret.Data[corev1.TLSCertKey])
|
||||||
|
validCert := testutil.ValidateCertificate(t, string(createdSecret.Data["ca.crt"]), string(createdSecret.Data[corev1.TLSCertKey]))
|
||||||
|
validCert.RequireMatchesPrivateKey(string(createdSecret.Data[corev1.TLSPrivateKeyKey]))
|
||||||
|
validCert.RequireLifetime(time.Now().Add(-10*time.Second), time.Now().Add(100*time.Hour*24*365), 10*time.Second)
|
||||||
|
// Make sure the CA certificate looks roughly like what we expect.
|
||||||
|
block, _ := pem.Decode(createdSecret.Data["ca.crt"])
|
||||||
|
require.NotNil(t, block)
|
||||||
|
caCert, err := x509.ParseCertificate(block.Bytes)
|
||||||
|
require.NoError(t, err)
|
||||||
|
require.Equal(t, "Pinniped Impersonation Proxy CA", caCert.Subject.CommonName)
|
||||||
|
require.WithinDuration(t, time.Now().Add(-10*time.Second), caCert.NotBefore, 10*time.Second)
|
||||||
|
require.WithinDuration(t, time.Now().Add(100*time.Hour*24*365), caCert.NotAfter, 10*time.Second)
|
||||||
return createdSecret.Data["ca.crt"]
|
return createdSecret.Data["ca.crt"]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user