ensure certificate config is updated with the new issuer profile
This commit is contained in:
Родитель
32c197c15d
Коммит
798e99124e
|
@ -7,10 +7,7 @@ import (
|
|||
"context"
|
||||
"strings"
|
||||
|
||||
azkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault"
|
||||
|
||||
"github.com/Azure/ARO-RP/pkg/util/keyvault"
|
||||
utilpem "github.com/Azure/ARO-RP/pkg/util/pem"
|
||||
)
|
||||
|
||||
// if the cluster is using a managed domain and has a DigiCert-issued
|
||||
|
@ -18,33 +15,30 @@ import (
|
|||
// ensures that clusters upgrading to 4.16 aren't blocked due to the SHA-1
|
||||
// signing algorithm in use by DigiCert
|
||||
func (m *manager) replaceDigicert(ctx context.Context) error {
|
||||
apiCertName := m.doc.ID + "apiserver"
|
||||
|
||||
if strings.Contains(m.doc.OpenShiftCluster.Properties.ClusterProfile.Domain, ".") {
|
||||
bundle, err := m.env.ClusterKeyvault().GetSecret(ctx, apiCertName)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
oneCertIssuerName := "OneCertV2-PublicCA"
|
||||
|
||||
// don't need to look at the key, just the cert(s)
|
||||
_, certs, err := utilpem.Parse([]byte(*bundle.Value))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
for _, certName := range []string{m.doc.ID + "-apiserver", m.doc.ID + "-ingress"} {
|
||||
clusterKeyvault := m.env.ClusterKeyvault()
|
||||
|
||||
outer:
|
||||
for _, cert := range certs {
|
||||
for _, w := range cert.Issuer.Organization {
|
||||
if strings.Contains(w, "DigiCert") {
|
||||
// cluster uses a DigiCert certificate, change it over to OneCert
|
||||
_, err := m.env.ClusterKeyvault().SetCertificateIssuer(ctx, "OneCertV2-PublicCA", azkeyvault.CertificateIssuerSetParameters{})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
bundle, err := clusterKeyvault.GetCertificate(ctx, certName)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
m.env.ClusterKeyvault().CreateSignedCertificate(ctx, "OneCertV2-PublicCA", apiCertName, cert.Subject.CommonName, keyvault.EkuServerAuth)
|
||||
break outer
|
||||
if strings.Contains(*bundle.Policy.IssuerParameters.Name, "DigiCert") {
|
||||
policy, err := clusterKeyvault.GetCertificatePolicy(ctx, certName)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
policy.IssuerParameters.Name = &oneCertIssuerName
|
||||
err = clusterKeyvault.UpdateCertificatePolicy(ctx, certName, policy)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
m.env.ClusterKeyvault().CreateSignedCertificate(ctx, oneCertIssuerName, certName, certName, keyvault.EkuServerAuth)
|
||||
}
|
||||
}
|
||||
}
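Review bot: The return value of `m.env.ClusterKeyvault().CreateSignedCertificate(...)` on the last added line is discarded, so a failed reissue leaves the policy already pointed at OneCert while the DigiCert-issued certificate stays in place, and the `strings.Contains(*bundle.Policy.IssuerParameters.Name, "DigiCert")` guard will then skip the cluster on every later run; if the method returns an error it should be checked, `err = m.env.ClusterKeyvault().CreateSignedCertificate(ctx, oneCertIssuerName, certName, certName, keyvault.EkuServerAuth)` followed by `if err != nil { return err }`. The same call passes `certName` as both the certificate name and the common name, whereas the removed code derived the CN from the parsed certificate's subject; unless CreateSignedCertificate ignores that argument, the reissued certificate's CN would be the vault object name rather than the cluster's DNS name, so the value should come from the existing certificate or the managed-domain name. The guard itself dereferences `bundle.Policy`, `.IssuerParameters` and `.Name` without nil checks; in the SDK bundle types each of those is a pointer, so a certificate returned without a policy would panic the step rather than fail cleanly. If CreateSignedCertificate only starts the operation, `WaitForCertificateOperation` (present on the Manager interface elsewhere in this commit) is needed before the step is considered done. The body of replaceDigicert continues outside the hunk.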
|
||||
|
|
|
@ -17,10 +17,13 @@ type BaseClient interface {
|
|||
CreateCertificate(ctx context.Context, vaultBaseURL string, certificateName string, parameters azkeyvault.CertificateCreateParameters) (result azkeyvault.CertificateOperation, err error)
|
||||
DeleteCertificate(ctx context.Context, vaultBaseURL string, certificateName string) (result azkeyvault.DeletedCertificateBundle, err error)
|
||||
GetCertificateOperation(ctx context.Context, vaultBaseURL string, certificateName string) (result azkeyvault.CertificateOperation, err error)
|
||||
GetCertificatePolicy(ctx context.Context, vaultBaseURL string, certificateName string) (result azkeyvault.CertificatePolicy, err error)
|
||||
GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (result azkeyvault.SecretBundle, err error)
|
||||
GetCertificate(ctx context.Context, vaultBaseURL string, certificateName string, certificateVersion string) (result azkeyvault.CertificateBundle, err error)
|
||||
GetCertificates(ctx context.Context, vaultBaseURL string, maxresults *int32, includePending *bool) (result azkeyvault.CertificateListResultPage, err error)
|
||||
SetSecret(ctx context.Context, vaultBaseURL string, secretName string, parameters azkeyvault.SecretSetParameters) (result azkeyvault.SecretBundle, err error)
|
||||
SetCertificateIssuer(ctx context.Context, vaultBaseURL string, issuerName string, parameter azkeyvault.CertificateIssuerSetParameters) (result azkeyvault.IssuerBundle, err error)
|
||||
UpdateCertificatePolicy(ctx context.Context, vaultBaseURL string, certificateName string, certificatePolicy azkeyvault.CertificatePolicy) (result azkeyvault.CertificatePolicy, err error)
|
||||
BaseClientAddons
|
||||
}
|
||||
|
||||
|
|
|
@ -36,11 +36,14 @@ type Manager interface {
|
|||
EnsureCertificateDeleted(context.Context, string) error
|
||||
GetBase64Secret(context.Context, string, string) ([]byte, error)
|
||||
GetBase64Secrets(context.Context, string) ([][]byte, error)
|
||||
GetCertificate(context.Context, string) (azkeyvault.CertificateBundle, error)
|
||||
GetCertificatePolicy(ctx context.Context, certificateName string) (azkeyvault.CertificatePolicy, error)
|
||||
GetCertificateSecret(context.Context, string) (*rsa.PrivateKey, []*x509.Certificate, error)
|
||||
GetSecret(context.Context, string) (azkeyvault.SecretBundle, error)
|
||||
GetSecrets(context.Context) ([]azkeyvault.SecretItem, error)
|
||||
SetCertificateIssuer(ctx context.Context, issuerName string, parameter azkeyvault.CertificateIssuerSetParameters) (result azkeyvault.IssuerBundle, err error)
|
||||
SetSecret(context.Context, string, azkeyvault.SecretSetParameters) error
|
||||
UpdateCertificatePolicy(context.Context, string, azkeyvault.CertificatePolicy) error
|
||||
WaitForCertificateOperation(context.Context, string) error
|
||||
}
|
||||
|
||||
|
@ -174,6 +177,14 @@ func (m *manager) GetBase64Secrets(ctx context.Context, secretName string) (bs [
|
|||
return bs, nil
|
||||
}
|
||||
|
||||
func (m *manager) GetCertificate(ctx context.Context, certificateName string) (azkeyvault.CertificateBundle, error) {
|
||||
return m.kv.GetCertificate(ctx, m.keyvaultURI, certificateName, "")
|
||||
}
|
||||
|
||||
func (m *manager) GetCertificatePolicy(ctx context.Context, certificateName string) (azkeyvault.CertificatePolicy, error) {
|
||||
return m.kv.GetCertificatePolicy(ctx, m.keyvaultURI, certificateName)
|
||||
}
|
||||
|
||||
func (m *manager) GetCertificateSecret(ctx context.Context, secretName string) (*rsa.PrivateKey, []*x509.Certificate, error) {
|
||||
bundle, err := m.kv.GetSecret(ctx, m.keyvaultURI, secretName, "")
|
||||
if err != nil {
|
||||
|
@ -213,6 +224,11 @@ func (m *manager) SetSecret(ctx context.Context, secretName string, parameters a
|
|||
return err
|
||||
}
|
||||
|
||||
func (m *manager) UpdateCertificatePolicy(ctx context.Context, certificateName string, certificatePolicy azkeyvault.CertificatePolicy) error {
|
||||
_, err := m.kv.UpdateCertificatePolicy(ctx, m.keyvaultURI, certificateName, certificatePolicy)
|
||||
return err
|
||||
}
|
||||
|
||||
func (m *manager) WaitForCertificateOperation(ctx context.Context, certificateName string) error {
|
||||
ctx, cancel := context.WithTimeout(ctx, 15*time.Minute)
|
||||
defer cancel()
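Review bot: The two Manager methods added in the interface hunk at the top of this section use named parameters and named results, `GetCertificatePolicy(ctx context.Context, certificateName string)` and `SetCertificateIssuer(...) (result azkeyvault.IssuerBundle, err error)`, while every neighbouring method in the interface is declared with unnamed parameters such as `GetCertificate(context.Context, string)`; the added lines should follow the file's existing form, `GetCertificatePolicy(context.Context, string) (azkeyvault.CertificatePolicy, error)` and `SetCertificateIssuer(context.Context, string, azkeyvault.CertificateIssuerSetParameters) (azkeyvault.IssuerBundle, error)`. The implementing methods added later in this section (`GetCertificate`, `GetCertificatePolicy`, `UpdateCertificatePolicy`) are exported but carry no doc comment; a one-line comment on each, e.g. `// GetCertificatePolicy returns the policy of the named certificate in the cluster key vault.`, would match the Go convention. The implementation of SetCertificateIssuer is not visible in this chunk, so its shape cannot be reviewed here.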
|
||||
|
|
|
@ -70,6 +70,21 @@ func (mr *MockBaseClientMockRecorder) DeleteCertificate(arg0, arg1, arg2 any) *g
|
|||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteCertificate", reflect.TypeOf((*MockBaseClient)(nil).DeleteCertificate), arg0, arg1, arg2)
|
||||
}
|
||||
|
||||
// GetCertificate mocks base method.
|
||||
func (m *MockBaseClient) GetCertificate(arg0 context.Context, arg1, arg2, arg3 string) (keyvault.CertificateBundle, error) {
|
||||
m.ctrl.T.Helper()
|
||||
ret := m.ctrl.Call(m, "GetCertificate", arg0, arg1, arg2, arg3)
|
||||
ret0, _ := ret[0].(keyvault.CertificateBundle)
|
||||
ret1, _ := ret[1].(error)
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
// GetCertificate indicates an expected call of GetCertificate.
|
||||
func (mr *MockBaseClientMockRecorder) GetCertificate(arg0, arg1, arg2, arg3 any) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificate", reflect.TypeOf((*MockBaseClient)(nil).GetCertificate), arg0, arg1, arg2, arg3)
|
||||
}
|
||||
|
||||
// GetCertificateOperation mocks base method.
|
||||
func (m *MockBaseClient) GetCertificateOperation(arg0 context.Context, arg1, arg2 string) (keyvault.CertificateOperation, error) {
|
||||
m.ctrl.T.Helper()
|
||||
|
@ -85,6 +100,21 @@ func (mr *MockBaseClientMockRecorder) GetCertificateOperation(arg0, arg1, arg2 a
|
|||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificateOperation", reflect.TypeOf((*MockBaseClient)(nil).GetCertificateOperation), arg0, arg1, arg2)
|
||||
}
|
||||
|
||||
// GetCertificatePolicy mocks base method.
|
||||
func (m *MockBaseClient) GetCertificatePolicy(arg0 context.Context, arg1, arg2 string) (keyvault.CertificatePolicy, error) {
|
||||
m.ctrl.T.Helper()
|
||||
ret := m.ctrl.Call(m, "GetCertificatePolicy", arg0, arg1, arg2)
|
||||
ret0, _ := ret[0].(keyvault.CertificatePolicy)
|
||||
ret1, _ := ret[1].(error)
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
// GetCertificatePolicy indicates an expected call of GetCertificatePolicy.
|
||||
func (mr *MockBaseClientMockRecorder) GetCertificatePolicy(arg0, arg1, arg2 any) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificatePolicy", reflect.TypeOf((*MockBaseClient)(nil).GetCertificatePolicy), arg0, arg1, arg2)
|
||||
}
|
||||
|
||||
// GetCertificates mocks base method.
|
||||
func (m *MockBaseClient) GetCertificates(arg0 context.Context, arg1 string, arg2 *int32, arg3 *bool) (keyvault.CertificateListResultPage, error) {
|
||||
m.ctrl.T.Helper()
|
||||
|
@ -174,3 +204,18 @@ func (mr *MockBaseClientMockRecorder) SetSecret(arg0, arg1, arg2, arg3 any) *gom
|
|||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetSecret", reflect.TypeOf((*MockBaseClient)(nil).SetSecret), arg0, arg1, arg2, arg3)
|
||||
}
|
||||
|
||||
// UpdateCertificatePolicy mocks base method.
|
||||
func (m *MockBaseClient) UpdateCertificatePolicy(arg0 context.Context, arg1, arg2 string, arg3 keyvault.CertificatePolicy) (keyvault.CertificatePolicy, error) {
|
||||
m.ctrl.T.Helper()
|
||||
ret := m.ctrl.Call(m, "UpdateCertificatePolicy", arg0, arg1, arg2, arg3)
|
||||
ret0, _ := ret[0].(keyvault.CertificatePolicy)
|
||||
ret1, _ := ret[1].(error)
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
// UpdateCertificatePolicy indicates an expected call of UpdateCertificatePolicy.
|
||||
func (mr *MockBaseClientMockRecorder) UpdateCertificatePolicy(arg0, arg1, arg2, arg3 any) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateCertificatePolicy", reflect.TypeOf((*MockBaseClient)(nil).UpdateCertificatePolicy), arg0, arg1, arg2, arg3)
|
||||
}
|
||||
|
|
|
@ -102,6 +102,36 @@ func (mr *MockManagerMockRecorder) GetBase64Secrets(arg0, arg1 any) *gomock.Call
|
|||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetBase64Secrets", reflect.TypeOf((*MockManager)(nil).GetBase64Secrets), arg0, arg1)
|
||||
}
|
||||
|
||||
// GetCertificate mocks base method.
|
||||
func (m *MockManager) GetCertificate(arg0 context.Context, arg1 string) (keyvault0.CertificateBundle, error) {
|
||||
m.ctrl.T.Helper()
|
||||
ret := m.ctrl.Call(m, "GetCertificate", arg0, arg1)
|
||||
ret0, _ := ret[0].(keyvault0.CertificateBundle)
|
||||
ret1, _ := ret[1].(error)
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
// GetCertificate indicates an expected call of GetCertificate.
|
||||
func (mr *MockManagerMockRecorder) GetCertificate(arg0, arg1 any) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificate", reflect.TypeOf((*MockManager)(nil).GetCertificate), arg0, arg1)
|
||||
}
|
||||
|
||||
// GetCertificatePolicy mocks base method.
|
||||
func (m *MockManager) GetCertificatePolicy(arg0 context.Context, arg1 string) (keyvault0.CertificatePolicy, error) {
|
||||
m.ctrl.T.Helper()
|
||||
ret := m.ctrl.Call(m, "GetCertificatePolicy", arg0, arg1)
|
||||
ret0, _ := ret[0].(keyvault0.CertificatePolicy)
|
||||
ret1, _ := ret[1].(error)
|
||||
return ret0, ret1
|
||||
}
|
||||
|
||||
// GetCertificatePolicy indicates an expected call of GetCertificatePolicy.
|
||||
func (mr *MockManagerMockRecorder) GetCertificatePolicy(arg0, arg1 any) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificatePolicy", reflect.TypeOf((*MockManager)(nil).GetCertificatePolicy), arg0, arg1)
|
||||
}
|
||||
|
||||
// GetCertificateSecret mocks base method.
|
||||
func (m *MockManager) GetCertificateSecret(arg0 context.Context, arg1 string) (*rsa.PrivateKey, []*x509.Certificate, error) {
|
||||
m.ctrl.T.Helper()
|
||||
|
@ -177,6 +207,20 @@ func (mr *MockManagerMockRecorder) SetSecret(arg0, arg1, arg2 any) *gomock.Call
|
|||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetSecret", reflect.TypeOf((*MockManager)(nil).SetSecret), arg0, arg1, arg2)
|
||||
}
|
||||
|
||||
// UpdateCertificatePolicy mocks base method.
|
||||
func (m *MockManager) UpdateCertificatePolicy(arg0 context.Context, arg1 string, arg2 keyvault0.CertificatePolicy) error {
|
||||
m.ctrl.T.Helper()
|
||||
ret := m.ctrl.Call(m, "UpdateCertificatePolicy", arg0, arg1, arg2)
|
||||
ret0, _ := ret[0].(error)
|
||||
return ret0
|
||||
}
|
||||
|
||||
// UpdateCertificatePolicy indicates an expected call of UpdateCertificatePolicy.
|
||||
func (mr *MockManagerMockRecorder) UpdateCertificatePolicy(arg0, arg1, arg2 any) *gomock.Call {
|
||||
mr.mock.ctrl.T.Helper()
|
||||
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateCertificatePolicy", reflect.TypeOf((*MockManager)(nil).UpdateCertificatePolicy), arg0, arg1, arg2)
|
||||
}
|
||||
|
||||
// WaitForCertificateOperation mocks base method.
|
||||
func (m *MockManager) WaitForCertificateOperation(arg0 context.Context, arg1 string) error {
|
||||
m.ctrl.T.Helper()
|
||||
|
|