ensure certificate config is updated with the new issuer profile

Alex Chvatal 2024-09-27 13:49:48 -04:00
Родитель 32c197c15d
Коммит 798e99124e
5 изменённых файлов: 127 добавлений и 25 удалений


@ -7,10 +7,7 @@ import (
"context"
"strings"
azkeyvault "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault"
"github.com/Azure/ARO-RP/pkg/util/keyvault"
utilpem "github.com/Azure/ARO-RP/pkg/util/pem"
)
// if the cluster is using a managed domain and has a DigiCert-issued
@ -18,33 +15,30 @@ import (
// ensures that clusters upgrading to 4.16 aren't blocked due to the SHA-1
// signing algorithm in use by DigiCert
func (m *manager) replaceDigicert(ctx context.Context) error {
apiCertName := m.doc.ID + "apiserver"
if strings.Contains(m.doc.OpenShiftCluster.Properties.ClusterProfile.Domain, ".") {
bundle, err := m.env.ClusterKeyvault().GetSecret(ctx, apiCertName)
oneCertIssuerName := "OneCertV2-PublicCA"
for _, certName := range []string{m.doc.ID + "-apiserver", m.doc.ID + "-ingress"} {
clusterKeyvault := m.env.ClusterKeyvault()
bundle, err := clusterKeyvault.GetCertificate(ctx, certName)
if err != nil {
return err
}
// don't need to look at the key, just the cert(s)
_, certs, err := utilpem.Parse([]byte(*bundle.Value))
if strings.Contains(*bundle.Policy.IssuerParameters.Name, "DigiCert") {
policy, err := clusterKeyvault.GetCertificatePolicy(ctx, certName)
if err != nil {
return err
}
outer:
for _, cert := range certs {
for _, w := range cert.Issuer.Organization {
if strings.Contains(w, "DigiCert") {
// cluster uses a DigiCert certificate, change it over to OneCert
_, err := m.env.ClusterKeyvault().SetCertificateIssuer(ctx, "OneCertV2-PublicCA", azkeyvault.CertificateIssuerSetParameters{})
policy.IssuerParameters.Name = &oneCertIssuerName
err = clusterKeyvault.UpdateCertificatePolicy(ctx, certName, policy)
if err != nil {
return err
}
m.env.ClusterKeyvault().CreateSignedCertificate(ctx, "OneCertV2-PublicCA", apiCertName, cert.Subject.CommonName, keyvault.EkuServerAuth)
break outer
}
m.env.ClusterKeyvault().CreateSignedCertificate(ctx, oneCertIssuerName, certName, certName, keyvault.EkuServerAuth)
}
}
}
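Review bot: The `CreateSignedCertificate` call on the new side (`m.env.ClusterKeyvault().CreateSignedCertificate(ctx, oneCertIssuerName, certName, certName, keyvault.EkuServerAuth)`) discards its result, so a failed re-issue request goes unnoticed even though the preceding `UpdateCertificatePolicy` has already switched the policy's issuer to OneCert; assign and return its error, e.g. `if _, err = clusterKeyvault.CreateSignedCertificate(ctx, oneCertIssuerName, certName, certName, keyvault.EkuServerAuth); err != nil { return err }` (adjusted to whatever it actually returns), and consider following it with the `WaitForCertificateOperation` that the Manager interface already exposes so the step does not report success before the new certificate exists. Two lines earlier, `*bundle.Policy.IssuerParameters.Name` is dereferenced with no nil check; `Policy`, `IssuerParameters` and `Name` are all pointers in the SDK bundle type, so a certificate without a policy or issuer would panic the step rather than return an error, and a guard such as `if bundle.Policy == nil || bundle.Policy.IssuerParameters == nil || bundle.Policy.IssuerParameters.Name == nil { continue }` (or an explicit error) is needed. The fourth argument changed from `cert.Subject.CommonName` to `certName`; if that parameter is still the subject common name, the new certificate would be issued for the vault object name (`<id>-apiserver`) rather than the host name, so this is worth confirming against `CreateSignedCertificate`'s signature (the subject is also available from the fetched policy). `replaceDigicert` continues past the end of this hunk.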


@ -17,10 +17,13 @@ type BaseClient interface {
CreateCertificate(ctx context.Context, vaultBaseURL string, certificateName string, parameters azkeyvault.CertificateCreateParameters) (result azkeyvault.CertificateOperation, err error)
DeleteCertificate(ctx context.Context, vaultBaseURL string, certificateName string) (result azkeyvault.DeletedCertificateBundle, err error)
GetCertificateOperation(ctx context.Context, vaultBaseURL string, certificateName string) (result azkeyvault.CertificateOperation, err error)
GetCertificatePolicy(ctx context.Context, vaultBaseURL string, certificateName string) (result azkeyvault.CertificatePolicy, err error)
GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (result azkeyvault.SecretBundle, err error)
GetCertificate(ctx context.Context, vaultBaseURL string, certificateName string, certificateVersion string) (result azkeyvault.CertificateBundle, err error)
GetCertificates(ctx context.Context, vaultBaseURL string, maxresults *int32, includePending *bool) (result azkeyvault.CertificateListResultPage, err error)
SetSecret(ctx context.Context, vaultBaseURL string, secretName string, parameters azkeyvault.SecretSetParameters) (result azkeyvault.SecretBundle, err error)
SetCertificateIssuer(ctx context.Context, vaultBaseURL string, issuerName string, parameter azkeyvault.CertificateIssuerSetParameters) (result azkeyvault.IssuerBundle, err error)
UpdateCertificatePolicy(ctx context.Context, vaultBaseURL string, certificateName string, certificatePolicy azkeyvault.CertificatePolicy) (result azkeyvault.CertificatePolicy, err error)
BaseClientAddons
}


@ -36,11 +36,14 @@ type Manager interface {
EnsureCertificateDeleted(context.Context, string) error
GetBase64Secret(context.Context, string, string) ([]byte, error)
GetBase64Secrets(context.Context, string) ([][]byte, error)
GetCertificate(context.Context, string) (azkeyvault.CertificateBundle, error)
GetCertificatePolicy(ctx context.Context, certificateName string) (azkeyvault.CertificatePolicy, error)
GetCertificateSecret(context.Context, string) (*rsa.PrivateKey, []*x509.Certificate, error)
GetSecret(context.Context, string) (azkeyvault.SecretBundle, error)
GetSecrets(context.Context) ([]azkeyvault.SecretItem, error)
SetCertificateIssuer(ctx context.Context, issuerName string, parameter azkeyvault.CertificateIssuerSetParameters) (result azkeyvault.IssuerBundle, err error)
SetSecret(context.Context, string, azkeyvault.SecretSetParameters) error
UpdateCertificatePolicy(context.Context, string, azkeyvault.CertificatePolicy) error
WaitForCertificateOperation(context.Context, string) error
}
@ -174,6 +177,14 @@ func (m *manager) GetBase64Secrets(ctx context.Context, secretName string) (bs [
return bs, nil
}
func (m *manager) GetCertificate(ctx context.Context, certificateName string) (azkeyvault.CertificateBundle, error) {
return m.kv.GetCertificate(ctx, m.keyvaultURI, certificateName, "")
}
func (m *manager) GetCertificatePolicy(ctx context.Context, certificateName string) (azkeyvault.CertificatePolicy, error) {
return m.kv.GetCertificatePolicy(ctx, m.keyvaultURI, certificateName)
}
func (m *manager) GetCertificateSecret(ctx context.Context, secretName string) (*rsa.PrivateKey, []*x509.Certificate, error) {
bundle, err := m.kv.GetSecret(ctx, m.keyvaultURI, secretName, "")
if err != nil {
@ -213,6 +224,11 @@ func (m *manager) SetSecret(ctx context.Context, secretName string, parameters a
return err
}
func (m *manager) UpdateCertificatePolicy(ctx context.Context, certificateName string, certificatePolicy azkeyvault.CertificatePolicy) error {
_, err := m.kv.UpdateCertificatePolicy(ctx, m.keyvaultURI, certificateName, certificatePolicy)
return err
}
func (m *manager) WaitForCertificateOperation(ctx context.Context, certificateName string) error {
ctx, cancel := context.WithTimeout(ctx, 15*time.Minute)
defer cancel()
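Review bot: The new exported `GetCertificate`, `GetCertificatePolicy` and `UpdateCertificatePolicy` methods on `manager` carry no doc comments, and the first one's behaviour of always passing `""` as the version (so it fetches the current version of the certificate) is worth stating for callers. Suggested comments: `// GetCertificate returns the current version of the named certificate from the cluster key vault.`, `// GetCertificatePolicy returns the issuance policy attached to the named certificate.` and `// UpdateCertificatePolicy replaces the named certificate's policy; the policy Key Vault returns is discarded.` The `GetCertificatePolicy` entry in the Manager interface uses named parameters (`ctx context.Context, certificateName string`) while its neighbours are unnamed; either form compiles, but the surrounding interface consistently uses the unnamed style.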


@ -70,6 +70,21 @@ func (mr *MockBaseClientMockRecorder) DeleteCertificate(arg0, arg1, arg2 any) *g
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteCertificate", reflect.TypeOf((*MockBaseClient)(nil).DeleteCertificate), arg0, arg1, arg2)
}
// GetCertificate mocks base method.
func (m *MockBaseClient) GetCertificate(arg0 context.Context, arg1, arg2, arg3 string) (keyvault.CertificateBundle, error) {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "GetCertificate", arg0, arg1, arg2, arg3)
ret0, _ := ret[0].(keyvault.CertificateBundle)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// GetCertificate indicates an expected call of GetCertificate.
func (mr *MockBaseClientMockRecorder) GetCertificate(arg0, arg1, arg2, arg3 any) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificate", reflect.TypeOf((*MockBaseClient)(nil).GetCertificate), arg0, arg1, arg2, arg3)
}
// GetCertificateOperation mocks base method.
func (m *MockBaseClient) GetCertificateOperation(arg0 context.Context, arg1, arg2 string) (keyvault.CertificateOperation, error) {
m.ctrl.T.Helper()
@ -85,6 +100,21 @@ func (mr *MockBaseClientMockRecorder) GetCertificateOperation(arg0, arg1, arg2 a
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificateOperation", reflect.TypeOf((*MockBaseClient)(nil).GetCertificateOperation), arg0, arg1, arg2)
}
// GetCertificatePolicy mocks base method.
func (m *MockBaseClient) GetCertificatePolicy(arg0 context.Context, arg1, arg2 string) (keyvault.CertificatePolicy, error) {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "GetCertificatePolicy", arg0, arg1, arg2)
ret0, _ := ret[0].(keyvault.CertificatePolicy)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// GetCertificatePolicy indicates an expected call of GetCertificatePolicy.
func (mr *MockBaseClientMockRecorder) GetCertificatePolicy(arg0, arg1, arg2 any) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificatePolicy", reflect.TypeOf((*MockBaseClient)(nil).GetCertificatePolicy), arg0, arg1, arg2)
}
// GetCertificates mocks base method.
func (m *MockBaseClient) GetCertificates(arg0 context.Context, arg1 string, arg2 *int32, arg3 *bool) (keyvault.CertificateListResultPage, error) {
m.ctrl.T.Helper()
@ -174,3 +204,18 @@ func (mr *MockBaseClientMockRecorder) SetSecret(arg0, arg1, arg2, arg3 any) *gom
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetSecret", reflect.TypeOf((*MockBaseClient)(nil).SetSecret), arg0, arg1, arg2, arg3)
}
// UpdateCertificatePolicy mocks base method.
func (m *MockBaseClient) UpdateCertificatePolicy(arg0 context.Context, arg1, arg2 string, arg3 keyvault.CertificatePolicy) (keyvault.CertificatePolicy, error) {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "UpdateCertificatePolicy", arg0, arg1, arg2, arg3)
ret0, _ := ret[0].(keyvault.CertificatePolicy)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// UpdateCertificatePolicy indicates an expected call of UpdateCertificatePolicy.
func (mr *MockBaseClientMockRecorder) UpdateCertificatePolicy(arg0, arg1, arg2, arg3 any) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateCertificatePolicy", reflect.TypeOf((*MockBaseClient)(nil).UpdateCertificatePolicy), arg0, arg1, arg2, arg3)
}


@ -102,6 +102,36 @@ func (mr *MockManagerMockRecorder) GetBase64Secrets(arg0, arg1 any) *gomock.Call
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetBase64Secrets", reflect.TypeOf((*MockManager)(nil).GetBase64Secrets), arg0, arg1)
}
// GetCertificate mocks base method.
func (m *MockManager) GetCertificate(arg0 context.Context, arg1 string) (keyvault0.CertificateBundle, error) {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "GetCertificate", arg0, arg1)
ret0, _ := ret[0].(keyvault0.CertificateBundle)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// GetCertificate indicates an expected call of GetCertificate.
func (mr *MockManagerMockRecorder) GetCertificate(arg0, arg1 any) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificate", reflect.TypeOf((*MockManager)(nil).GetCertificate), arg0, arg1)
}
// GetCertificatePolicy mocks base method.
func (m *MockManager) GetCertificatePolicy(arg0 context.Context, arg1 string) (keyvault0.CertificatePolicy, error) {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "GetCertificatePolicy", arg0, arg1)
ret0, _ := ret[0].(keyvault0.CertificatePolicy)
ret1, _ := ret[1].(error)
return ret0, ret1
}
// GetCertificatePolicy indicates an expected call of GetCertificatePolicy.
func (mr *MockManagerMockRecorder) GetCertificatePolicy(arg0, arg1 any) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetCertificatePolicy", reflect.TypeOf((*MockManager)(nil).GetCertificatePolicy), arg0, arg1)
}
// GetCertificateSecret mocks base method.
func (m *MockManager) GetCertificateSecret(arg0 context.Context, arg1 string) (*rsa.PrivateKey, []*x509.Certificate, error) {
m.ctrl.T.Helper()
@ -177,6 +207,20 @@ func (mr *MockManagerMockRecorder) SetSecret(arg0, arg1, arg2 any) *gomock.Call
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetSecret", reflect.TypeOf((*MockManager)(nil).SetSecret), arg0, arg1, arg2)
}
// UpdateCertificatePolicy mocks base method.
func (m *MockManager) UpdateCertificatePolicy(arg0 context.Context, arg1 string, arg2 keyvault0.CertificatePolicy) error {
m.ctrl.T.Helper()
ret := m.ctrl.Call(m, "UpdateCertificatePolicy", arg0, arg1, arg2)
ret0, _ := ret[0].(error)
return ret0
}
// UpdateCertificatePolicy indicates an expected call of UpdateCertificatePolicy.
func (mr *MockManagerMockRecorder) UpdateCertificatePolicy(arg0, arg1, arg2 any) *gomock.Call {
mr.mock.ctrl.T.Helper()
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateCertificatePolicy", reflect.TypeOf((*MockManager)(nil).UpdateCertificatePolicy), arg0, arg1, arg2)
}
// WaitForCertificateOperation mocks base method.
func (m *MockManager) WaitForCertificateOperation(arg0 context.Context, arg1 string) error {
m.ctrl.T.Helper()