package cluster
// Copyright (c) Microsoft Corporation.
// Licensed under the Apache License 2.0.
import (
	"context"
	"fmt"
	"net/url"
	"strings"

	"github.com/Azure/ARO-RP/pkg/env"
	"github.com/Azure/ARO-RP/pkg/util/dns"
	"github.com/Azure/ARO-RP/pkg/util/keyvault"
)
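// correctCertificateIssuer re-issues the API server and ingress certificates
// of a cluster on a managed domain through OneCert when their Key Vault policy
// currently names a different issuer (historically DigiCert). DigiCert's SHA-1
// signing algorithm would otherwise block the upgrade to OpenShift 4.16.
//
// It is a no-op when signed certificates are disabled for the environment or
// when the cluster's domain is not a managed one. The hostnames are taken from
// the cluster document's API server and console URLs; a URL that does not
// parse, or whose host is not in the expected shape, is reported as an error
// instead of being turned into a mangled certificate subject.
func (m *manager) correctCertificateIssuer(ctx context.Context) error {
	if m.env.FeatureIsSet(env.FeatureDisableSignedCertificates) {
		return nil
	}

	domain, err := dns.ManagedDomain(m.env, m.doc.OpenShiftCluster.Properties.ClusterProfile.Domain)
	if err != nil {
		return err
	}
	if domain == "" {
		// not a managed domain: nothing for us to re-issue
		return nil
	}

	apiHostname, err := certHostnameFromURL(m.doc.OpenShiftCluster.Properties.APIServerProfile.URL)
	if err != nil {
		return fmt.Errorf("api server url: %w", err)
	}
	if err := m.ensureCertificateIssuer(ctx, m.APICertName(), apiHostname, OneCertPublicIssuerName); err != nil {
		return err
	}

	ingressHostname, err := ingressWildcardHostname(m.doc.OpenShiftCluster.Properties.ConsoleProfile.URL)
	if err != nil {
		return fmt.Errorf("console url: %w", err)
	}
	return m.ensureCertificateIssuer(ctx, m.IngressCertName(), ingressHostname, OneCertPublicIssuerName)
}

// certHostnameFromURL returns the host part of rawURL without port or path,
// i.e. the name a certificate for that endpoint has to carry. Parsing the URL
// properly (rather than trimming "https://" and splitting on ":") means an
// unexpected input surfaces as an error instead of a bogus subject name.
func certHostnameFromURL(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	host := u.Hostname()
	if host == "" {
		return "", fmt.Errorf("%q has no host", rawURL)
	}
	return host, nil
}

// ingressWildcardHostname derives the wildcard name for the ingress
// certificate ("*.apps.<domain>") from the console route URL
// ("https://console-openshift-console.apps.<domain>/"). A console host that
// does not start with the expected route label is rejected rather than
// guessed at.
func ingressWildcardHostname(consoleURL string) (string, error) {
	// leading label of the console route; what follows it is the ingress
	// domain the wildcard has to cover
	const consolePrefix = "console-openshift-console."

	host, err := certHostnameFromURL(consoleURL)
	if err != nil {
		return "", err
	}
	if !strings.HasPrefix(host, consolePrefix) {
		return "", fmt.Errorf("%q is not a console host", host)
	}
	return "*." + strings.TrimPrefix(host, consolePrefix), nil
}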
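// ensureCertificateIssuer checks that the Key Vault certificate
// certificateName is issued by issuerName and, if its policy names some other
// issuer, points the policy at issuerName and requests a fresh certificate for
// dnsName with the serverAuth EKU.
//
// dnsName must look like a DNS name: at least two dots and none of the
// characters that only occur in URLs. The check keeps a mangled URL from ever
// becoming a certificate subject.
//
// The issuer comparison is made on the policy attached to the certificate
// bundle, not on the issuer of the stored certificate itself.
// NOTE(review): if UpdateCertificatePolicy succeeds but CreateSignedCertificate
// then fails, a later run will see the policy already naming issuerName and
// skip the re-issue — confirm that this is acceptable or that the caller
// retries the whole step.
func (m *manager) ensureCertificateIssuer(ctx context.Context, certificateName, dnsName, issuerName string) error {
	if strings.Count(dnsName, ".") < 2 || strings.ContainsAny(dnsName, "/:@?# ") {
		return fmt.Errorf("%s is not a valid DNS name", dnsName)
	}

	clusterKeyvault := m.env.ClusterKeyvault()

	bundle, err := clusterKeyvault.GetCertificate(ctx, certificateName)
	if err != nil {
		return fmt.Errorf("getting certificate %s: %w", certificateName, err)
	}

	// the policy and its nested issuer fields are pointers; check each level
	// before dereferencing
	switch {
	case bundle.Policy == nil:
		return fmt.Errorf("bundle for %s contains nil pointer policy", certificateName)
	case bundle.Policy.IssuerParameters == nil:
		return fmt.Errorf("bundle for %s contains nil pointer policy issuer parameters", certificateName)
	case bundle.Policy.IssuerParameters.Name == nil:
		return fmt.Errorf("bundle for %s contains nil pointer policy issuer parameters name", certificateName)
	}

	if *bundle.Policy.IssuerParameters.Name == issuerName {
		// already issued by the wanted issuer; nothing to do
		return nil
	}

	policy, err := clusterKeyvault.GetCertificatePolicy(ctx, certificateName)
	if err != nil {
		return fmt.Errorf("getting certificate policy %s: %w", certificateName, err)
	}
	// this policy is fetched separately from the bundle, so the nil checks
	// above do not cover it
	if policy.IssuerParameters == nil {
		return fmt.Errorf("policy for %s contains nil pointer issuer parameters", certificateName)
	}

	policy.IssuerParameters.Name = &issuerName
	if err := clusterKeyvault.UpdateCertificatePolicy(ctx, certificateName, policy); err != nil {
		return fmt.Errorf("updating certificate policy %s: %w", certificateName, err)
	}

	if err := clusterKeyvault.CreateSignedCertificate(ctx, issuerName, certificateName, dnsName, keyvault.EkuServerAuth); err != nil {
		return fmt.Errorf("creating signed certificate %s: %w", certificateName, err)
	}
	return nil
}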