Merge pull request #1656 from rksharma95/fix-certloader-bug
fix(cert): read ca crt file only with externalcertloader
daemon1024 authored Mar 4, 2024
2 parents b86dbcc + 14d4d50 commit 0cb094a
Showing 2 changed files with 9 additions and 3 deletions.
6 changes: 5 additions & 1 deletion KubeArmor/cert/cert.go
Expand Up @@ -46,14 +46,16 @@ var DefaultKubeArmorClientConfig = CertConfig{
var DefaultKubeArmorCAConfig = CertConfig{
CN: KubeArmor_CN,
Organization: KubeArmor_ORG,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
IsCa: true,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
}

type CertConfig struct {
CN string // Common Name
Organization string
DNS []string
IPs []string
IsCa bool
KeyUsage x509.KeyUsage
ExtKeyUsage []x509.ExtKeyUsage
NotAfter time.Time
Expand Down Expand Up @@ -200,8 +202,10 @@ func GenerateCert(cfg *CertConfig) (*CertKeyPair, error) {
NotAfter: cfg.NotAfter,
KeyUsage: cfg.KeyUsage,
ExtKeyUsage: cfg.ExtKeyUsage,
IsCA: cfg.IsCa,
BasicConstraintsValid: true,
}
template.DNSNames = append(template.DNSNames, cfg.DNS...)

for _, ip := range cfg.IPs {
template.IPAddresses = append(template.IPAddresses, net.ParseIP(ip))
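Review bot: The new `IsCA: cfg.IsCa` / `BasicConstraintsValid: true` pair leaves `MaxPathLen` at its zero value with `MaxPathLenZero` unset, which in crypto/x509 means no path-length constraint, so a certificate generated from DefaultKubeArmorCAConfig can itself sign further intermediate CAs. If the CA is only meant to issue the leaf server/client certificates (which is what the config names suggest, though the callers are not in this diff), add `MaxPathLenZero: cfg.IsCa,` next to `IsCA` in the template so the issued CA is constrained to leaves. As a point of style, the new `IsCa` field sits on the same line as x509's `IsCA` and Go initialism convention would spell it `IsCA`; since CertConfig is exported this is easier to fix now than after callers appear. GenerateCert starts before this hunk and continues past it.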
6 changes: 4 additions & 2 deletions KubeArmor/cert/certloader.go
Expand Up @@ -7,6 +7,7 @@ package cert
import (
"crypto/tls"
"crypto/x509"
"encoding/pem"

"k8s.io/client-go/kubernetes"
)
Expand Down Expand Up @@ -58,12 +59,13 @@ func (loader *ExternalCertLoader) GetCertificateAndCaPool() (*tls.Certificate, *
if err != nil {
return nil, nil, err
}
caCert, err := GetCertKeyPairFromCertBytes(caCertBytes)
caCertPem, _ := pem.Decode(caCertBytes.Crt)
caCert, err := x509.ParseCertificate(caCertPem.Bytes)
if err != nil {
return nil, nil, err
}
caCertPool := x509.NewCertPool()
caCertPool.AddCert(caCert.Crt)
caCertPool.AddCert(caCert)
// load server/client certificate from cert path
certBytes, err := ReadCertFromFile(&loader.CertPath)
if err != nil {
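Review bot: `pem.Decode` returns a nil block when the CA file holds no PEM data (or is empty or truncated), and the next line dereferences `caCertPem.Bytes` unconditionally, so a bad CA file now panics inside GetCertificateAndCaPool instead of surfacing as the returned error the callers already handle. The block type is also not checked, so a key or other PEM block would be passed to ParseCertificate. Guard before the parse with `if caCertPem == nil || caCertPem.Type != "CERTIFICATE" { return nil, nil, errors.New("ca cert file: no CERTIFICATE PEM block found") }`, adding `"errors"` to the import block in the hunk above. The trailing data discarded with `_` is fine for a single-certificate file but deserves a short comment saying so. GetCertificateAndCaPool starts before this hunk and continues past it.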
