Commits on Aug 1, 2017

  1. Copy the full SHA
    9559890 View commit details
  2. Copy the full SHA
    8434eb0 View commit details

Commits on Apr 22, 2018

  1. use vgo

    kelseyhightower committed Apr 22, 2018
    Copy the full SHA
    8501acf View commit details

Commits on Jun 10, 2018

  1. update

    kelseyhightower committed Jun 10, 2018
    Copy the full SHA
    17a50f1 View commit details

Commits on Jan 19, 2021

  1. Copy the full SHA
    b1bc7fc View commit details

Commits on Jun 23, 2022

  1. merged upstream

    groundnuty committed Jun 23, 2022
    Copy the full SHA
    a88111d View commit details
  2. merged upstream

    groundnuty committed Jun 23, 2022
    Copy the full SHA
    28123b2 View commit details
  3. Copy the full SHA
    63462c8 View commit details
  4. Added badges to README

    groundnuty committed Jun 23, 2022
    Copy the full SHA
    b250cb7 View commit details
  5. Copy the full SHA
    1959cc3 View commit details
  6. Copy the full SHA
    d526823 View commit details
  7. Copy the full SHA
    188f382 View commit details
  8. merged upstream

    groundnuty committed Jun 23, 2022
    Copy the full SHA
    d2e0a7c View commit details
  9. Copy the full SHA
    0b7ce8f View commit details
  10. Copy the full SHA
    73fb34e View commit details
  11. corrected api changes

    groundnuty committed Jun 23, 2022
    Copy the full SHA
    113c9db View commit details

Commits on Jun 25, 2022

  1. Copy the full SHA
    54a4601 View commit details
  2. added GOARCH=amd64

    groundnuty committed Jun 25, 2022
    Copy the full SHA
    cc8fb55 View commit details
  3. new vendor dir

    groundnuty committed Jun 25, 2022
    Copy the full SHA
    25305a1 View commit details
  4. merged changes

    groundnuty committed Jun 25, 2022
    Copy the full SHA
    bfe0fbf View commit details

Commits on Jun 26, 2022

  1. added signer-name flag

    groundnuty committed Jun 26, 2022
    Copy the full SHA
    1d93465 View commit details

Commits on Jun 28, 2022

  1. Copy the full SHA
    a17ad4f View commit details
Showing 1,850 changed files with 148,474 additions and 901,816 deletions.
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
@@ -5,7 +5,7 @@ REPO_NAME = $(shell git config --get remote.origin.url | sed 's/\(.*\).git/\1/'
all: build push

build:
CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo
CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -a -installsuffix cgo

container: image

4 changes: 2 additions & 2 deletions cloudbuild.yaml
Original file line number Diff line number Diff line change
@@ -3,6 +3,6 @@ steps:
env: ["PROJECT_ROOT=certificate-init-container"]
args: ["install", "."]
- name: "gcr.io/cloud-builders/docker"
args: ["build", "-t", "gcr.io/${PROJECT_ID}/certificate-init-container:0.0.1", "."]
args: ["build", "-t", "gcr.io/${PROJECT_ID}/certificate-init-container:0.0.2", "."]

images: ["gcr.io/${PROJECT_ID}/certificate-init-container:0.0.1"]
images: ["gcr.io/${PROJECT_ID}/certificate-init-container:0.0.2"]
24 changes: 5 additions & 19 deletions deployments/tls-app.yaml
Original file line number Diff line number Diff line change
@@ -1,36 +1,22 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: certificate-init
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: certificate-init
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
subjects:
- kind: ServiceAccount
name: certificate-init
---
apiVersion: apps/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: tls-app
labels:
app: tls-app
spec:
selector:
matchLabels:
app: tls-app
replicas: 1
template:
metadata:
labels:
app: tls-app
spec:
serviceAccountName: certificate-init
initContainers:
- name: certificate-init-container
image: gcr.io/hightowerlabs/certificate-init-container:0.0.1
image: gcr.io/hightowerlabs/certificate-init-container:0.0.2
imagePullPolicy: Always
env:
- name: NAMESPACE
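Review bot: The Deployment still sets `serviceAccountName: certificate-init`, but the `ServiceAccount` and `ClusterRoleBinding` objects at the top of this file appear to be among the 19 removed lines (the hunk shrinks from 36 to 22 lines and the 5 additions are accounted for by the `selector` block and the two version bumps), so unless that RBAC now lives in another manifest the init container's CSR create/get/delete and Secret get/update calls in main.go will be denied. The removed binding also had no `roleRef.name`, which was broken on its own; the least-privilege replacement is a ClusterRole granting only `create`, `get` and `delete` on `certificatesigningrequests` plus `get`/`update` on the target Secret, bound to this ServiceAccount, rather than dropping the binding. If the objects were in fact kept and only the API version is at issue, `rbac.authorization.k8s.io/v1beta1` is removed from Kubernetes 1.22 alongside `apps/v1beta1`, which this change already migrates, so it should become `rbac.authorization.k8s.io/v1`.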
11 changes: 11 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
module github.com/kelseyhightower/certificate-init-container

go 1.18

require (
github.com/onedata/k8s v1.2.6
github.com/golang/protobuf v1.5.2 // indirect
golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
golang.org/x/text v0.3.7 // indirect
google.golang.org/protobuf v1.26.0 // indirect
)
87 changes: 0 additions & 87 deletions lock.json

This file was deleted.

80 changes: 54 additions & 26 deletions main.go
Original file line number Diff line number Diff line change
@@ -28,10 +28,11 @@ import (
"strings"
"time"

certificates "github.com/ericchiang/k8s/apis/certificates/v1beta1"
certificates "github.com/onedata/k8s/apis/certificates/v1"
corev1 "github.com/onedata/k8s/apis/core/v1"

"github.com/ericchiang/k8s"
"github.com/ericchiang/k8s/apis/meta/v1"
"github.com/onedata/k8s"
v1 "github.com/onedata/k8s/apis/meta/v1"
)

var (
@@ -47,6 +48,9 @@ var (
subdomain string
labels string
secretName string
signerName string
signerSecret string
signerNamespace string
createSecret bool
)

@@ -63,8 +67,11 @@ func main() {
flag.StringVar(&subdomain, "subdomain", "", "subdomain as defined by pod.spec.subdomain")
flag.StringVar(&labels, "labels", "", "labels to include in CertificateSigningRequest object; comma seprated list of key=value")
flag.StringVar(&secretName, "secret-name", "", "secret name to store generated files")
flag.StringVar(&signerName, "signer-name", "", "signer name in CertificateSigningRequest object")
flag.StringVar(&signerSecret, "signer-secret", "", "secret with certificate of a signer")
flag.StringVar(&signerNamespace, "signer-namespace", "default", "namespace where to find secret with certificate of a signer")
flag.BoolVar(&createSecret, "create-secret", false, "create a new secret instead of waiting for one to update")
flag.Parse()
flag.Parse()

certificateSigningRequestName := fmt.Sprintf("%s-%s", podName, namespace)

@@ -76,7 +83,7 @@ func main() {
// Generate a private key, pem encode it, and save it to the filesystem.
// The private key will be used to create a certificate signing request (csr)
// that will be submitted to a Kubernetes CA to obtain a TLS certificate.
key, err := rsa.GenerateKey(rand.Reader, 1024)
key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
log.Fatalf("unable to genarate the private key: %s", err)
}
@@ -93,7 +100,7 @@ func main() {

log.Printf("wrote %s", keyFile)

// Gather the list of labels that will be added to the CreateCertificateSigningRequest object
// Gather the list of labels that will be added to the CreateCertificateSigningRequest object
labelsMap := make(map[string]string)

for _, n := range strings.Split(labels, ",") {
@@ -108,7 +115,6 @@ func main() {
labelsMap[label] = key
}


// Gather the list of IP addresses for the certificate's IP SANs field which
// include:
// - the pod IP address
@@ -179,26 +185,30 @@ func main() {
if err := ioutil.WriteFile(csrFile, certificateRequestBytes, 0644); err != nil {
log.Fatal("unable to %s, error: %s", csrFile, err)
}

log.Printf("wrote %s", csrFile)

// Submit a certificate signing request, wait for it to be approved, then save
// the signed certificate to the file system.
certificateSigningRequest := &certificates.CertificateSigningRequest{
Metadata: &v1.ObjectMeta{
Name: k8s.String(certificateSigningRequestName),
Name: k8s.String(certificateSigningRequestName),
Labels: labelsMap,
},
Spec: &certificates.CertificateSigningRequestSpec{
Groups: []string{"system:authenticated"},
Request: certificateRequestBytes,
KeyUsage: []string{"digital signature", "key encipherment", "server auth", "client auth"},
Groups: []string{"system:authenticated"},
Request: certificateRequestBytes,
SignerName: k8s.String(signerName),
Usages: []string{"digital signature", "key encipherment", "server auth", "client auth"},
},
}

_, err = client.CertificatesV1Beta1().GetCertificateSigningRequest(context.Background(), certificateSigningRequestName)
log.Printf("Deleting certificate signing request %s", certificateSigningRequestName)
client.Delete(context.Background(), certificateSigningRequest)
log.Printf("Removed approved request %s", certificateSigningRequestName)
err = client.Create(context.Background(), certificateSigningRequest)
if err != nil {
_, err = client.CertificatesV1Beta1().CreateCertificateSigningRequest(context.Background(), certificateSigningRequest)
err := client.Create(context.Background(), certificateSigningRequest)
if err != nil {
log.Fatalf("unable to create the certificate signing request: %s", err)
}
@@ -209,7 +219,8 @@ func main() {

var certificate []byte
for {
csr, err := client.CertificatesV1Beta1().GetCertificateSigningRequest(context.Background(), certificateSigningRequestName)
var csr certificates.CertificateSigningRequest
err := client.Get(context.Background(), "", certificateSigningRequestName, &csr)
if err != nil {
log.Printf("unable to retrieve certificate signing request (%s): %s", certificateSigningRequestName, err)
time.Sleep(5 * time.Second)
@@ -223,7 +234,7 @@ func main() {
log.Printf("got crt %s", certificate)
break
} else {
log.Printf("cert length still less than 1, wait to populate. Cert: %s", csr.GetStatus());
log.Printf("cert length still less than 1, wait to populate. Cert: %s", csr.GetStatus())
}

}
@@ -238,16 +249,17 @@ func main() {
if err := ioutil.WriteFile(certFile, certificate, 0644); err != nil {
log.Fatalf("unable to write to %s: %s", certFile, err)
}

log.Printf("wrote %s", certFile)

log.Printf("Deleting certificate signing request %s", certificateSigningRequestName)
client.CertificatesV1Beta1().DeleteCertificateSigningRequest(context.Background(), certificateSigningRequestName)
client.Delete(context.Background(), certificateSigningRequest)
log.Printf("Removed approved request %s", certificateSigningRequestName)

if secretName != "" {
for {
ks, err := client.CoreV1().GetSecret(context.Background(), secretName, namespace)
var ks corev1.Secret
err := client.Get(context.Background(), namespace, secretName, &ks)
if err != nil {
if createSecret {
log.Fatalf("TODO: cannot create secrets")
@@ -257,19 +269,35 @@ func main() {
continue
}
}

k8sCrt, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")

var k8sCrt[] byte ;
if signerSecret != "" {
for {
var ss corev1.Secret
err := client.Get(context.Background(), signerNamespace, signerSecret, &ss)
if err != nil {
log.Printf("Secret with signer certificate (%s) not found; trying again in 5 seconds", signerSecret)
time.Sleep(5 * time.Second)
continue
}
k8sCrt = ss.GetData()["tls.crt"]
log.Printf("CA of signer from secret %s/%s :\n%s", signerNamespace, signerSecret, ss.GetData()["tls.crt"])
break
}
}
if k8sCrt == nil {
k8sCrt, err = ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
}
stringData := make(map[string]string)
stringData["tls.key"] = string(pemKeyBytes)
stringData["tls.crt"] = string(certificate)
stringData["k8s.crt"] = string(k8sCrt) // ok

stringData["k8s.crt"] = string(k8sCrt) // ok
stringData["tlsAndK8s.crt"] = string(certificate) + "\n" + string(k8sCrt) // ok

ks.StringData = stringData
_, err = client.CoreV1().UpdateSecret(context.TODO(), ks)
err = client.Update(context.TODO(), &ks)
log.Printf("Stored credentials in secret: (%s)", secretName)

break
break
}
}
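Review bot: The secret write `err = client.Update(context.TODO(), &ks)` never checks `err`, yet the next line logs "Stored credentials in secret" and the loop breaks, so an RBAC denial or update conflict leaves the pod without its key and certificate while the log claims success; the same applies to `k8sCrt, err = ioutil.ReadFile(...)` two lines above, where a read failure silently stores an empty `k8s.crt` and `tlsAndK8s.crt`. The loop already retries `client.Get` on failure, so the update should follow that pattern, and the CA read should be fatal like the key generation is. The earlier hunk that replaces the CSR create call has the same shape: `client.Delete(...)` is unchecked and the `if err != nil` branch re-runs `client.Create` into a shadowed `err :=`, so the `log.Fatalf` below only ever sees the second attempt. `var k8sCrt[] byte ;` is not gofmt-clean and should read `var k8sCrt []byte`. The enclosing `for` over the secret and `main` itself begin outside this hunk.
```go
	if k8sCrt == nil {
		k8sCrt, err = ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
		if err != nil {
			log.Fatalf("unable to read the cluster CA certificate: %s", err)
		}
	}
	// … unchanged: stringData assembly …
	ks.StringData = stringData
	if err := client.Update(context.TODO(), &ks); err != nil {
		log.Printf("unable to update secret %s/%s: %s; trying again in 5 seconds", namespace, secretName, err)
		time.Sleep(5 * time.Second)
		continue
	}
	log.Printf("Stored credentials in secret: (%s)", secretName)
	break
```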

1 change: 0 additions & 1 deletion manifest.json

This file was deleted.

1 change: 0 additions & 1 deletion vendor/github.com/ericchiang/k8s/.gitignore

This file was deleted.

20 changes: 0 additions & 20 deletions vendor/github.com/ericchiang/k8s/.travis.yml

This file was deleted.

7 changes: 0 additions & 7 deletions vendor/github.com/ericchiang/k8s/Makefile

This file was deleted.
