2016-11-10 22:56:29 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2015 The Kubernetes Authors.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
2018-01-18 19:14:42 +00:00
|
|
|
package store
|
2016-11-10 22:56:29 +00:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"strings"
|
|
|
|
|
|
2016-11-16 18:24:26 +00:00
|
|
|
"github.com/golang/glog"
|
2017-11-13 01:43:28 +00:00
|
|
|
"github.com/imdario/mergo"
|
2016-11-16 18:24:26 +00:00
|
|
|
|
2017-09-17 18:42:31 +00:00
|
|
|
apiv1 "k8s.io/api/core/v1"
|
2017-09-30 23:42:42 +00:00
|
|
|
extensions "k8s.io/api/extensions/v1beta1"
|
2018-01-19 18:44:31 +00:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2018-01-18 19:14:42 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/file"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress"
|
2018-01-18 19:14:42 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/k8s"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/net/ssl"
|
2016-11-10 22:56:29 +00:00
|
|
|
)
|
|
|
|
|
|
2016-11-11 23:43:35 +00:00
|
|
|
// syncSecret keeps in sync Secrets used by Ingress rules with the files on
|
2017-04-09 16:52:10 +00:00
|
|
|
// disk to allow copy of the content of the secret to disk to be used
|
|
|
|
|
// by external processes.
|
2018-01-18 19:14:42 +00:00
|
|
|
func (s k8sStore) syncSecret(key string) {
|
|
|
|
|
s.mu.Lock()
|
|
|
|
|
defer s.mu.Unlock()
|
|
|
|
|
|
2017-07-18 18:21:38 +00:00
|
|
|
glog.V(3).Infof("starting syncing of secret %v", key)
|
2017-04-09 16:52:10 +00:00
|
|
|
|
2018-01-18 19:14:42 +00:00
|
|
|
// TODO: getPemCertificate should not write to disk to avoid unnecessary overhead
|
|
|
|
|
cert, err := s.getPemCertificate(key)
|
2017-07-18 18:21:38 +00:00
|
|
|
if err != nil {
|
2018-05-15 12:10:29 +00:00
|
|
|
if !isErrSecretForAuth(err) {
|
|
|
|
|
glog.Warningf("error obtaining PEM from secret %v: %v", key, err)
|
|
|
|
|
}
|
2017-07-18 18:21:38 +00:00
|
|
|
return
|
|
|
|
|
}
|
2016-11-10 22:56:29 +00:00
|
|
|
|
2017-07-18 18:21:38 +00:00
|
|
|
// create certificates and add or update the item in the store
|
2018-04-12 22:26:10 +00:00
|
|
|
cur, err := s.GetLocalSSLCert(key)
|
2018-01-18 19:14:42 +00:00
|
|
|
if err == nil {
|
|
|
|
|
if cur.Equal(cert) {
|
2017-07-18 18:21:38 +00:00
|
|
|
// no need to update
|
|
|
|
|
return
|
2017-03-10 15:34:13 +00:00
|
|
|
}
|
2017-07-18 18:21:38 +00:00
|
|
|
glog.Infof("updating secret %v in the local store", key)
|
2018-01-18 19:14:42 +00:00
|
|
|
s.sslStore.Update(key, cert)
|
2017-09-13 14:14:24 +00:00
|
|
|
// this update must trigger an update
|
|
|
|
|
// (like an update event from a change in Ingress)
|
2018-01-18 19:14:42 +00:00
|
|
|
s.sendDummyEvent()
|
2017-07-18 18:21:38 +00:00
|
|
|
return
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
2017-07-18 18:21:38 +00:00
|
|
|
|
|
|
|
|
glog.Infof("adding secret %v to the local store", key)
|
2018-01-18 19:14:42 +00:00
|
|
|
s.sslStore.Add(key, cert)
|
2017-10-01 00:48:14 +00:00
|
|
|
// this update must trigger an update
|
2017-09-30 23:42:42 +00:00
|
|
|
// (like an update event from a change in Ingress)
|
2018-01-18 19:14:42 +00:00
|
|
|
s.sendDummyEvent()
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-02-06 18:16:36 +00:00
|
|
|
// getPemCertificate receives a secret, and creates a ingress.SSLCert as return.
|
|
|
|
|
// It parses the secret and verifies if it's a keypair, or a 'ca.crt' secret only.
|
2018-01-18 19:14:42 +00:00
|
|
|
func (s k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error) {
|
|
|
|
|
secret, err := s.listers.Secret.ByKey(secretName)
|
2016-11-10 22:56:29 +00:00
|
|
|
if err != nil {
|
2017-03-14 12:48:20 +00:00
|
|
|
return nil, fmt.Errorf("error retrieving secret %v: %v", secretName, err)
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2017-09-17 18:42:31 +00:00
|
|
|
cert, okcert := secret.Data[apiv1.TLSCertKey]
|
|
|
|
|
key, okkey := secret.Data[apiv1.TLSPrivateKeyKey]
|
2016-11-10 22:56:29 +00:00
|
|
|
ca := secret.Data["ca.crt"]
|
|
|
|
|
|
2018-05-15 12:10:29 +00:00
|
|
|
auth := secret.Data["auth"]
|
|
|
|
|
|
2017-09-27 03:46:22 +00:00
|
|
|
// namespace/secretName -> namespace-secretName
|
2016-11-10 22:56:29 +00:00
|
|
|
nsSecName := strings.Replace(secretName, "/", "-", -1)
|
2017-02-06 18:16:36 +00:00
|
|
|
|
2018-01-18 19:14:42 +00:00
|
|
|
var sslCert *ingress.SSLCert
|
2017-02-06 18:16:36 +00:00
|
|
|
if okcert && okkey {
|
2017-09-27 03:46:22 +00:00
|
|
|
if cert == nil {
|
|
|
|
|
return nil, fmt.Errorf("secret %v has no 'tls.crt'", secretName)
|
|
|
|
|
}
|
|
|
|
|
if key == nil {
|
|
|
|
|
return nil, fmt.Errorf("secret %v has no 'tls.key'", secretName)
|
2017-09-18 14:38:23 +00:00
|
|
|
}
|
2017-09-27 03:46:22 +00:00
|
|
|
|
|
|
|
|
// If 'ca.crt' is also present, it will allow this secret to be used in the
|
2017-11-08 20:58:57 +00:00
|
|
|
// 'nginx.ingress.kubernetes.io/auth-tls-secret' annotation
|
2018-01-18 19:14:42 +00:00
|
|
|
sslCert, err = ssl.AddOrUpdateCertAndKey(nsSecName, cert, key, ca, s.filesystem)
|
2017-07-18 20:26:28 +00:00
|
|
|
if err != nil {
|
2017-09-27 03:46:22 +00:00
|
|
|
return nil, fmt.Errorf("unexpected error creating pem file: %v", err)
|
2017-07-18 20:26:28 +00:00
|
|
|
}
|
2017-09-27 03:46:22 +00:00
|
|
|
|
2018-01-18 19:14:42 +00:00
|
|
|
glog.V(3).Infof("found 'tls.crt' and 'tls.key', configuring %v as a TLS Secret (CN: %v)", secretName, sslCert.CN)
|
2017-09-27 03:46:22 +00:00
|
|
|
if ca != nil {
|
|
|
|
|
glog.V(3).Infof("found 'ca.crt', secret %v can also be used for Certificate Authentication", secretName)
|
|
|
|
|
}
|
2017-02-06 18:16:36 +00:00
|
|
|
} else if ca != nil {
|
2018-01-18 19:14:42 +00:00
|
|
|
sslCert, err = ssl.AddCertAuth(nsSecName, ca, s.filesystem)
|
2017-09-27 03:46:22 +00:00
|
|
|
|
2017-07-18 20:26:28 +00:00
|
|
|
if err != nil {
|
2017-09-27 03:46:22 +00:00
|
|
|
return nil, fmt.Errorf("unexpected error creating pem file: %v", err)
|
2017-07-18 20:26:28 +00:00
|
|
|
}
|
2017-09-27 03:46:22 +00:00
|
|
|
|
|
|
|
|
// makes this secret in 'syncSecret' to be used for Certificate Authentication
|
|
|
|
|
// this does not enable Certificate Authentication
|
|
|
|
|
glog.V(3).Infof("found only 'ca.crt', configuring %v as an Certificate Authentication Secret", secretName)
|
|
|
|
|
|
2017-02-06 18:16:36 +00:00
|
|
|
} else {
|
2018-05-15 12:10:29 +00:00
|
|
|
if auth != nil {
|
|
|
|
|
return nil, ErrSecretForAuth
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-30 11:00:31 +00:00
|
|
|
return nil, fmt.Errorf("no keypair or CA cert could be found in %v", secretName)
|
2017-02-06 18:16:36 +00:00
|
|
|
}
|
|
|
|
|
|
2018-01-18 19:14:42 +00:00
|
|
|
sslCert.Name = secret.Name
|
|
|
|
|
sslCert.Namespace = secret.Namespace
|
|
|
|
|
|
|
|
|
|
return sslCert, nil
|
2016-11-10 22:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2018-01-18 19:14:42 +00:00
|
|
|
func (s k8sStore) checkSSLChainIssues() {
|
2018-04-12 22:26:10 +00:00
|
|
|
for _, item := range s.ListLocalSSLCerts() {
|
2018-01-18 19:14:42 +00:00
|
|
|
secretName := k8s.MetaNamespaceKey(item)
|
2018-04-12 22:26:10 +00:00
|
|
|
secret, err := s.GetLocalSSLCert(secretName)
|
2018-01-18 19:14:42 +00:00
|
|
|
if err != nil {
|
|
|
|
|
continue
|
|
|
|
|
}
|
2017-11-13 01:43:28 +00:00
|
|
|
|
|
|
|
|
if secret.FullChainPemFileName != "" {
|
|
|
|
|
// chain already checked
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-18 19:14:42 +00:00
|
|
|
data, err := ssl.FullChainCert(secret.PemFileName, s.filesystem)
|
2017-11-13 01:43:28 +00:00
|
|
|
if err != nil {
|
|
|
|
|
glog.Errorf("unexpected error generating SSL certificate with full intermediate chain CA certs: %v", err)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-18 19:14:42 +00:00
|
|
|
fullChainPemFileName := fmt.Sprintf("%v/%v-%v-full-chain.pem", file.DefaultSSLDirectory, secret.Namespace, secret.Name)
|
|
|
|
|
|
|
|
|
|
file, err := s.filesystem.Create(fullChainPemFileName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
glog.Errorf("unexpected error creating SSL certificate file %v: %v", fullChainPemFileName, err)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err = file.Write(data)
|
2017-11-13 01:43:28 +00:00
|
|
|
if err != nil {
|
|
|
|
|
glog.Errorf("unexpected error creating SSL certificate: %v", err)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dst := &ingress.SSLCert{}
|
|
|
|
|
|
|
|
|
|
err = mergo.MergeWithOverwrite(dst, secret)
|
|
|
|
|
if err != nil {
|
|
|
|
|
glog.Errorf("unexpected error creating SSL certificate: %v", err)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dst.FullChainPemFileName = fullChainPemFileName
|
|
|
|
|
|
|
|
|
|
glog.Infof("updating local copy of ssl certificate %v with missing intermediate CA certs", secretName)
|
2018-01-18 19:14:42 +00:00
|
|
|
s.sslStore.Update(secretName, dst)
|
2017-11-13 01:43:28 +00:00
|
|
|
// this update must trigger an update
|
|
|
|
|
// (like an update event from a change in Ingress)
|
2018-01-18 19:14:42 +00:00
|
|
|
s.sendDummyEvent()
|
2017-11-13 01:43:28 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-19 18:44:31 +00:00
|
|
|
// sendDummyEvent sends a dummy event to trigger an update
|
|
|
|
|
// This is used in when a secret change
|
|
|
|
|
func (s *k8sStore) sendDummyEvent() {
|
2018-02-14 01:46:18 +00:00
|
|
|
s.updateCh.In() <- Event{
|
2018-01-19 18:44:31 +00:00
|
|
|
Type: UpdateEvent,
|
|
|
|
|
Obj: &extensions.Ingress{
|
|
|
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
|
|
|
Name: "dummy",
|
|
|
|
|
Namespace: "dummy",
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-05-15 12:10:29 +00:00
|
|
|
|
|
|
|
|
// ErrSecretForAuth error to indicate a secret is used for authentication
|
|
|
|
|
var ErrSecretForAuth = fmt.Errorf("Secret is used for authentication")
|
|
|
|
|
|
|
|
|
|
func isErrSecretForAuth(e error) bool {
|
|
|
|
|
return e == ErrSecretForAuth
|
|
|
|
|
}
|
