certificates: support allowed usage

2025-11-01 10:48:15 +00:00 · 2016-11-07 10:25:45 -08:00
parent ee177dbbfe
commit fb099ae385
5 changed files with 182 additions and 15 deletions
--- a/pkg/controller/certificates/certificate_controller.go
+++ b/pkg/controller/certificates/certificate_controller.go
@@ -33,9 +33,6 @@ import (
 	"k8s.io/kubernetes/pkg/util/workqueue"
 	"k8s.io/kubernetes/pkg/watch"

-	"github.com/cloudflare/cfssl/config"
-	"github.com/cloudflare/cfssl/signer"
-	"github.com/cloudflare/cfssl/signer/local"
 	"github.com/golang/glog"
 )

@@ -43,6 +40,10 @@ type AutoApprover interface {
 	AutoApprove(csr *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error)
 }

+type Signer interface {
+	Sign(csr *certificates.CertificateSigningRequest) ([]byte, error)
+}
+
 type CertificateController struct {
 	kubeClient clientset.Interface

@@ -53,8 +54,7 @@ type CertificateController struct {
 	syncHandler func(csrKey string) error

 	approver AutoApprover
-
-	signer *local.Signer
+	signer   Signer

 	queue workqueue.RateLimitingInterface
 }
@@ -65,12 +65,7 @@ func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Du
 	eventBroadcaster.StartLogging(glog.Infof)
 	eventBroadcaster.StartRecordingToSink(&v1core.EventSinkImpl{Interface: kubeClient.Core().Events("")})

-	// Configure cfssl signer
-	// TODO: support non-default policy and remote/pkcs11 signing
-	policy := &config.Signing{
-		Default: config.DefaultConfig(),
-	}
-	ca, err := local.NewSignerFromFile(caCertFile, caKeyFile, policy)
+	s, err := NewCFSSLSigner(caCertFile, caKeyFile)
 	if err != nil {
 		return nil, err
 	}
@@ -78,7 +73,7 @@ func NewCertificateController(kubeClient clientset.Interface, syncPeriod time.Du
 	cc := &CertificateController{
 		kubeClient: kubeClient,
 		queue:      workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "certificate"),
-		signer:     ca,
+		signer:     s,
 		approver:   approver,
 	}

@@ -209,9 +204,7 @@ func (cc *CertificateController) maybeSignCertificate(key string) error {
 	// 3. Update the Status subresource

 	if csr.Status.Certificate == nil && IsCertificateRequestApproved(csr) {
-		pemBytes := csr.Spec.Request
-		req := signer.SignRequest{Request: string(pemBytes)}
-		certBytes, err := cc.signer.Sign(req)
+		certBytes, err := cc.signer.Sign(csr)
 		if err != nil {
 			return err
 		}