HTTP: Add support for external CA (#1538)
* Add support for external CA cert

* Add unit tests
barkbay authored Aug 12, 2019
1 parent 4514d58 commit 5adde3d
Showing 8 changed files with 355 additions and 16 deletions.
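--- a/operators/config/crds/apm_v1alpha1_apmserver.yaml
+++ b/operators/config/crds/apm_v1alpha1_apmserver.yaml
@@ -130,9 +130,10 @@ spec:
 certificate:
 description: 'Certificate is a reference to a secret that contains
 the certificate and private key to be used. The secret should
-have the following content: - `tls.crt`: The certificate
-(or a chain). - `tls.key`: The private key to the first certificate
-in the certificate chain.'
+have the following content: - `ca.crt`: The certificate authority
+(optional) - `tls.crt`: The certificate (or a chain). - `tls.key`:
+The private key to the first certificate in the certificate
+chain.'
 properties:
 secretName:
 type: string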
Expand Up @@ -78,9 +78,10 @@ spec:
certificate:
description: 'Certificate is a reference to a secret that contains
the certificate and private key to be used. The secret should
have the following content: - `tls.crt`: The certificate
(or a chain). - `tls.key`: The private key to the first certificate
in the certificate chain.'
have the following content: - `ca.crt`: The certificate authority
(optional) - `tls.crt`: The certificate (or a chain). - `tls.key`:
The private key to the first certificate in the certificate
chain.'
properties:
secretName:
type: string
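--- a/operators/config/crds/kibana_v1alpha1_kibana.yaml
+++ b/operators/config/crds/kibana_v1alpha1_kibana.yaml
@@ -127,9 +127,10 @@ spec:
 certificate:
 description: 'Certificate is a reference to a secret that contains
 the certificate and private key to be used. The secret should
-have the following content: - `tls.crt`: The certificate
-(or a chain). - `tls.key`: The private key to the first certificate
-in the certificate chain.'
+have the following content: - `ca.crt`: The certificate authority
+(optional) - `tls.crt`: The certificate (or a chain). - `tls.key`:
+The private key to the first certificate in the certificate
+chain.'
 properties:
 secretName:
 type: string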
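--- a/operators/pkg/apis/common/v1alpha1/common.go
+++ b/operators/pkg/apis/common/v1alpha1/common.go
@@ -59,6 +59,7 @@ type TLSOptions struct {
 //
 // The secret should have the following content:
 //
+// - `ca.crt`: The certificate authority (optional)
 // - `tls.crt`: The certificate (or a chain).
 // - `tls.key`: The private key to the first certificate in the certificate chain.
 Certificate SecretRef `json:"certificate,omitempty"`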
Expand Up @@ -5,6 +5,8 @@
package http

import (
"fmt"

"github.com/elastic/cloud-on-k8s/operators/pkg/apis/common/v1alpha1"
"github.com/elastic/cloud-on-k8s/operators/pkg/controller/common/certificates"
"github.com/elastic/cloud-on-k8s/operators/pkg/utils/k8s"
Expand All @@ -14,6 +16,19 @@ import (

type CertificatesSecret v1.Secret

// CAPem returns the certificate of the certificate authority.
func (s CertificatesSecret) CAPem() []byte {
if ca, exist := s.Data[certificates.CAFileName]; exist {
return ca
}
return nil
}

// CertChain combines the certificate of the CA and the host certificate.
func (s CertificatesSecret) CertChain() []byte {
return append(s.CertPem(), s.CAPem()...)
}

func (s CertificatesSecret) CertPem() []byte {
return s.Data[certificates.CertFileName]
}
Expand All @@ -22,8 +37,36 @@ func (s CertificatesSecret) KeyPem() []byte {
return s.Data[certificates.KeyFileName]
}

// Validate checks that mandatory fields are present.
// It does not check that the public key matches the private key.
func (s CertificatesSecret) Validate() error {
// TODO: Validate that the contents of the secret forms a valid certificate.
// Validate private key
key, exist := s.Data[certificates.KeyFileName]
if !exist {
return fmt.Errorf("can't find private key %s in %s/%s", certificates.KeyFileName, s.Namespace, s.Name)
}
_, err := certificates.ParsePEMPrivateKey(key)
if err != nil {
return err
}
// Validate host certificate
cert, exist := s.Data[certificates.CertFileName]
if !exist {
return fmt.Errorf("can't find certificate %s in %s/%s", certificates.CertFileName, s.Namespace, s.Name)
}
_, err = certificates.ParsePEMCerts(cert)
if err != nil {
return err
}
// Eventually validate CA certificate
ca, exist := s.Data[certificates.CAFileName]
if !exist {
return nil
}
_, err = certificates.ParsePEMCerts(ca)
if err != nil {
return err
}
return nil
}

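Review bot: Validate (L114-L144, fully inside the hunk) parses tls.key and tls.crt independently, so a private key that belongs to a different certificate — or a ca.crt that never issued tls.crt — passes validation and the mismatch only surfaces later when the server fails to load the pair or clients reject the chain the operator hands out. The stdlib `tls.X509KeyPair(cert, key)` parses both PEM blocks and rejects a mismatched pair in one call, so the two parse calls at L121 and L130 can be replaced by it once `crypto/tls` is added to the import block (only partly visible at L82-L87); whether ca.crt actually chains to the leaf could additionally be checked with `x509.Certificate.Verify` against a pool built from ca.crt, though that is stricter than the current optional handling and would need to tolerate intermediates, so it is worth a design decision rather than a drive-by. Separately, `CertChain` at L102 calls `append` on the slice returned by `s.Data[certificates.CertFileName]`, which writes into the secret's own backing array when it has spare capacity, and yields a malformed PEM stream (`-----END CERTIFICATE----------BEGIN CERTIFICATE-----`) when tls.crt lacks a trailing newline; copy first, e.g. `chain := append([]byte(nil), s.CertPem()...)`, insert a `'\n'` when the leaf does not end with one, and only then append the CA bytes. The doc comment on Validate should also state that CA/leaf consistency is not checked, since it currently only disclaims the key/cert match.
```go
	// … unchanged: presence checks for tls.key and tls.crt …
	// X509KeyPair parses both PEM blocks and also rejects a private key that
	// does not belong to the leaf certificate, which two separate parses cannot.
	if _, err := tls.X509KeyPair(cert, key); err != nil {
		return fmt.Errorf("invalid certificate/key pair in %s/%s: %v", s.Namespace, s.Name, err)
	}
	// … unchanged: optional ca.crt parsing …
```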