certificate overhaul
@@ -35,9 +35,15 @@ type Config struct {
|
||||
|
||||
// mutation configuration
|
||||
AllowAdminNoMutate bool `env:"allow_admin_nomutate" default:"false"`
|
||||
AllowAdminNoMutateToggle string `env:"allow_admin_nomutate_toggle" default:"2d77b689-dc14-40a5-8971-34c62999335c"`
|
||||
AllowAdminNoMutateToggle string `env:"allow_admin_nomutate_toggle" default:"7b068a99-c02b-410a-bd59-3514bac85e7a"`
|
||||
DockerhubRegistry string `env:"dockerhub_registry" default:"registry.hub.docker.com"`
|
||||
MutateIgnoredImages []string `ignored:"true"`
|
||||
|
||||
// certificate configuration
|
||||
CACert string `env:"ca_cert"`
|
||||
CAPrivateKey string `env:"ca_private_key"`
|
||||
CertCert string `env:"cert_cert"`
|
||||
CertPrivateKey string `env:"cert_private_key"`
|
||||
}
|
||||
|
||||
// DefaultConfig initializes the config variable for use with a prepared set of defaults.
|
||||
|
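Review bot: The new certificate fields carry no doc comments, and `CAPrivateKey`/`CertPrivateKey` hold PEM-encoded private keys read straight from the environment, which a reader of `Config` should be told are secrets; suggest `// CAPrivateKey and CertPrivateKey hold PEM-encoded RSA private keys; treat them as secrets and keep them out of logs and error messages.` above `CACert`. The `AllowAdminNoMutateToggle` default UUID acts as a "not set" sentinel and is repeated as a string literal in `updateValues` later in this commit, where the previous value `2d77b689-dc14-40a5-8971-34c62999335c` is still compared against the config-file value. If that is intentional, a comment saying so and a named constant for each sentinel would stop the two literals from drifting apart again.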
@@ -9,10 +9,18 @@ import (
|
||||
)
|
||||
|
||||
type configFileStruct struct {
|
||||
AllowAdminNoMutate bool `yaml:"allow-admin-nomutate"`
|
||||
AllowAdminNoMutateToggle string `yaml:"allow-admin-nomutate-toggle"`
|
||||
DockerhubRegistry string `yaml:"dockerhub-registry"`
|
||||
MutateIgnoredImages []string `yaml:"mutate-ignored-images"`
|
||||
AllowAdminNoMutate bool `yaml:"allow-admin-nomutate"`
|
||||
AllowAdminNoMutateToggle string `yaml:"allow-admin-nomutate-toggle"`
|
||||
DockerhubRegistry string `yaml:"dockerhub-registry"`
|
||||
MutateIgnoredImages []string `yaml:"mutate-ignored-images"`
|
||||
CertificateAuthority CertStruct `yaml:"certificate-authority"`
|
||||
Certificate CertStruct `yaml:"certificate"`
|
||||
}
|
||||
|
||||
type CertStruct struct {
|
||||
Certificate string `yaml:"certificate"`
|
||||
PrivateKey string `yaml:"private-key"`
|
||||
PublicKey string `yaml:"public-key"`
|
||||
}
|
||||
|
||||
func getConfigFileData(fileLocation string) (configFileStruct, error) {
|
||||
|
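Review bot: `CertStruct.PublicKey` is declared with a `public-key` YAML key but nothing in this commit reads it — `updateValues` copies only `Certificate` and `PrivateKey` — so it is either dead or awaiting a consumer outside the diff, and a comment stating which would help. `CertStruct` is exported and lacks the doc comment Go tooling expects; suggest `// CertStruct holds the PEM-encoded parts of one certificate entry in the config file.` `getConfigFileData` at the end of the hunk continues outside it.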
@@ -1,8 +1,13 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"flag"
|
||||
"fmt"
|
||||
"log"
|
||||
"mutating-webhook/internal/certificate"
|
||||
"os"
|
||||
"reflect"
|
||||
"strings"
|
||||
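Review bot: The project-local import `mutating-webhook/internal/certificate` is slotted alphabetically among the standard-library imports; the usual convention, and what `goimports` produces, is a separate group after the stdlib block, blank-line separated. The import block continues outside the hunk.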
@@ -70,25 +75,108 @@ func Init() Config {
|
||||
}
|
||||
time.Now().Format(cfg.TimeFormat)
|
||||
|
||||
// print running config
|
||||
printRunningConfig(&cfg, cfgInfo)
|
||||
|
||||
// read config file
|
||||
configFileData, err := getConfigFileData(cfg.ConfigFile)
|
||||
if err != nil {
|
||||
log.Fatalf("[FATAL] Unable to read configuration file")
|
||||
}
|
||||
if cfg.AllowAdminNoMutate == false {
|
||||
cfg.AllowAdminNoMutate = configFileData.AllowAdminNoMutate
|
||||
updateValues(&cfg, configFileData)
|
||||
|
||||
// Generate certificates if needed
|
||||
if err := certificateInit(&cfg); err != nil {
|
||||
log.Fatalf("[FATAL] Unable to initialize certificate data: %v", err)
|
||||
}
|
||||
if cfg.AllowAdminNoMutateToggle == "2d77b689-dc14-40a5-8971-34c62999335c" {
|
||||
cfg.AllowAdminNoMutateToggle = configFileData.AllowAdminNoMutateToggle
|
||||
}
|
||||
if cfg.DockerhubRegistry == "registry.hub.docker.com" {
|
||||
cfg.DockerhubRegistry = configFileData.DockerhubRegistry
|
||||
}
|
||||
cfg.MutateIgnoredImages = configFileData.MutateIgnoredImages
|
||||
|
||||
// print running config
|
||||
printRunningConfig(&cfg, cfgInfo)
|
||||
|
||||
log.Println("[INFO] initialization sequence complete")
|
||||
return cfg
|
||||
}
|
||||
|
||||
func updateValues(cfg *Config, configFileData configFileStruct) {
|
||||
if cfg.AllowAdminNoMutate == false && configFileData.AllowAdminNoMutate != false {
|
||||
cfg.AllowAdminNoMutate = configFileData.AllowAdminNoMutate
|
||||
}
|
||||
if cfg.AllowAdminNoMutateToggle == "7b068a99-c02b-410a-bd59-3514bac85e7a" && configFileData.AllowAdminNoMutateToggle != "2d77b689-dc14-40a5-8971-34c62999335c" {
|
||||
cfg.AllowAdminNoMutateToggle = configFileData.AllowAdminNoMutateToggle
|
||||
}
|
||||
if cfg.DockerhubRegistry == "registry.hub.docker.com" && configFileData.DockerhubRegistry != "registry.hub.docker.com" {
|
||||
cfg.DockerhubRegistry = configFileData.DockerhubRegistry
|
||||
}
|
||||
if len(configFileData.MutateIgnoredImages) != 0 {
|
||||
cfg.MutateIgnoredImages = configFileData.MutateIgnoredImages
|
||||
}
|
||||
if len(configFileData.CertificateAuthority.Certificate) != 0 {
|
||||
cfg.CACert = configFileData.CertificateAuthority.Certificate
|
||||
}
|
||||
if len(configFileData.CertificateAuthority.PrivateKey) != 0 {
|
||||
cfg.CAPrivateKey = configFileData.CertificateAuthority.PrivateKey
|
||||
}
|
||||
if len(configFileData.Certificate.Certificate) != 0 {
|
||||
cfg.CertCert = configFileData.Certificate.Certificate
|
||||
}
|
||||
if len(configFileData.Certificate.PrivateKey) != 0 {
|
||||
cfg.CertPrivateKey = configFileData.Certificate.PrivateKey
|
||||
}
|
||||
}
|
||||
|
||||
func certificateInit(cfg *Config) error {
|
||||
// certificate authority private key does not exist, generate key pair
|
||||
if len(cfg.CAPrivateKey) == 0 {
|
||||
log.Printf("[TRACE] No certificate authority private key detected")
|
||||
keyPair, err := certificate.CreateRSAKeyPair(4096)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Create RSA Key (%v)", err)
|
||||
}
|
||||
// pem encode private key
|
||||
k := new(bytes.Buffer)
|
||||
pem.Encode(k, &pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(keyPair),
|
||||
})
|
||||
cfg.CAPrivateKey = k.String()
|
||||
}
|
||||
|
||||
// certificate authority certificate is missing, create it
|
||||
if len(cfg.CACert) == 0 {
|
||||
log.Printf("[TRACE] No certificate authority certificate detected")
|
||||
caCert, err := certificate.CreateCA(cfg.CAPrivateKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Create CA (%v)", err)
|
||||
}
|
||||
cfg.CACert = caCert
|
||||
}
|
||||
|
||||
// certificate private key does not exist, generate key pair
|
||||
if len(cfg.CertPrivateKey) == 0 {
|
||||
log.Printf("[TRACE] No server private key detected")
|
||||
keyPair, err := certificate.CreateRSAKeyPair(4096)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Create RSA Key (%v)", err)
|
||||
}
|
||||
// pem encode private key
|
||||
k := new(bytes.Buffer)
|
||||
pem.Encode(k, &pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(keyPair),
|
||||
})
|
||||
cfg.CertPrivateKey = k.String()
|
||||
}
|
||||
|
||||
// certificate certificate is missing, create it
|
||||
if len(cfg.CertCert) == 0 {
|
||||
log.Printf("[TRACE] No server certificate detected")
|
||||
csr, err := certificate.CreateCSR(cfg.CertPrivateKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Create CSR (%v)", err)
|
||||
}
|
||||
cert, err := certificate.SignCert(cfg.CACert, cfg.CAPrivateKey, csr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Sign Cert (%v)", err)
|
||||
}
|
||||
cfg.CertCert = cert
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
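Review bot: The second `printRunningConfig(&cfg, cfgInfo)` call now runs after `certificateInit` has filled `CAPrivateKey` and `CertPrivateKey` with freshly generated PEM private keys, so unless that function masks those fields — it is outside the hunk, so I cannot tell — the keys end up in the log. Separately, both `pem.Encode` calls in `certificateInit` discard their error, and the generate-then-encode sequence is duplicated for the CA and server keys; a small helper that checks the error removes both issues (sketch below; it needs `crypto/rsa` imported for the parameter type). The error strings use `%v` where `%w` would keep the cause reachable through `errors.Is`/`errors.As`, and both key branches return the same `"Create RSA Key"` text, so a failure cannot be attributed, e.g. `return fmt.Errorf("create CA RSA key: %w", err)`. In `updateValues` the toggle branch lacks the `len(...) != 0` guard the certificate branches use, so an empty `allow-admin-nomutate-toggle` in the file replaces the sentinel with `""`, and `cfg.AllowAdminNoMutate == false && configFileData.AllowAdminNoMutate != false` reads more plainly as `!cfg.AllowAdminNoMutate && configFileData.AllowAdminNoMutate`. `Init` starts outside the hunk.
```go
// pemEncodePrivateKey returns key as a PKCS#1 "RSA PRIVATE KEY" PEM block.
func pemEncodePrivateKey(key *rsa.PrivateKey) (string, error) {
	var buf bytes.Buffer
	block := &pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	}
	if err := pem.Encode(&buf, block); err != nil {
		return "", fmt.Errorf("pem encode private key: %w", err)
	}
	return buf.String(), nil
}

func certificateInit(cfg *Config) error {
	// certificate authority private key does not exist, generate key pair
	if len(cfg.CAPrivateKey) == 0 {
		log.Printf("[TRACE] No certificate authority private key detected")
		keyPair, err := certificate.CreateRSAKeyPair(4096)
		if err != nil {
			return fmt.Errorf("create CA RSA key: %w", err)
		}
		if cfg.CAPrivateKey, err = pemEncodePrivateKey(keyPair); err != nil {
			return err
		}
	}
	// … unchanged: CA certificate creation …
	// … server key branch: same shape as above, writing cfg.CertPrivateKey with "create server RSA key" …
	// … unchanged: CSR creation, signing, return nil …
```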