apitech
/
loki
mirror of https://github.com/grafana/loki
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Like Prometheus, but for logs.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7603 Commits
849 Branches
312 Tags
686 MiB
Tag: Branch: Tree: 7b5a109bef
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b5a109bef'
${ noResults }
loki/operator/internal/certrotation/signer.go

100 lines
2.7 KiB
Raw Normal View History Unescape

operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
package certrotation
import (
"bytes"
"fmt"
"time"
"github.com/openshift/library-go/pkg/crypto"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
operator: Automatically order imports based on contributing guide (#9692)
2 years ago
"sigs.k8s.io/controller-runtime/pkg/client"
operator: Add support for built-in-cert-rotation for all internal lokistack encryption (#7064)
3 years ago
)
// SigningCAExpired returns true if the signer certificate expired and the reason of expiry.
func SigningCAExpired(opts Options) error {
// Skip as secret not created or loaded
if opts.Signer.Secret == nil {
return nil
}
reason := opts.Signer.Rotation.NeedNewCertificate(opts.Signer.Secret.Annotations, opts.Rotation.CACertRefresh)
if reason != "" {
return &CertExpiredError{Message: "signing CA certificate expired", Reasons: []string{reason}}
}
return nil
}
// buildSigningCASecret returns a k8s Secret holding the signing CA certificate
func buildSigningCASecret(opts *Options) (client.Object, error) {
signingCertKeyPairSecret := newSigningCASecret(*opts)
opts.Signer.Rotation.Issuer = fmt.Sprintf("%s_%s", signingCertKeyPairSecret.Namespace, signingCertKeyPairSecret.Name)
if reason := opts.Signer.Rotation.NeedNewCertificate(signingCertKeyPairSecret.Annotations, opts.Rotation.CACertRefresh); reason != "" {
if err := setSigningCertKeyPairSecret(signingCertKeyPairSecret, opts.Rotation.CACertValidity, opts.Signer.Rotation); err != nil {
return nil, err
}
}
var (
cert = signingCertKeyPairSecret.Data[corev1.TLSCertKey]
key = signingCertKeyPairSecret.Data[corev1.TLSPrivateKeyKey]
)
rawCA, err := crypto.GetCAFromBytes(cert, key)
if err != nil {
return nil, err
}
opts.Signer.RawCA = rawCA
return signingCertKeyPairSecret, nil
}
func newSigningCASecret(opts Options) *corev1.Secret {
current := opts.Signer.Secret.DeepCopy()
s := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: SigningCASecretName(opts.StackName),
Namespace: opts.StackNamespace,
},
Type: corev1.SecretTypeTLS,
}
if current != nil {
s.Annotations = current.Annotations
s.Labels = current.Labels
s.Data = current.Data
}
return s
}
// setSigningCertKeyPairSecret creates a new signing cert/key pair and sets them in the secret
func setSigningCertKeyPairSecret(s *corev1.Secret, validity time.Duration, caCreator signerRotation) error {
if s.Annotations == nil {
s.Annotations = map[string]string{}
}
if s.Data == nil {
s.Data = map[string][]byte{}
}
ca, err := caCreator.NewCertificate(validity)
if err != nil {
return err
}
certBytes := &bytes.Buffer{}
keyBytes := &bytes.Buffer{}
if err := ca.WriteCertConfig(certBytes, keyBytes); err != nil {
return err
}
s.Data[corev1.TLSCertKey] = certBytes.Bytes()
s.Data[corev1.TLSPrivateKeyKey] = keyBytes.Bytes()
caCreator.SetAnnotations(ca, s.Annotations)
return nil
}