kyverno/pkg/tls/utils.go

package tls

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"time"

	"github.com/kyverno/kyverno/api/kyverno"
	corev1 "k8s.io/api/core/v1"
)

func privateKeyToPem(rsaKey *rsa.PrivateKey) []byte {
	privateKey := &pem.Block{
		Type:  "PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(rsaKey),
	}
	return pem.EncodeToMemory(privateKey)
}

func certificateToPem(certs ...*x509.Certificate) []byte {
	var raw []byte
	for _, cert := range certs {
		certificate := &pem.Block{
			Type:  "CERTIFICATE",
			Bytes: cert.Raw,
		}
		raw = append(raw, pem.EncodeToMemory(certificate)...)
	}
	return raw
}

func pemToPrivateKey(raw []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(raw)
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

func pemToCertificates(raw []byte) []*x509.Certificate {
	var certs []*x509.Certificate
	for {
		certPemBlock, next := pem.Decode(raw)
		if certPemBlock == nil {
			return certs
		}
		raw = next
		cert, err := x509.ParseCertificate(certPemBlock.Bytes)
		if err == nil {
			certs = append(certs, cert)
		}
	}
}

func removeExpiredCertificates(now time.Time, certs ...*x509.Certificate) []*x509.Certificate {
	var result []*x509.Certificate
	for _, cert := range certs {
		if !now.After(cert.NotAfter) {
			result = append(result, cert)
		}
	}
	return result
}

func allCertificatesExpired(now time.Time, certs ...*x509.Certificate) bool {
	for _, cert := range certs {
		if !now.After(cert.NotAfter) {
			return false
		}
	}
	return true
}

func validateCert(now time.Time, cert *x509.Certificate, caCerts ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, cert := range caCerts {
		pool.AddCert(cert)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now}); err != nil {
		return false
	}
	return true
}

func isSecretManagedByKyverno(secret *corev1.Secret) bool {
	if secret != nil {
		labels := secret.GetLabels()
		if labels == nil {
			return false
		}
		if labels[kyverno.LabelCertManagedBy] != kyverno.ValueKyvernoApp {
			return false
		}
	}
	return true
}
refactor: cleanup tls package (#3854) * refactor: init certs with certs renewer directly Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: tls package Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: cleanup tls package Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-11 08:05:13 +00:00			`package tls`

			`import (`
refactor: remove deployment hash on certs secrets (#3886) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-11 14:58:14 +00:00			`"crypto/rsa"`
			`"crypto/x509"`
			`"encoding/pem"`
feat: gracefull certificates rotation support (#3890) * refactor: remove deployment hash on certs secrets Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: add label on kyverno webhooks Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: implement update ca bundle Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * test: set very low validity and expiration intervals Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: writing secret Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * add renew ca Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * decouple ca and tls validity duration Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactored code, everything is in place to finalize implementation Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * use real validity periods Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-05-12 14:07:25 +00:00			`"time"`
refactor: remove deployment hash on certs secrets (#3886) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-11 14:58:14 +00:00
refactor: move kyverno constants out of v1 package (#7760) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-07-06 08:00:36 +00:00			`"github.com/kyverno/kyverno/api/kyverno"`
chore: make k8s api import aliases consistent (#3950) * chore: make kyverno api import aliases consistent Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * chore: make apimachinery api import aliases consistent Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 14:14:31 +00:00			`corev1 "k8s.io/api/core/v1"`
refactor: cleanup tls package (#3854) * refactor: init certs with certs renewer directly Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: tls package Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: cleanup tls package Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-11 08:05:13 +00:00			`)`

feat: gracefull certificates rotation support (#3890) * refactor: remove deployment hash on certs secrets Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: add label on kyverno webhooks Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: implement update ca bundle Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * test: set very low validity and expiration intervals Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: writing secret Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * add renew ca Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * decouple ca and tls validity duration Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactored code, everything is in place to finalize implementation Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * use real validity periods Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-05-12 14:07:25 +00:00			`func privateKeyToPem(rsaKey *rsa.PrivateKey) []byte {`
refactor: remove deployment hash on certs secrets (#3886) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-11 14:58:14 +00:00			`privateKey := &pem.Block{`
			`Type: "PRIVATE KEY",`
			`Bytes: x509.MarshalPKCS1PrivateKey(rsaKey),`
			`}`
			`return pem.EncodeToMemory(privateKey)`
			`}`

feat: gracefull certificates rotation support (#3890) * refactor: remove deployment hash on certs secrets Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: add label on kyverno webhooks Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: implement update ca bundle Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * test: set very low validity and expiration intervals Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: writing secret Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * add renew ca Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * decouple ca and tls validity duration Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactored code, everything is in place to finalize implementation Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * use real validity periods Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-05-12 14:07:25 +00:00			`func certificateToPem(certs ...*x509.Certificate) []byte {`
			`var raw []byte`
			`for _, cert := range certs {`
			`certificate := &pem.Block{`
			`Type: "CERTIFICATE",`
			`Bytes: cert.Raw,`
			`}`
			`raw = append(raw, pem.EncodeToMemory(certificate)...)`
			`}`
			`return raw`
			`}`

			`func pemToPrivateKey(raw []byte) (*rsa.PrivateKey, error) {`
			`block, _ := pem.Decode(raw)`
			`return x509.ParsePKCS1PrivateKey(block.Bytes)`
			`}`

			`func pemToCertificates(raw []byte) []*x509.Certificate {`
			`var certs []*x509.Certificate`
			`for {`
			`certPemBlock, next := pem.Decode(raw)`
			`if certPemBlock == nil {`
			`return certs`
			`}`
			`raw = next`
			`cert, err := x509.ParseCertificate(certPemBlock.Bytes)`
			`if err == nil {`
			`certs = append(certs, cert)`
			`}`
			`}`
			`}`

			`func removeExpiredCertificates(now time.Time, certs ...x509.Certificate) []x509.Certificate {`
			`var result []*x509.Certificate`
			`for _, cert := range certs {`
			`if !now.After(cert.NotAfter) {`
			`result = append(result, cert)`
			`}`
refactor: remove deployment hash on certs secrets (#3886) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-11 14:58:14 +00:00			`}`
feat: gracefull certificates rotation support (#3890) * refactor: remove deployment hash on certs secrets Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: add label on kyverno webhooks Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: implement update ca bundle Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * test: set very low validity and expiration intervals Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: writing secret Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * add renew ca Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * decouple ca and tls validity duration Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactored code, everything is in place to finalize implementation Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * use real validity periods Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-05-12 14:07:25 +00:00			`return result`
			`}`

			`func allCertificatesExpired(now time.Time, certs ...*x509.Certificate) bool {`
			`for _, cert := range certs {`
			`if !now.After(cert.NotAfter) {`
			`return false`
			`}`
			`}`
			`return true`
			`}`

			`func validateCert(now time.Time, cert x509.Certificate, caCerts ...x509.Certificate) bool {`
			`pool := x509.NewCertPool()`
			`for _, cert := range caCerts {`
			`pool.AddCert(cert)`
			`}`
			`if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now}); err != nil {`
			`return false`
			`}`
			`return true`
refactor: remove deployment hash on certs secrets (#3886) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-11 14:58:14 +00:00			`}`

fix: don't report ready until certs are valid (#4934) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-10-14 04:23:42 +00:00			`func isSecretManagedByKyverno(secret *corev1.Secret) bool {`
refactor: remove deployment hash on certs secrets (#3886) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-11 14:58:14 +00:00			`if secret != nil {`
			`labels := secret.GetLabels()`
			`if labels == nil {`
			`return false`
			`}`
chore: move cert.kyverno.io/managed-by label in constants (#7942) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-07-31 13:17:51 +00:00			`if labels[kyverno.LabelCertManagedBy] != kyverno.ValueKyvernoApp {`
refactor: remove deployment hash on certs secrets (#3886) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-11 14:58:14 +00:00			`return false`
			`}`
refactor: cleanup tls package (#3854) * refactor: init certs with certs renewer directly Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: tls package Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: cleanup tls package Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-11 08:05:13 +00:00			`}`
refactor: remove deployment hash on certs secrets (#3886) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-11 14:58:14 +00:00			`return true`
			`}`