github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

switches from not CA signed to self CA signed for streaming TLS

Browse Source 
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
This commit is contained in:
Mike Brown 2018-04-02 11:07:59 -05:00
parent d36d62ecd4
commit c7793564fc
1 changed files with 9 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
pkg/server/streaming.go
View File

@ -17,19 +17,11 @@ limitations under the License.
package server package server
import ( import (
"crypto/rand"
"crypto/rsa"
"crypto/tls" "crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"io" "io"
"math" "math"
"math/big"
"net" "net"
"os" "os"
"time"
"github.com/pkg/errors" "github.com/pkg/errors"
k8snet "k8s.io/apimachinery/pkg/util/net" k8snet "k8s.io/apimachinery/pkg/util/net"
@ -42,13 +34,6 @@ import (
ctrdutil "github.com/containerd/cri/pkg/containerd/util" ctrdutil "github.com/containerd/cri/pkg/containerd/util"
) )
const (
// certOrganizationName is the name of this organization, used for certificates etc.
certOrganizationName = "containerd"
// certCommonName is the common name of the CRI plugin
certCommonName = "cri"
)
func newStreamServer(c *criService, addr, port string) (streaming.Server, error) { func newStreamServer(c *criService, addr, port string) (streaming.Server, error) {
if addr == "" { if addr == "" {
a, err := k8snet.ChooseBindAddress(nil) a, err := k8snet.ChooseBindAddress(nil)
@ -141,54 +126,26 @@ func handleResizing(resize <-chan remotecommand.TerminalSize, resizeFunc func(si
}() }()
} }
// newTLSCert returns a tls.certificate loaded from a newly generated // newTLSCert returns a self CA signed tls.certificate.
// x509certificate from a newly generated rsa public/private key pair. The
// x509certificate is self signed.
// TODO (mikebrow): replace / rewrite this function to support using CA // TODO (mikebrow): replace / rewrite this function to support using CA
// signing of the cetificate. Requires a security plan for kubernetes regarding // signing of the cetificate. Requires a security plan for kubernetes regarding
// CRI connections / streaming, etc. For example, kubernetes could configure or // CRI connections / streaming, etc. For example, kubernetes could configure or
// require a CA service and pass a configuration down through CRI. // require a CA service and pass a configuration down through CRI.
func newTLSCert() (tls.Certificate, error) { func newTLSCert() (tls.Certificate, error) {
fail := func(err error) (tls.Certificate, error) { return tls.Certificate{}, err } fail := func(err error) (tls.Certificate, error) { return tls.Certificate{}, err }
var years = 1 // duration of certificate
// Generate new private key
privKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return fail(errors.Wrap(err, "private key cannot be created"))
}
// Generate pem block using the private key
keyPem := pem.EncodeToMemory(&pem.Block{
Type: k8scert.RSAPrivateKeyBlockType,
Bytes: x509.MarshalPKCS1PrivateKey(privKey),
})
// Generate a new random serial number for certificate
serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
if err != nil {
return fail(errors.Wrap(err, "failed to generate serial number"))
}
hostName, err := os.Hostname() hostName, err := os.Hostname()
if err != nil { if err != nil {
return fail(errors.Wrap(err, "failed to get hostname")) return fail(errors.Wrap(err, "failed to get hostname"))
} }
addrs, err := net.InterfaceAddrs() addrs, err := net.InterfaceAddrs()
if err != nil { if err != nil {
return fail(errors.Wrap(err, "failed to get host IP addresses")) return fail(errors.Wrap(err, "failed to get host IP addresses"))
} }
// Configure and create new certificate var alternateIPs []net.IP
tml := x509.Certificate{ var alternateDNS []string
NotBefore: time.Now(),
NotAfter: time.Now().AddDate(years, 0, 0),
SerialNumber: serialNumber,
Subject: pkix.Name{
CommonName: fmt.Sprintf("%s:%s:%s", certOrganizationName, certCommonName, hostName),
Organization: []string{certOrganizationName},
},
BasicConstraintsValid: true,
}
for _, addr := range addrs { for _, addr := range addrs {
var ip net.IP var ip net.IP
@ -201,21 +158,16 @@ func newTLSCert() (tls.Certificate, error) {
continue continue
} }
tml.IPAddresses = append(tml.IPAddresses, ip) alternateIPs = append(alternateIPs, ip)
tml.DNSNames = append(tml.DNSNames, ip.String()) alternateDNS = append(alternateDNS, ip.String())
} }
cert, err := x509.CreateCertificate(rand.Reader, &tml, &tml, &privKey.PublicKey, privKey) // Generate a self signed certificate key (CA is self)
certPem, keyPem, err := k8scert.GenerateSelfSignedCertKey(hostName, alternateIPs, alternateDNS)
if err != nil { if err != nil {
return fail(errors.Wrap(err, "certificate cannot be created")) return fail(errors.Wrap(err, "certificate key could not be created"))
} }
// Generate a pem block with the certificate
certPem := pem.EncodeToMemory(&pem.Block{
Type: k8scert.CertificateBlockType,
Bytes: cert,
})
// Load the tls certificate // Load the tls certificate
tlsCert, err := tls.X509KeyPair(certPem, keyPem) tlsCert, err := tls.X509KeyPair(certPem, keyPem)
if err != nil { if err != nil {