Switch CSR approver/signer/cleaner controllers to v1

pkg/apis/certificates/helpers.go

@@ -20,12 +20,15 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
+	"fmt"
+	"reflect"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/util/sets"
 )
 
-// ParseCSR extracts the CSR from the API object and decodes it.
-func ParseCSR(obj *CertificateSigningRequest) (*x509.CertificateRequest, error) {
-	// extract PEM from request object
-	pemBytes := obj.Spec.Request
+// ParseCSR extracts the CSR from the bytes and decodes it.
+func ParseCSR(pemBytes []byte) (*x509.CertificateRequest, error) {
 	block, _ := pem.Decode(pemBytes)
 	if block == nil || block.Type != "CERTIFICATE REQUEST" {
 		return nil, errors.New("PEM block type must be CERTIFICATE REQUEST")
@@ -36,3 +39,88 @@ func ParseCSR(obj *CertificateSigningRequest) (*x509.CertificateRequest, error)
 	}
 	return csr, nil
 }
+
+var (
+	organizationNotSystemNodesErr = fmt.Errorf("subject organization is not system:nodes")
+	commonNameNotSystemNode       = fmt.Errorf("subject common name does not begin with system:node:")
+	dnsOrIPSANRequiredErr         = fmt.Errorf("DNS or IP subjectAltName is required")
+	dnsSANNotAllowedErr           = fmt.Errorf("DNS subjectAltNames are not allowed")
+	emailSANNotAllowedErr         = fmt.Errorf("Email subjectAltNames are not allowed")
+	ipSANNotAllowedErr            = fmt.Errorf("IP subjectAltNames are not allowed")
+	uriSANNotAllowedErr           = fmt.Errorf("URI subjectAltNames are not allowed")
+)
+
+var kubeletServingRequiredUsages = sets.NewString(
+	string(UsageDigitalSignature),
+	string(UsageKeyEncipherment),
+	string(UsageServerAuth),
+)
+
+func IsKubeletServingCSR(req *x509.CertificateRequest, usages sets.String) bool {
+	return ValidateKubeletServingCSR(req, usages) == nil
+}
+func ValidateKubeletServingCSR(req *x509.CertificateRequest, usages sets.String) error {
+	if !reflect.DeepEqual([]string{"system:nodes"}, req.Subject.Organization) {
+		return organizationNotSystemNodesErr
+	}
+
+	// at least one of dnsNames or ipAddresses must be specified
+	if len(req.DNSNames) == 0 && len(req.IPAddresses) == 0 {
+		return dnsOrIPSANRequiredErr
+	}
+
+	if len(req.EmailAddresses) > 0 {
+		return emailSANNotAllowedErr
+	}
+	if len(req.URIs) > 0 {
+		return uriSANNotAllowedErr
+	}
+
+	if !kubeletServingRequiredUsages.Equal(usages) {
+		return fmt.Errorf("usages did not match %v", kubeletServingRequiredUsages.List())
+	}
+
+	if !strings.HasPrefix(req.Subject.CommonName, "system:node:") {
+		return commonNameNotSystemNode
+	}
+
+	return nil
+}
+
+var kubeletClientRequiredUsages = sets.NewString(
+	string(UsageDigitalSignature),
+	string(UsageKeyEncipherment),
+	string(UsageClientAuth),
+)
+
+func IsKubeletClientCSR(req *x509.CertificateRequest, usages sets.String) bool {
+	return ValidateKubeletClientCSR(req, usages) == nil
+}
+func ValidateKubeletClientCSR(req *x509.CertificateRequest, usages sets.String) error {
+	if !reflect.DeepEqual([]string{"system:nodes"}, req.Subject.Organization) {
+		return organizationNotSystemNodesErr
+	}
+
+	if len(req.DNSNames) > 0 {
+		return dnsSANNotAllowedErr
+	}
+	if len(req.EmailAddresses) > 0 {
+		return emailSANNotAllowedErr
+	}
+	if len(req.IPAddresses) > 0 {
+		return ipSANNotAllowedErr
+	}
+	if len(req.URIs) > 0 {
+		return uriSANNotAllowedErr
+	}
+
+	if !strings.HasPrefix(req.Subject.CommonName, "system:node:") {
+		return commonNameNotSystemNode
+	}
+
+	if !kubeletClientRequiredUsages.Equal(usages) {
+		return fmt.Errorf("usages did not match %v", kubeletClientRequiredUsages.List())
+	}
+
+	return nil
+}