
Commit 7832e0b

committed
snc: generate ca cert for snc if not provided by user
For the openshift-snc service, the user needs to supply a self-signed cert for the admin kubeconfig; this commit adds code to generate this cert when the user has not provided one during create using the flag '--ca-cert-file'.
1 parent ab689ee commit 7832e0b

3 files changed

Lines changed: 74 additions & 3 deletions


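--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@ out/
 manifest.json
 ami-id
 Pulumi*.yaml
+custom-ca.crt
+custom-ca.key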

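--- a/cmd/mapt/cmd/aws/services/openshift-snc.go
+++ b/cmd/mapt/cmd/aws/services/openshift-snc.go
@@ -72,9 +72,10 @@ func createSNC() *cobra.Command {
 Version: viper.GetString(ocpVersion),
 Arch: viper.GetString(params.LinuxArch),
 PullSecretFile: viper.GetString(pullSecretFile),
-CaCertFile: viper.GetString(caCertFile),
-Spot: viper.IsSet(awsParams.Spot),
-Timeout: viper.GetString(params.Timeout)}); err != nil {
+CaCertFile: util.If(viper.GetString(caCertFile) == "",
+util.GenAdminKubeconfigSignerCert(), viper.GetString(caCertFile)),
+Spot: viper.IsSet(awsParams.Spot),
+Timeout: viper.GetString(params.Timeout)}); err != nil {
 logging.Error(err)
 }
 return nil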
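Review bot: `util.If(...)` is an ordinary function call, so both of its arguments are evaluated before the condition is consulted: `util.GenAdminKubeconfigSignerCert()` runs on every `createSNC` invocation, generating a 4096-bit RSA key and removing/writing `custom-ca.crt` and `custom-ca.key` in the working directory even when the user supplied `--ca-cert-file`. A plain conditional keeps the generation on the fallback path only: `caCert := viper.GetString(caCertFile)`, `if caCert == "" { caCert = util.GenAdminKubeconfigSignerCert() }`, then `CaCertFile: caCert,`. Note also that a generation failure yields `""`, so the request proceeds with an empty CaCertFile exactly as if no flag had been given; checking for the empty result here and returning an error would make that failure visible to the caller. The body of createSNC starts before this hunk.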

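--- a/pkg/util/ocp_util.go
+++ b/pkg/util/ocp_util.go
@@ -0,0 +1,68 @@
+package util
+
+import (
+"crypto/rand"
+"crypto/rsa"
+"crypto/x509"
+"crypto/x509/pkix"
+"encoding/pem"
+"os"
+"path/filepath"
+"time"
+
+"github.com/redhat-developer/mapt/pkg/util/logging"
+)
+
+func GenAdminKubeconfigSignerCert() string {
+caCertFileName := "custom-ca.crt"
+caKeyFileName := "custom-ca.key"
+
+ca := &x509.Certificate{
+Subject: pkix.Name{
+OrganizationalUnit: []string{"openshift"},
+CommonName: "admin-kubeconfig-signer-custom",
+},
+NotBefore: time.Now(),
+NotAfter: time.Now().Add(time.Hour * 24 * 365),
+IsCA: true,
+ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
+BasicConstraintsValid: true,
+}
+
+caPrivateKey, err := rsa.GenerateKey(rand.Reader, 4096)
+if err != nil {
+logging.Error(err)
+return ""
+}
+
+cert, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivateKey.PublicKey, caPrivateKey)
+if err != nil {
+logging.Error(err)
+return ""
+}
+
+certPem := pem.EncodeToMemory(&pem.Block{
+Type: "CERTIFICATE",
+Bytes: cert,
+})
+
+privateKeyPem := pem.EncodeToMemory(&pem.Block{
+Type: "RSA PRIVATE KEY",
+Bytes: x509.MarshalPKCS1PrivateKey(caPrivateKey),
+})
+
+_ = os.Remove(caCertFileName)
+_ = os.Remove(caKeyFileName)
+
+if err := os.WriteFile(caCertFileName, certPem, 0444); err != nil {
+logging.Error(err)
+return ""
+}
+if err := os.WriteFile(caKeyFileName, privateKeyPem, 0444); err != nil {
+logging.Error(err)
+return ""
+}
+
+return filepath.Join(".", caCertFileName)
+}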
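Review bot: The CA private key is written world-readable: `os.WriteFile(caKeyFileName, privateKeyPem, 0444)` creates `custom-ca.key` with mode 0444 in the current working directory, and this key signs the admin kubeconfig client certificate, so anyone who can read the directory can mint cluster-admin credentials. The key file should be owner-only, `if err := os.WriteFile(caKeyFileName, privateKeyPem, 0600); err != nil {`, while 0444 is fine for the certificate. Two smaller points in the same function: the template sets no `SerialNumber`, which depending on the Go version either makes `x509.CreateCertificate` fail or causes a random serial to be filled in, so setting one explicitly (a random value from `rand.Reader`) avoids relying on that behaviour; and every failure is logged and turned into `""`, which the caller cannot distinguish from "no file", so returning `(string, error)` and wrapping each step with `fmt.Errorf("...: %w", err)` would surface the failure. A doc comment on the exported function should also state that it overwrites `custom-ca.crt` and `custom-ca.key` in the working directory and returns the certificate path.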
