From 629f7b2380f4397b8f72e44637cf51e1b6ca761e Mon Sep 17 00:00:00 2001 
From: Jordan Liggitt Date: Sat, 22 May 2021 20:04:38 -0400 Subject: [PATCH] Fix expired unit test certs --- .../kube-aggregator/pkg/apiserver/BUILD | 1 + .../pkg/apiserver/handler_proxy_test.go | 215 +++--------------- .../pkg/apiserver/testdata/README.md | 1 + .../pkg/apiserver/testdata/client-ca-key.pem | 5 + .../pkg/apiserver/testdata/client-ca.pem | 10 + .../pkg/apiserver/testdata/client-key.pem | 5 + .../pkg/apiserver/testdata/client.pem | 11 + .../testdata/generate.client-ca.json | 6 + .../apiserver/testdata/generate.client.json | 3 + .../apiserver/testdata/generate.profiles.json | 22 ++ .../testdata/generate.server-ca.json | 6 + .../apiserver/testdata/generate.server.json | 4 + .../pkg/apiserver/testdata/generate.sh | 23 ++ .../pkg/apiserver/testdata/server-ca-key.pem | 5 + .../pkg/apiserver/testdata/server-ca.pem | 10 + .../pkg/apiserver/testdata/server-key.pem | 5 + .../pkg/apiserver/testdata/server.pem | 12 + 17 files changed, 155 insertions(+), 189 deletions(-) create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/README.md create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-ca-key.pem create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-ca.pem create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-key.pem create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client.pem create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.client-ca.json create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.client.json create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.profiles.json create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.server-ca.json create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.server.json create mode 100755 
staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.sh
 create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-ca-key.pem
 create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-ca.pem
 create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-key.pem
 create mode 100644 staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server.pem
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/BUILD b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/BUILD
index 41956d67395e2..c9b4a4cf9853b 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/BUILD
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/BUILD
@@ -12,6 +12,7 @@ go_test(
 "handler_apis_test.go",
 "handler_proxy_test.go",
 ],
+ data = glob(["testdata/**"]),
 embed = [":go_default_library"],
 deps = [
 "//staging/src/k8s.io/apimachinery/pkg/api/equality:go_default_library",
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go
index 95282152b8583..eab1a2844e475 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy_test.go
@@ -586,15 +586,15 @@ func TestGetContextForNewRequest(t *testing.T) {
 // instead it manually calls to updateAPIService and RunOnce to reload the certificate
 func TestProxyCertReload(t *testing.T) {
 // STEP 1: set up a backend server that will require the client certificate
-// this server uses clientCaCrt to validate the client certificate
+// this server uses clientCaCrt() to validate the client certificate
 backendHandler := &targetHTTPHandler{}
 backendServer := httptest.NewUnstartedServer(backendHandler)
-if cert, err := tls.X509KeyPair(backendCertificate, backendKey); err != nil {
+if cert, err := tls.X509KeyPair(backendCertificate(), backendKey()); err != nil {
 t.Fatal(err)
 } else {
 caCertPool := x509.NewCertPool()
 // we're testing this while enabling MTLS
-caCertPool.AppendCertsFromPEM(clientCaCrt)
+caCertPool.AppendCertsFromPEM(clientCaCrt())
 backendServer.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: caCertPool}
 }
 backendServer.StartTLS()
@@ -606,7 +606,7 @@ func TestProxyCertReload(t *testing.T) {
 serviceResolver: &mockedRouter{destinationHost: backendServer.Listener.Addr().String()},
 }
 certFile, keyFile, dir := getCertAndKeyPaths(t)
-writeCerts(certFile, keyFile, backendCertificate, backendKey, t)
+writeCerts(certFile, keyFile, backendCertificate(), backendKey(), t)
 defer func() {
 if err := os.RemoveAll(dir); err != nil {
@@ -630,7 +630,7 @@ func TestProxyCertReload(t *testing.T) {
 Service: &apiregistration.ServiceReference{Name: "test-service2", Namespace: "test-ns", Port: pointer.Int32Ptr(443)},
 Group: "foo",
 Version: "v1",
-CABundle: backendCaCertificate, // used to validate backendCertificate
+CABundle: backendCaCertificate(), // used to validate backendCertificate()
 },
 Status: apiregistration.APIServiceStatus{
 Conditions: []apiregistration.APIServiceCondition{
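Review bot: In the STEP 1 hunk the boolean returned by `caCertPool.AppendCertsFromPEM(clientCaCrt())` is still discarded, and now that the CA is read from a file at runtime a missing or malformed testdata/client-ca.pem would leave the pool empty and surface only as an opaque TLS handshake failure in STEP 3. Fail at the source instead: `if !caCertPool.AppendCertsFromPEM(clientCaCrt()) { t.Fatal("failed to parse client CA from testdata/client-ca.pem") }`. The neighbouring `tls.X509KeyPair(backendCertificate(), backendKey())` branch already follows that pattern with t.Fatal. TestProxyCertReload's body continues past the end of this hunk.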
@@ -655,8 +655,8 @@ func TestProxyCertReload(t *testing.T) {
 }
 // STEP 3: swap the certificate used by the aggregator to auth against the backend server and verify the request passes
-// note that this step uses the certificate that can be validated by the backend server with clientCaCrt
-writeCerts(certFile, keyFile, clientCert, clientKey, t)
+// note that this step uses the certificate that can be validated by the backend server with clientCaCrt()
+writeCerts(certFile, keyFile, clientCert(), clientKey(), t)
 err = certProvider.RunOnce()
 if err != nil {
 t.Fatalf("Expected no error when refreshing dynamic certs, got %v", err)
@@ -691,186 +691,23 @@ func writeCerts(certFile, keyFile string, certContent, keyContent []byte, t *tes
 }
 }
+func readTestFile(filename string) []byte {
+ data, err := ioutil.ReadFile("testdata/" + filename)
+ if err != nil {
+ panic(err)
+ }
+ return data
+}
+
 // cert and ca for client auth
-var clientCert = []byte(`-----BEGIN CERTIFICATE-----
-MIIFaDCCA1ACAWUwDQYJKoZIhvcNAQEFBQAwejELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxGDAWBgNVBAoM
-D015IG9yZ2FuaXphdGlvbjEQMA4GA1UECwwHTXkgdW5pdDESMBAGA1UEAwwJbG9j
-YWxob3N0MB4XDTIwMDUyMjA4MTA1MVoXDTIxMDUyMjA4MTA1MVowejELMAkGA1UE
-BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZp
-ZXcxGDAWBgNVBAoMD015IG9yZ2FuaXphdGlvbjEQMA4GA1UECwwHTXkgdW5pdDES
-MBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
-AgEAwdDdguS2eVb950cmuyK/fTEBy+I1OFwPSg6S2zF5v/98Sva87Y/qFBrv1EzY
-usU+OWuH0nnyk14bOGl+imbvk+tdiXr4i8tIY8QnBrUbyNvPwemcRejQQb1P5YX0
-An3BS8vckt1e1zahhyb+Uch/ApLFzv3nOEGg7OTA5vfyNs/OUcaz7XuKrFQipxLA
-wEpPbukI8ThH2uLwiRxWUrLGmOeWocM4JFCk6LaQLWkTzl9WgKTYwzrI24LaUgb6
-0urlUi0bmE8AJRZBdmVCiEapxiHDre8c3CaLh8aF1LQ95ZraF8NZAvMxJvSK0R7I
-05V+eZH+xdBH2n5naLjVuvm96VPbDGlcWRwi+ZKZXAvi6YMNJ5g564u2Nl+eACtd
-9Kg6C9AIU8vSX9WrX4UcwaohQVjxUmHNL6YqHXhltyPdN3coFxDSPyp46x8Y2BIW
-s1x1qnlor5xOOQhYPoIQzMgrgJw6wRLWdIkyP/NOazSwet2i4cpeLD3wgXpuylQp
-Of06WChGN7NRx9JQSA7y6JKJq38jyB4+iNpU7NfkCQQndwvowPUBOSXNAUOgv2Qt
-QEiODhNPsHhSHM6L4xSpwFzh7dDywpPCeb6Fzyp/EslaLiFoEQr2Wc0xM/Xssqa6
-yBjSpATBqP1exQVr7LQn50lf9penN4FOQRZ9k/49DLX1RFUCAwEAATANBgkqhkiG
-9w0BAQUFAAOCAgEAVyFuPhtyDMi8FxD00fqnAxwnr7IyNBwYuQivu7gXKwQ2U9v1
-LSqDxvUft6sDWNUl/2f+Lga3CaVJ7FJL/rOwU5APkD4lcc43UcUv8pN2QAVFUs2h
-8MPEZnM2oHEA3M77Yr1RZUHE24pHsv3Bi0u7w8kPhFb7ebAbfXAHIWkekPejroso
-fOC2W8PXGqCJcpuIrAzIRvu/Ia0Cu4bmSZp4pK4lilgmUCr5LTc3YeNuAvbqco8f
-mhXJ+qR4PYWkldgOdhz7eajKF0JP6R8pQacCTZ5OM1y9tg3yN6BEKus3EojpDtqs
-5cTegj914lnNXI/bod6kqnuMT1sfnt2y8AmUcgD+NMhw6dG6zJI1Jf+01G2q3HCn
-wtB0jPntk1hRepVkLfSvxoMofkjESHSVstYiGRQWQziFq98ei59uW1ZNpP/yVJGb
-I7eM/b3vnFUBX2eypfVyY7+vBCxvgRjmpKnOuhCgm2bla1Ho7XUz1OvGkYfnHM3u -lUiTnAdNXQEf1Y2OjWeHeQeoeJ7gJiwJhMH8yZIierLHDP7FbBSLZ+VZW4Wfe6vT -WJ4no8kkD5ROWBNf0c0dt2uip6dZ5L2zMrqeUrhpy59ZhoZoMP5cmY/sfTzpRzNO -KitvR2SwVL12T6pAkwq3ItdiGZ16x5XrYv22H0jP8R6MCd59Sfnz9wWdY1Q= ------END CERTIFICATE-----`) -var clientKey = []byte(`-----BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEAwdDdguS2eVb950cmuyK/fTEBy+I1OFwPSg6S2zF5v/98Sva8 -7Y/qFBrv1EzYusU+OWuH0nnyk14bOGl+imbvk+tdiXr4i8tIY8QnBrUbyNvPwemc -RejQQb1P5YX0An3BS8vckt1e1zahhyb+Uch/ApLFzv3nOEGg7OTA5vfyNs/OUcaz -7XuKrFQipxLAwEpPbukI8ThH2uLwiRxWUrLGmOeWocM4JFCk6LaQLWkTzl9WgKTY -wzrI24LaUgb60urlUi0bmE8AJRZBdmVCiEapxiHDre8c3CaLh8aF1LQ95ZraF8NZ -AvMxJvSK0R7I05V+eZH+xdBH2n5naLjVuvm96VPbDGlcWRwi+ZKZXAvi6YMNJ5g5 -64u2Nl+eACtd9Kg6C9AIU8vSX9WrX4UcwaohQVjxUmHNL6YqHXhltyPdN3coFxDS -Pyp46x8Y2BIWs1x1qnlor5xOOQhYPoIQzMgrgJw6wRLWdIkyP/NOazSwet2i4cpe -LD3wgXpuylQpOf06WChGN7NRx9JQSA7y6JKJq38jyB4+iNpU7NfkCQQndwvowPUB -OSXNAUOgv2QtQEiODhNPsHhSHM6L4xSpwFzh7dDywpPCeb6Fzyp/EslaLiFoEQr2 -Wc0xM/Xssqa6yBjSpATBqP1exQVr7LQn50lf9penN4FOQRZ9k/49DLX1RFUCAwEA -AQKCAgEAvDSuZaTi7QFknWmiWqZrfI5SSEHpnEkJL8jnIqLwr1jQwZrH64iMrela -arYU34kZ23hn9CMnQ6Nmm2kV0CAVFXbA5ffb0yQbr4WSwBiuWmXZYVwQvHJPiQbk -xuVFBgZH5eqYzqTYq/QI9s0OuSwQ6dbM7yvvk9lnA6M/DwpG0qMInrBtmHcXOjCZ -VdQICLIgYHs6i8MzQ4KMQRibWsLvxxtcUsjXg6wr9y8Q4offC8/YmCN7ulkjIsX2 -ayEMADTJavsSiNxuL5VlDCtYaCz2P8gZ1JUVWVK0u6wz2VENqiCtF9ZCYXL2j/V3 -t4pFSfEpV7RFyqFupOWKVU7nfSF3H6QDTq/3XAm3So8MwaD4Ft/tdMNpOz6+lqC0 -7ukgP2SCzDoEnHzPI5bmRtyTvf3QivedIj+/3Z4hOjiPj1XwUXUitIUFSMg/qW8o -Vctw6uZq4z/p8s/RpE8eR3HYcDx0WrOIsfuI7JpEYV8rHW6qrrkbrBmmjnCwiQcW -2H5HmEixa9DtQxvACESaxgjYvATQVq1vCrCQZNKh52DX0QNT8iCEga1EYtzouO/h -g039+aFtPlFgL4zPjqweGBXjpPOCKM7kznwM4yiuHL5aEc6IQLGSVuQY4Be4X4kp -44VV/c5DDBuxIoqh6kru8gItRNBTZ6AKu9olQjZYXjAq1w0ELAECggEBAOFSaqIm -9ahfIQlj3zvXztqwmW/QHzoFDPoFOpiGJoMHEREJqvWtnoFcmHFhWFjIDQJALsfN -kJc7oDOqUY9STqvkpp4CdwdvLMUJUPC1+rFOQTOv6hADCIe9l34bGQ43x52aEgFr -znwJFYuGzLPRJUdxtWGQbSXppQaua+AdRUSDw2aLp4ngVL57IB2bl4UFo1Qbs22Q 
-WzvD3+T4QggHBPm+ebypkWS8zs+W19HNwTvgJ23CB1EkN/QXKl7KIMuXdH9/XMxn -WULgjGtmIoNIr4a3jgBZrOfnLQU06/fPpVaIVGsl1b45PQmFGSR+Z/uQXx8z4czm -xF69TNg4TRUW9jUCggEBANw0Tot9Ch0GFuCVSadsjIOX6RDVKM61OiJCfvnsE8QR -aWWwZrshDYJ63+jKyJl41dKGK3+aARb7Q4dOsJJzxgx6ROBheV4e4TVmPFvS38Vs -LOO1q9xHHjhxoJxm15apxig5XFBJX3cxfGNq0qEmRZPVTtJYxKHMQKpUuaI54lAV -+ssWz1RDclnQajBbQVu682uYinlpxZkiFRRkexbho3Nr82ngdM5vp5b6ODgqHAfr -yT0hyUgi38EDhiNWnga5GEnE4/UB3CPqPCng+aLORYH+lMeMNsn3Mje0FrA7WbT+ -/3EzTu9yz2gGYEjFLVD+9lvEi0Q3fN07SagO0wi8WaECggEAYwp+Eq57VroR5HXA -3yYaJ6humWZrA27K6G859WcqMHf/uXR9cCYTwRr5awT193hft3iM14h1IPS1k2Av -H4d3SzljP5snxN3KWQWiTVxASIV0RYryoH0k172vhF/W4JgGJzFc7sD7byvzC3SC -MBwjfcbuimcYgwyzXD947XcQRnCAiGekigdQWLX4ROtqa68xvru6X9OPNrL/jD7P -j4W+WyStkA8c+KHBaiAM14zQfkgmLKmX28PG0IUKO8YvKi51p8FNAg//fVUEhATN -8NUXSmkOgvrn9Lt534sGmdPtAh9EtCBaVpYETVXy2kax4DLyjN2aSB27fUVKLNR6 -lWWVbQKCAQAMHbyspCaoTit4E/7HfYuFuhgS2wexx/r445vE+J5lzWd1Nu2QIlNx -+HzVfELpXuK1ALjn/ntM3mpqyYOhq0kcaqXbisF40k4l+AgeLU4uuLMHnHlmV2ts -Q6RItsfp/FFw6ScRK9ha4JgtiDUqtMZjSftaS5QWKvzr4lmMeY7gRTVVc13ZDxT9 -qCAPpRXFjFXUd8I2yAEdWei7BIRZT/UEZs4v5y/GJBKelgn93SNJtEmQWYmPtIuH -PUBmNV/gktKpTHIWixGn0D2bOEvED4F3k6BwEmD5X+addgVBkSJweQ9pFR+kwTZ0 -TNWDa4YAzOaVSg03pa3zJk35N0eZVXPBAoIBAQCQNH0bvCY0L5Lq+UnNi/PLES54 -8CCY5UjQ7wzEny50aILlkHzHi/zm1u1M2sWtrPUYMt+Hiwo/Np+Zu77P+zdRZeLR -C/ngI7FRQi2SvarptxVzFg5w8hO63dga7tVO+kQ3nENivgxtPEkrF2WLCJXzx8uy -d3t0IfoOsKMLLR9UwvyzrEf2Z3c75WIIn/ii51zcEuoqttZ82Wdz+O7WZGK5XG3o -lVVu0HK225ml5vsKZjdAUHwS/M6cTnQcN+YxfGWFy+6o9pG9L9hjfpNxXbB0iNsR -crX83p28+Mnq5TGs0Kbvr9lnCNe9bGrqbl85rBvKRFRoDlfB2feo5hk02Bpe ------END RSA PRIVATE KEY-----`) -var backendCertificate = []byte(`-----BEGIN CERTIFICATE----- -MIIDiDCCAnCgAwIBAgIUJgFO0eypsogvehekMVrJ/eXj1MYwDQYJKoZIhvcNAQEL -BQAwXDELMAkGA1UEBhMCeHgxCjAIBgNVBAgMAXgxCjAIBgNVBAcMAXgxCjAIBgNV -BAoMAXgxCjAIBgNVBAsMAXgxCzAJBgNVBAMMAmNhMRAwDgYJKoZIhvcNAQkBFgF4 -MB4XDTIwMDcyMzE5NTEwMFoXDTI1MDcyMjE5NTEwMFowJDEiMCAGA1UEAxMZdGVz 
-dC1zZXJ2aWNlMi50ZXN0LW5zLnN2YzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBAPSmCdoH7RzBeGaGBGqBOV1I4Ex2Da2kUCPVeNfW3mPpJTUVi+QLwSDS -YTLnyw9tHRQgwV+rU1GTJSpcEk6CpiYdMavGnyH0C0iXKqXeJDfbU19ioUIInMxG -OkfcL98fWgj/mih52zjBIh5f9Q7gCmzH6di4zXMQODTiDhrcjPzmMtMPvRJs+kol -4Hh+tWH3s/hOeqiaWpw01UKis181SdEgX2uwNJYdHBbKF390vVIx/qpcFKUAw9to -CviyRMKv+DAK0jBoAsQVIU1Kt4reUrWyzonyO2wUrJmmFs997O04exkNlmFKa+bV -cA8DtBhX4hTMKRFIAaYb4Kh5v5Pg0l0CAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgWg -MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFIe3 -Cry9ZA6zIWMvikdBZwBVprNzMCQGA1UdEQQdMBuCGXRlc3Qtc2VydmljZTIudGVz -dC1ucy5zdmMwDQYJKoZIhvcNAQELBQADggEBACg/8So7bv3e2UxL6TDAK43IV7lR -N+fIdkrxboiJY9XH7lPK4Cm7gNmxjzzlBeCbBRBNRrcbk4BoBRrDXMi2W13dtLE4 -jmGPke7MFu6C9J26GrfiIchMyZAgFTGOucs1SOXr5hoaOnLkm9H3ZlkhWgIf/EUX -B4WEHdxKZCYTlUoPFsfcZ3vImo2zhelo5RyG+P8aACc1V7cSaDbZ6CHEdTsP2E70 -9DKQHfkRr4MgrngoYiIZyj3IHK2kWnavLo0/XxBeoNVeenOrfmZAJ6QDSFAvTpMN -wWcx3Aj9jkGT+Cam2dvHFA+QaCni2uzOXlTyjLWwTjhc+Ml7FAL2Lc7U07c= ------END CERTIFICATE-----`) -var backendKey = []byte(`-----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA9KYJ2gftHMF4ZoYEaoE5XUjgTHYNraRQI9V419beY+klNRWL -5AvBINJhMufLD20dFCDBX6tTUZMlKlwSToKmJh0xq8afIfQLSJcqpd4kN9tTX2Kh -QgiczEY6R9wv3x9aCP+aKHnbOMEiHl/1DuAKbMfp2LjNcxA4NOIOGtyM/OYy0w+9 -Emz6SiXgeH61Yfez+E56qJpanDTVQqKzXzVJ0SBfa7A0lh0cFsoXf3S9UjH+qlwU -pQDD22gK+LJEwq/4MArSMGgCxBUhTUq3it5StbLOifI7bBSsmaYWz33s7Th7GQ2W -YUpr5tVwDwO0GFfiFMwpEUgBphvgqHm/k+DSXQIDAQABAoIBAGzU2BkX4ZEjN85T -2+8NIVmwK6eX9KnEKKpoMmPCABhuBNFCjoKaAAX70KV2m8x2+7KSh7NpYZ0uWiAn -6TTnxcW6wvfpWa0fBU37gUtcMLxwYvxRwe7AKhBtRUvmVZ1qMwFBw3AyFSWANQ9S -HI/LdpfBrvNr8mk3U+mijifA6S8u0co/QwlHmh1fRzLruP6VrTIAVs67+JvkKMBw -O3hxF/ImTIR8YwlPx4ckP4OXSftLTYKFVxDZBHtxyT5ED5GLx7nCPossL9mRpAYU -XLje+5K4UNoLSFu9SaSZbBUDqbsSUsyJTWX1J+AYEThPUywV9lVBBtUj8JKOQ9kr -i+Nt8HkCgYEA9o0WH97Orn/iyxe6KgbIGKPS46tcFGYAIgNTMEaeegfBIrg7kah3 -NV84d/Im3lYShCjGrnuoOHY2Wz4/a0DCbf+bgJWB/ZHpE00z+gBjfPE94as7wxC2 -TO4HYg5kiy3b1RKaXWvOBrQ5fpZvdYo5WjWweNF6rTCanVPH5g7fenMCgYEA/gZJ 
-THt54MJdUOTBR1GS3l3da4yYJPNgRAFBdp8FRc8u0CTYTfLo0oNFfJHu+F/Ph5dj -VWxhA+as+4rqJi+w8KZCCp/8LKjlJKzcCpv93E2UxM7e6WTa7Z/TmLi97i8FI39c -62B8XJTVW/IRTqojW0noY62FqYrIWZ8ymrWnO+8CgYBVp044ZD+JgARaajPSxehe -Jwvs7Gtg6s7BAka0TtRfsLH4TejkAZLoh9wmT4oRU/W61C+yDmOyud7IdCe0Kxtg -+5waX9Z5MWe3vOqBwADQNz84VzS73+J1d3w5JKbpc1UcAQp/yiQZUCNpRvoR66Nh -I6XbU2s7H9eXMLQRyLj64QKBgQCSZfkUdQ0Wta2mE1A41BB6y0ny08JTeVf/mWGr -BZa6Vt854iIvOlFoEXOYiVpaFo26LUt4Tc/Tubvz9GlhvJaS+p6RFQb2jhgRfPYL -vz8dGjElA7yAcjmiPTxrhf0gKkUh4iMhHChQCw6zwNyso21hDUU7PSQNRAiXbiJx -+0L4TQKBgQDyAry0K7dTbEmsacFpHsxqE/F0O2tmFE0WzrDkKkjVu38jshMhDu5D -1X179FWkKL6dYrFdig5SHBM2T3Yjha6VF7o1apYqj5HoVhS/mz80xXCqUBVrg88v -aOz9qqvSZQDZYwbOfr/vLMvJMp4M5gWWdxgaqoteLo1dQU20cYwlqA== ------END RSA PRIVATE KEY-----`) -var backendCaCertificate = []byte(`-----BEGIN CERTIFICATE----- -MIIDNDCCAhwCCQD9J4txHjsBLTANBgkqhkiG9w0BAQsFADBcMQswCQYDVQQGEwJ4 -eDEKMAgGA1UECAwBeDEKMAgGA1UEBwwBeDEKMAgGA1UECgwBeDEKMAgGA1UECwwB -eDELMAkGA1UEAwwCY2ExEDAOBgkqhkiG9w0BCQEWAXgwHhcNMjAwNzIzMTk1NjA3 -WhcNMjEwNzIzMTk1NjA3WjBcMQswCQYDVQQGEwJ4eDEKMAgGA1UECAwBeDEKMAgG -A1UEBwwBeDEKMAgGA1UECgwBeDEKMAgGA1UECwwBeDELMAkGA1UEAwwCY2ExEDAO -BgkqhkiG9w0BCQEWAXgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDu -lMNXqY4D9EhgkDrKYcQD+Qai0rSWXSx2u28NCsQ36oR+J6UocSA1+0aFnZHo2s2P -sRndP1/AqEELpYl4XtAqrDUrhgH0KuvlIIp0LLDGLoJaOvv89VnNyuqSg4KtkGNZ -leiEBOUk7vITQkWtt3+QNVZPx/lMWUjI8QCvtaVKNcd7C9P6HCTuSbfkkHUdLLwM -Ud1zp6T/YHFxGGNtN0XDMapQJid4pfQF4vj89H5JT4GArOgUTEDfkVy7Go5/1F8I -X5sG9WbCLcClfPAHFZNM1igTMVEau0uF6wkL3UIBImyExFEwgN3HT88kIVN+tZSZ -n7bEnx9uWQKExZNOwf6TAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAH5dU7u4+RRD -C3nodTMJjd4UD7kdO2Stp9sLsPsbFhWQGpW10J0v+m7+ISgxOfbpNU9NI3dlDsCo -h4sG4MYfJio28r7ohkbzgBc3xKpLKK54XvPFhmrUiHccJT0PV6F3MJyBCn1Bxdya -+phcQapwRda/ytrqV5Xf55Od1n9plPnl+eV89teBV8qpd/cufIiFPeO8zhHI3wfh -AUbPo2yBwdFXKZxLo5rR3yTlJBkRjfodHNTcJffio2fEzPQumP+qCkHWx37aR3kW -9iRvhus3UcCluc76CrV2XJvXzgbXjU0YBDqRmiShVCGm+eTftq1v9wDLRhgadxPu -RzFJLb91brg= ------END CERTIFICATE-----`) -var clientCaCrt = 
[]byte(`-----BEGIN CERTIFICATE----- -MIIFcDCCA1gCCQDgTBDe5gjLSDANBgkqhkiG9w0BAQsFADB6MQswCQYDVQQGEwJV -UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEY -MBYGA1UECgwPTXkgb3JnYW5pemF0aW9uMRAwDgYDVQQLDAdNeSB1bml0MRIwEAYD -VQQDDAlsb2NhbGhvc3QwHhcNMjAwNTIyMDczNTQxWhcNMzAwNTIwMDczNTQxWjB6 -MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91 -bnRhaW4gVmlldzEYMBYGA1UECgwPTXkgb3JnYW5pemF0aW9uMRAwDgYDVQQLDAdN -eSB1bml0MRIwEAYDVQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4IC -DwAwggIKAoICAQCj89Np0QeBHn6pyDUrzd45Ow9oHTBgvrDAmhND0i+WkcoDAOrX -V4W6aNLibM/5stR7PRwl93cwkLawE84YHevH7/69EeTjYqIUUTF/Otxh+qTZMDUu -Z3hcW7Pu/JnfHbmliR+ci4kr7KkVAYHJtT9DcyWAs5KUudPGKpQprVKtnJ04J/hV -gDrZbBVKU/N7Ik0ta0MWy97LegbRaGrcY/h7ICoaeMDL0UGU8b61tUCVObmhAnM6 -jK6xk/PtMk2d4we3yIWhowrGbp8vxN25WtFXIvJfyrrLFvpsl1f/dLwOzxU8RIt0 -soXkF5ig6BkjzXtG+WM8ZHBGgL1salP6B0IhLjIjsyZVNORyRJEn0SxDnVKtYLuO -tjcDZb1Ij/KzWdyXCMD8uJECO9z1Zt2kCfsZDjCal+nyas9Otn3djERaGaaQZd1q -oL/ioQSTgRhHO3Jx721YaetfM5Bf4h/xGIZlR0wsUPM86rN3s5LcN01C8MLMt3op -l5ECQE4zlCq2j7EZwlTcq7B5onwUDqQYImD/AHIaOMAeAxHCfeGAl9t+84pnd9iU -BG3XnaSdrhJJApK7Pa7peu7FDaeAkl71VQW0URHjCedCHNdqk1pbsCJMKfpMuRWp -LldTG83/bCyuNsku8rkKmkY25MSt80EpyYxg0ZfP2GqSX9+wbH67EJlEfQIDAQAB -MA0GCSqGSIb3DQEBCwUAA4ICAQAqaCc/LkDdJq/QS27qhCKEI885ZYOHuk8N64G6 -7Mfk6YhkSf5/Ln4qwP0f4HJCgupRMRLFs96qIh2HeEvytQk/xd8j111BHBUmjx3E -tS271x6PTkwkHa5j7kxE85b/wnUjVZ58NKccstp/Ub/ajssPdS7Ohzm0DGTjktja -Bavju5Q3fyBl4OmICOVDqIVBqNUfszesBtW9QcSgW7VcL2X+5/H/tu2YYnJG8IXp -v4uJRZ2rimhQZFFvcihCMN6wR7M5hqDPyffloHy+tFYFNd+Wc+RHU/DU2i83ySa/ -BwRD5J8iTHplDFosCo1u6EoALWQx/WM/l4E9P895LFFoF/8tvHUeLAQXjUbqEPUq -sbHlhZK18vxYUu/n+OtRdHDimjjoEWZHgoUNnNardukcLdGvk2dbmWltd8NA+kjh -e88NQn5x5mKUfENtK/GYKN4duguR6mOKlKBuobLcjeplnrHcRoWsvYOPJr0L9Ki3 -F1XEUPu0NgZyx5kTX3znm+7UV/W1rZeRppHSeqVfwHE+N2FEds65rMF1sEvw3fZv -mwAA1eyVJXIGum9MHf9XAgjjyubtwzPdCE6NQ9nYBuXr6sAqZx6irTHrtHl7zmbJ -St3GLAs3qHVMa6Va1imhvInbV6m9CauCbt4vAs6xVtR/jIaq1NKHP63f+bHp8hhK -4ulSKQ== ------END CERTIFICATE-----`) +func 
clientCert() []byte { return readTestFile("client.pem") }
+
+func clientKey() []byte { return readTestFile("client-key.pem") }
+
+func backendCertificate() []byte { return readTestFile("server.pem") }
+
+func backendKey() []byte { return readTestFile("server-key.pem") }
+
+func backendCaCertificate() []byte { return readTestFile("server-ca.pem") }
+
+func clientCaCrt() []byte { return readTestFile("client-ca.pem") }
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/README.md b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/README.md
new file mode 100644
index 0000000000000..a78ddfbd05a3f
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/README.md
@@ -0,0 +1 @@
+Keys in this directory are generated for testing purposes only.
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-ca-key.pem b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-ca-key.pem
new file mode 100644
index 0000000000000..7f0d60b58c72c
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-ca-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHM3EPGDat3kZv4DmyI6X0k6gHGP9JSS3R9t0sCvcj1coAoGCCqGSM49
+AwEHoUQDQgAEA4QqivypLZVLaoFYAS0UWyfyNRSXRtgMWEabvsoHO31CRa2ZS3m8
+glOQ21aLysVdF6vAP31O9fqysuGMm0UI7w==
+-----END EC PRIVATE KEY-----
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-ca.pem b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-ca.pem
new file mode 100644
index 0000000000000..589af4bfdeaa8
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-ca.pem
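Review bot: `readTestFile` reports a missing or unreadable fixture with `panic(err)`, which takes down the whole test binary with a stack trace instead of failing TestProxyCertReload with the offending path; since the six accessors are only called from inside that test, threading `testing.TB` through them and using `t.Fatalf` gives a clearer failure, as sketched below. The helper also deserves a comment that the relative `testdata/` path relies on `go test` running with the package directory as its working directory (the BUILD hunk adds the Bazel `data` glob for the same reason). If the module already targets Go 1.16 or later, `os.ReadFile` can replace the deprecated `ioutil.ReadFile`, though that is optional. The hunk starts inside writeCerts, whose body is outside this view.
```go
// readTestFile loads a PEM fixture from ./testdata; the relative path assumes the
// test runs with the package directory as its working directory (go test does this).
func readTestFile(t testing.TB, filename string) []byte {
	t.Helper()
	data, err := ioutil.ReadFile("testdata/" + filename)
	if err != nil {
		t.Fatalf("reading test fixture testdata/%s: %v", filename, err)
	}
	return data
}

// cert and ca for client auth
func clientCert(t testing.TB) []byte { return readTestFile(t, "client.pem") }
// … unchanged apart from the added t parameter: clientKey, backendCertificate, backendKey, backendCaCertificate, clientCaCrt …
```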
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbTCCARSgAwIBAgIUDMmq4/Gw2N1o5TWBLWsm65RiVkIwCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAxMJQ2xpZW50LUNBMCAXDTIxMDUyMjIzNTIwMFoYDzIxMjEwNDI4
+MjM1MjAwWjAUMRIwEAYDVQQDEwlDbGllbnQtQ0EwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQDhCqK/KktlUtqgVgBLRRbJ/I1FJdG2AxYRpu+ygc7fUJFrZlLebyC
+U5DbVovKxV0Xq8A/fU71+rKy4YybRQjvo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUaDl2pG6N7NoORQjpHprKDSOL8+0wCgYI
+KoZIzj0EAwIDRwAwRAIgbS1tdj6El37kUwF9yZDXKfjLUlRBBLmIYhP0mdui6/AC
+IB4F/weuM/6IjCdcPJRxvdC7qjCdV0xnFqvQ+BhuUGSF
+-----END CERTIFICATE-----
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-key.pem b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-key.pem
new file mode 100644
index 0000000000000..c690227c2d06c
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJVbghSTWVClgCMEMWHf4Z5QRHplGl3OZzNvvYVc1hVLoAoGCCqGSM49
+AwEHoUQDQgAEI7HyyXMDVAU8o3kQpInG+Ec1mCELWJrKz2owv0jONgc7dkDjKHuP
+7UkDuKGrUpS2MW0UkqajJAODEUwSF1wH5A==
+-----END EC PRIVATE KEY-----
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client.pem b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client.pem
new file mode 100644
index 0000000000000..494d4b757a12f
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/client.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBoTCCAUegAwIBAgIUci8u0GG5LGSaykYqdgYL9ZIO/v4wCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAxMJQ2xpZW50LUNBMCAXDTIxMDUyMjIzNTIwMFoYDzIxMjEwNDI4
+MjM1MjAwWjAUMRIwEAYDVQQDEwlNeSBDbGllbnQwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQjsfLJcwNUBTyjeRCkicb4RzWYIQtYmsrPajC/SM42Bzt2QOMoe4/t
+SQO4oatSlLYxbRSSpqMkA4MRTBIXXAfko3UwczAOBgNVHQ8BAf8EBAMCBaAwEwYD
+VR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUaS3acr6g
+cfHE/zty3M0nd9aDo30wHwYDVR0jBBgwFoAUaDl2pG6N7NoORQjpHprKDSOL8+0w
+CgYIKoZIzj0EAwIDSAAwRQIhAPjuVM2rWOhyzfRqAAdn8a/LJxjLf1+bjrb/cyT4
+h0LbAiBE8MY0gARwVYoRgYmVMXyewwjW+SVu+y8+kQv7uCFJzg==
+-----END CERTIFICATE-----
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.client-ca.json b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.client-ca.json
new file mode 100644
index 0000000000000..986ffcc0f8c6b
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.client-ca.json
@@ -0,0 +1,6 @@
+{
+ "CN": "Client-CA",
+ "ca": {
+ "expiry": "876000h"
+ }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.client.json b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.client.json
new file mode 100644
index 0000000000000..17b45773c639f
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.client.json
@@ -0,0 +1,3 @@
+{
+ "CN": "My Client"
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.profiles.json b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.profiles.json
new file mode 100644
index 0000000000000..902369caaaf78
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.profiles.json
@@ -0,0 +1,22 @@
+{
+ "signing": {
+ "profiles": {
+ "client": {
+ "expiry": "876000h",
+ "usages": [
+ "signing",
+ "key encipherment",
+ "client auth"
+ ]
+ },
+ "server": {
+ "expiry": "876000h",
+ "usages": [
+ "signing",
+ "key encipherment",
+ "server auth"
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.server-ca.json b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.server-ca.json
new file mode 100644
index 0000000000000..f5257ffbb3171
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.server-ca.json
@@ -0,0 +1,6 @@
+{
+ "CN": "Server-CA",
+ "ca": {
+ "expiry": "876000h"
+ }
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.server.json b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.server.json
new file mode 100644
index 0000000000000..73662bec73ec8
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.server.json
@@ -0,0 +1,4 @@
+{
+ "CN": "test-service2.test-ns.svc",
+ "hosts": ["test-service2.test-ns.svc"]
+}
\ No newline at end of file
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.sh b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.sh
new file mode 100755
index 0000000000000..4aab6e4e2bec1
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/generate.sh
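Review bot: Both profiles in generate.profiles.json request `"key encipherment"`, yet every committed key file is an `EC PRIVATE KEY` (cfssl's default is ECDSA P-256), and keyEncipherment is an RSA-only key-usage bit that is not among the usages RFC 5480 lists for EC public keys. Go's TLS stack does not enforce key usage here, so the fixtures work, but the profiles would describe the keys accurately with just `"signing"` plus `"client auth"` or `"server auth"`. JSON cannot carry a comment, so the one thing worth recording — that the `876000h` expiry repeated across the four generate.*.json files is a deliberate 100-year validity chosen so these fixtures do not expire again — belongs in README.md or at the top of generate.sh.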
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+cfssl gencert -initca generate.client-ca.json | cfssljson -bare client-ca
+cfssl gencert -initca generate.server-ca.json | cfssljson -bare server-ca
+
+cfssl gencert -ca client-ca.pem -ca-key client-ca-key.pem -config generate.profiles.json --profile=client generate.client.json | cfssljson -bare client
+cfssl gencert -ca server-ca.pem -ca-key server-ca-key.pem -config generate.profiles.json --profile=server generate.server.json | cfssljson -bare server
+
+rm ./*.csr
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-ca-key.pem b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-ca-key.pem
new file mode 100644
index 0000000000000..91b2b4e6f3341
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-ca-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIBoMWQC4K4Vp/wKA7yHBVWgjV69lpGhAZZAAcsf8osUVoAoGCCqGSM49
+AwEHoUQDQgAEPwxv8IjkfU5AivcK0IiurHL9H6EiGh+zZ0S8r+PBW0DXFPXcAjQc
+tE8gVHu3fp90y1JVTriaxriU/x8Lbrp8ZA==
+-----END EC PRIVATE KEY-----
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-ca.pem b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-ca.pem
new file mode 100644
index 0000000000000..4b203f3e3b961
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-ca.pem
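Review bot: generate.sh runs its four cfssl pipelines without `set -o errexit -o nounset -o pipefail`, so if `cfssl gencert` fails (for example because cfssl is not installed) `cfssljson -bare` still runs on empty input and the final `rm ./*.csr` executes regardless, leaving partially regenerated or mismatched fixtures behind with exit status 0; other Kubernetes hack scripts set all three options immediately after the license header. The relative file names also assume the caller's working directory is this testdata directory, so `cd "$(dirname "${BASH_SOURCE[0]}")"` before the first cfssl line would make the script runnable from anywhere. A header comment such as `# Regenerates the test CA/leaf certificates; requires cfssl and cfssljson, commit the resulting *.pem files.` would tell the next maintainer what the script is for without reading the pipelines.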
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBbzCCARSgAwIBAgIUf0aG2C1P7KaDGobg9oeN3uhQlu4wCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAxMJU2VydmVyLUNBMCAXDTIxMDUyMjIzNTIwMFoYDzIxMjEwNDI4
+MjM1MjAwWjAUMRIwEAYDVQQDEwlTZXJ2ZXItQ0EwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQ/DG/wiOR9TkCK9wrQiK6scv0foSIaH7NnRLyv48FbQNcU9dwCNBy0
+TyBUe7d+n3TLUlVOuJrGuJT/Hwtuunxko0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUjcdIlU1vGLSUWBcSqCEJTgqlSacwCgYI
+KoZIzj0EAwIDSQAwRgIhAIujFeJKprddp+9aCZZUv05jCS5JiopW2bn/FJJRQ6OK
+AiEA1NS6trAbfgk6vYS2D2vamuF4XC9LggyxbcoaMf+GAn4=
+-----END CERTIFICATE-----
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-key.pem b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-key.pem
new file mode 100644
index 0000000000000..4d12d1ada76fb
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFizWdUWI/ggduZByisCOjPljfUq/f++RwQl0scxeOU/oAoGCCqGSM49
+AwEHoUQDQgAEvw23SM/msE+rsXx919gkNM+A7HBJ99YXqvsV0zRd6ykiQV5rszGw
+DHF/3sKTbb38eLcF/sORWVEFc4+QqnZLkw==
+-----END EC PRIVATE KEY-----
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server.pem b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server.pem
new file mode 100644
index 0000000000000..e1711daa6c776
--- /dev/null
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/testdata/server.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB2jCCAX+gAwIBAgIUKcO5RlFpX+/7Ed5WR/kqFtuOjJswCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAxMJU2VydmVyLUNBMCAXDTIxMDUyMjIzNTIwMFoYDzIxMjEwNDI4
+MjM1MjAwWjAkMSIwIAYDVQQDExl0ZXN0LXNlcnZpY2UyLnRlc3QtbnMuc3ZjMFkw
+EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvw23SM/msE+rsXx919gkNM+A7HBJ99YX
+qvsV0zRd6ykiQV5rszGwDHF/3sKTbb38eLcF/sORWVEFc4+QqnZLk6OBnDCBmTAO
+BgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIw
+ADAdBgNVHQ4EFgQUkDkrXrpDB9jRA2CnWRAbb4GZWdgwHwYDVR0jBBgwFoAUjcdI
+lU1vGLSUWBcSqCEJTgqlSacwJAYDVR0RBB0wG4IZdGVzdC1zZXJ2aWNlMi50ZXN0
+LW5zLnN2YzAKBggqhkjOPQQDAgNJADBGAiEAt/gcJpu0+whAUjTvkcS1zwnaLjuY
+nij9Q+UNkxle7UICIQDmyixha4e/2gufANiSeYKu9IzSJ6vyRgvbAlZ0ihAsOA==
+-----END CERTIFICATE-----