Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
cb21560b
Commit
cb21560b
authored
Jul 24, 2018
by
Dylan Griffith
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Ensure CA + Tiller cert never expire and Helm client cert expires quickly
parent
039a8ebd
Changes
8
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
51 additions
and
6 deletions
+51
-6
app/models/clusters/applications/helm.rb
app/models/clusters/applications/helm.rb
+3
-3
lib/gitlab/kubernetes/helm/certificate.rb
lib/gitlab/kubernetes/helm/certificate.rb
+6
-3
spec/lib/gitlab/kubernetes/helm/certificate_spec.rb
spec/lib/gitlab/kubernetes/helm/certificate_spec.rb
+27
-0
spec/models/clusters/applications/helm_spec.rb
spec/models/clusters/applications/helm_spec.rb
+3
-0
spec/models/clusters/applications/ingress_spec.rb
spec/models/clusters/applications/ingress_spec.rb
+3
-0
spec/models/clusters/applications/jupyter_spec.rb
spec/models/clusters/applications/jupyter_spec.rb
+3
-0
spec/models/clusters/applications/prometheus_spec.rb
spec/models/clusters/applications/prometheus_spec.rb
+3
-0
spec/models/clusters/applications/runner_spec.rb
spec/models/clusters/applications/runner_spec.rb
+3
-0
No files found.
app/models/clusters/applications/helm.rb
View file @
cb21560b
...
@@ -31,8 +31,7 @@ module Clusters
...
@@ -31,8 +31,7 @@ module Clusters
end
end
def
issue_cert
def
issue_cert
ca_cert_obj
ca_cert_obj
.
issue
.
issue
end
end
def
set_initial_status
def
set_initial_status
...
@@ -42,7 +41,8 @@ module Clusters
...
@@ -42,7 +41,8 @@ module Clusters
end
end
def
install_command
def
install_command
tiller_cert
=
issue_cert
tiller_cert
=
ca_cert_obj
.
issue
(
expires_in:
Gitlab
::
Kubernetes
::
Helm
::
Certificate
::
INFINITE_EXPIRY
)
Gitlab
::
Kubernetes
::
Helm
::
InitCommand
.
new
(
Gitlab
::
Kubernetes
::
Helm
::
InitCommand
.
new
(
name:
name
,
name:
name
,
files:
{
files:
{
...
...
lib/gitlab/kubernetes/helm/certificate.rb
View file @
cb21560b
...
@@ -2,6 +2,9 @@ module Gitlab
...
@@ -2,6 +2,9 @@ module Gitlab
module
Kubernetes
module
Kubernetes
module
Helm
module
Helm
class
Certificate
class
Certificate
INFINITE_EXPIRY
=
1000
.
years
SHORT_EXPIRY
=
30
.
minutes
attr_reader
:key
,
:cert
attr_reader
:key
,
:cert
def
key_string
def
key_string
...
@@ -27,7 +30,7 @@ module Gitlab
...
@@ -27,7 +30,7 @@ module Gitlab
cert
=
OpenSSL
::
X509
::
Certificate
.
new
cert
=
OpenSSL
::
X509
::
Certificate
.
new
cert
.
subject
=
cert
.
issuer
=
OpenSSL
::
X509
::
Name
.
parse
(
subject
)
cert
.
subject
=
cert
.
issuer
=
OpenSSL
::
X509
::
Name
.
parse
(
subject
)
cert
.
not_before
=
Time
.
now
cert
.
not_before
=
Time
.
now
cert
.
not_after
=
Time
.
now
+
365
*
24
*
60
*
60
cert
.
not_after
=
INFINITE_EXPIRY
.
from_now
cert
.
public_key
=
public_key
cert
.
public_key
=
public_key
cert
.
serial
=
0x0
cert
.
serial
=
0x0
cert
.
version
=
2
cert
.
version
=
2
...
@@ -44,7 +47,7 @@ module Gitlab
...
@@ -44,7 +47,7 @@ module Gitlab
new
(
key
,
cert
)
new
(
key
,
cert
)
end
end
def
issue
def
issue
(
expires_in:
SHORT_EXPIRY
)
key
=
OpenSSL
::
PKey
::
RSA
.
new
(
4096
)
key
=
OpenSSL
::
PKey
::
RSA
.
new
(
4096
)
public_key
=
key
.
public_key
public_key
=
key
.
public_key
...
@@ -54,7 +57,7 @@ module Gitlab
...
@@ -54,7 +57,7 @@ module Gitlab
cert
.
subject
=
OpenSSL
::
X509
::
Name
.
parse
(
subject
)
cert
.
subject
=
OpenSSL
::
X509
::
Name
.
parse
(
subject
)
cert
.
issuer
=
self
.
cert
.
subject
cert
.
issuer
=
self
.
cert
.
subject
cert
.
not_before
=
Time
.
now
cert
.
not_before
=
Time
.
now
cert
.
not_after
=
Time
.
now
+
365
*
24
*
60
*
60
cert
.
not_after
=
expires_in
.
from_now
cert
.
public_key
=
public_key
cert
.
public_key
=
public_key
cert
.
serial
=
0x0
cert
.
serial
=
0x0
cert
.
version
=
2
cert
.
version
=
2
...
...
spec/lib/gitlab/kubernetes/helm/certificate_spec.rb
0 → 100644
View file @
cb21560b
require
'spec_helper'
describe
Gitlab
::
Kubernetes
::
Helm
::
Certificate
do
describe
'.generate_root'
do
subject
{
described_class
.
generate_root
}
it
'should generate a root CA that expires a long way in the future'
do
expect
(
subject
.
cert
.
not_after
).
to
be
>
999
.
years
.
from_now
end
end
describe
'#issue'
do
subject
{
described_class
.
generate_root
.
issue
}
it
'should generate a cert that expires soon'
do
expect
(
subject
.
cert
.
not_after
).
to
be
<
60
.
minutes
.
from_now
end
context
'passing in INFINITE_EXPIRY'
do
subject
{
described_class
.
generate_root
.
issue
(
expires_in:
described_class
::
INFINITE_EXPIRY
)
}
it
'should generate a cert that expires a long way in the future'
do
expect
(
subject
.
cert
.
not_after
).
to
be
>
999
.
years
.
from_now
end
end
end
end
spec/models/clusters/applications/helm_spec.rb
View file @
cb21560b
...
@@ -43,6 +43,9 @@ describe Clusters::Applications::Helm do
...
@@ -43,6 +43,9 @@ describe Clusters::Applications::Helm do
expect
(
subject
.
files
[
:'cert.pem'
]).
to
be_present
expect
(
subject
.
files
[
:'cert.pem'
]).
to
be_present
expect
(
subject
.
files
[
:'key.pem'
]).
to
be_present
expect
(
subject
.
files
[
:'key.pem'
]).
to
be_present
cert
=
OpenSSL
::
X509
::
Certificate
.
new
(
subject
.
files
[
:'cert.pem'
])
expect
(
cert
.
not_after
).
to
be
>
999
.
years
.
from_now
end
end
end
end
end
end
spec/models/clusters/applications/ingress_spec.rb
View file @
cb21560b
...
@@ -108,6 +108,9 @@ describe Clusters::Applications::Ingress do
...
@@ -108,6 +108,9 @@ describe Clusters::Applications::Ingress do
expect
(
subject
[
:'cert.pem'
]).
to
be_present
expect
(
subject
[
:'cert.pem'
]).
to
be_present
expect
(
subject
[
:'key.pem'
]).
to
be_present
expect
(
subject
[
:'key.pem'
]).
to
be_present
cert
=
OpenSSL
::
X509
::
Certificate
.
new
(
subject
[
:'cert.pem'
])
expect
(
cert
.
not_after
).
to
be
<
60
.
minutes
.
from_now
end
end
end
end
end
end
spec/models/clusters/applications/jupyter_spec.rb
View file @
cb21560b
...
@@ -53,6 +53,9 @@ describe Clusters::Applications::Jupyter do
...
@@ -53,6 +53,9 @@ describe Clusters::Applications::Jupyter do
expect
(
subject
[
:'cert.pem'
]).
to
be_present
expect
(
subject
[
:'cert.pem'
]).
to
be_present
expect
(
subject
[
:'key.pem'
]).
to
be_present
expect
(
subject
[
:'key.pem'
]).
to
be_present
cert
=
OpenSSL
::
X509
::
Certificate
.
new
(
subject
[
:'cert.pem'
])
expect
(
cert
.
not_after
).
to
be
<
60
.
minutes
.
from_now
end
end
context
'when the helm application does not have a ca_cert'
do
context
'when the helm application does not have a ca_cert'
do
...
...
spec/models/clusters/applications/prometheus_spec.rb
View file @
cb21560b
...
@@ -168,6 +168,9 @@ describe Clusters::Applications::Prometheus do
...
@@ -168,6 +168,9 @@ describe Clusters::Applications::Prometheus do
expect
(
subject
[
:'cert.pem'
]).
to
be_present
expect
(
subject
[
:'cert.pem'
]).
to
be_present
expect
(
subject
[
:'key.pem'
]).
to
be_present
expect
(
subject
[
:'key.pem'
]).
to
be_present
cert
=
OpenSSL
::
X509
::
Certificate
.
new
(
subject
[
:'cert.pem'
])
expect
(
cert
.
not_after
).
to
be
<
60
.
minutes
.
from_now
end
end
context
'when the helm application does not have a ca_cert'
do
context
'when the helm application does not have a ca_cert'
do
...
...
spec/models/clusters/applications/runner_spec.rb
View file @
cb21560b
...
@@ -49,6 +49,9 @@ describe Clusters::Applications::Runner do
...
@@ -49,6 +49,9 @@ describe Clusters::Applications::Runner do
expect
(
subject
[
:'cert.pem'
]).
to
be_present
expect
(
subject
[
:'cert.pem'
]).
to
be_present
expect
(
subject
[
:'key.pem'
]).
to
be_present
expect
(
subject
[
:'key.pem'
]).
to
be_present
cert
=
OpenSSL
::
X509
::
Certificate
.
new
(
subject
[
:'cert.pem'
])
expect
(
cert
.
not_after
).
to
be
<
60
.
minutes
.
from_now
end
end
context
'when the helm application does not have a ca_cert'
do
context
'when the helm application does not have a ca_cert'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment