
Revert: Fixed the hub client certificate doesn't have any IP address
This reverts commit df85591.

Signed-off-by: WillardHu <[email protected]>
WillardHu committed Dec 2, 2024
1 parent e32898f commit a76e959
Showing 6 changed files with 14 additions and 43 deletions.
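--- a/cloud/pkg/cloudhub/config/config.go
+++ b/cloud/pkg/cloudhub/config/config.go
@@ -1,7 +1,6 @@
 package config
 
 import (
-"net"
 "sync"
 
 "k8s.io/klog/v2"
@@ -97,11 +96,3 @@ func (c *Configure) UpdateCerts(cert, key []byte) {
 c.Key = key
 }
 }
-
-func (c *Configure) ConvAdvertiseAddressToIPs() []net.IP {
-ips := make([]net.IP, 0, len(c.AdvertiseAddress))
-for _, addr := range c.AdvertiseAddress {
-ips = append(ips, net.ParseIP(addr))
-}
-return ips
-}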
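--- a/cloud/pkg/cloudhub/servers/httpserver/certificate/certs.go
+++ b/cloud/pkg/cloudhub/servers/httpserver/certificate/certs.go
@@ -154,10 +154,6 @@ func signEdgeCert(r io.ReadCloser, usagesStr string) (*pem.Block, error) {
 hubconfig.Config.CaKey,
 usages,
 edgeCertSigningDuration,
-&certutil.AltNames{
-IPs: hubconfig.Config.ConvAdvertiseAddressToIPs(),
-DNSNames: hubconfig.Config.DNSNames,
-},
 ))
 if err != nil {
 return nil, fmt.Errorf("fail to signCerts, err: %v", err)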
8 changes: 7 additions & 1 deletion cloud/pkg/cloudhub/servers/httpserver/pre_server.go
Expand Up @@ -19,6 +19,7 @@ import (
"context"
"crypto/x509"
"fmt"
"net"
"time"

corev1 "k8s.io/api/core/v1"
Expand Down Expand Up @@ -107,7 +108,12 @@ func createCertsToSecret(ctx context.Context) error {
if err != nil {
klog.Info("CloudCoreCert and key don't exist in the secret, and will be signed by CA")

ips := make([]net.IP, 0, len(hubconfig.Config.AdvertiseAddress))
for _, addr := range hubconfig.Config.AdvertiseAddress {
ips = append(ips, net.ParseIP(addr))
}
h := certs.GetHandler(certs.HandlerTypeX509)

keywrap, err := h.GenPrivateKey()
if err != nil {
return fmt.Errorf("faield to generate the private key, err: %v", err)
Expand All @@ -123,7 +129,7 @@ func createCertsToSecret(ctx context.Context) error {
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
AltNames: certutil.AltNames{
DNSNames: hubconfig.Config.DNSNames,
IPs: hubconfig.Config.ConvAdvertiseAddressToIPs(),
IPs: ips,
},
}, hubconfig.Config.Ca, hubconfig.Config.CaKey, key.Public(), year100)
certPEM, err := h.SignCerts(opts)
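Review bot: In the restored loop at `for _, addr := range hubconfig.Config.AdvertiseAddress`, net.ParseIP returns nil for any entry that is not a literal IP (a hostname or a malformed string), and that nil is appended to ips and carried into the AltNames.IPs handed to SignCertsOptionsWithCA; as far as I can tell a nil element in the SAN IP list yields a certificate whose IP SAN is empty and fails to parse, a failure that would surface only when the secret is later used for TLS. Rejecting the bad entry where the configuration is read keeps the error attached to the offending value instead. createCertsToSecret starts before and continues after this hunk.
```go
ips := make([]net.IP, 0, len(hubconfig.Config.AdvertiseAddress))
for _, addr := range hubconfig.Config.AdvertiseAddress {
	ip := net.ParseIP(addr)
	if ip == nil {
		return fmt.Errorf("advertise address %q is not a valid IP address", addr)
	}
	ips = append(ips, ip)
}
// … unchanged: handler lookup, key generation and signing …
```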
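--- a/pkg/security/certs/types.go
+++ b/pkg/security/certs/types.go
@@ -59,12 +59,7 @@ type SignCertsOptions struct {
 expiration time.Duration
 }
 
-func SignCertsOptionsWithCA(
-cfg certutil.Config,
-caDER, caKeyDER []byte,
-publicKey any,
-expiration time.Duration,
-) SignCertsOptions {
+func SignCertsOptionsWithCA(cfg certutil.Config, caDER, caKeyDER []byte, publicKey any, expiration time.Duration) SignCertsOptions {
 return SignCertsOptions{
 cfg: cfg,
 caDER: caDER,
@@ -74,13 +69,8 @@ func SignCertsOptionsWithCA(
 }
 }
 
-func SignCertsOptionsWithCSR(
-csrDER, caDER, caKeyDER []byte,
-usages []x509.ExtKeyUsage,
-expiration time.Duration,
-alt *certutil.AltNames,
-) SignCertsOptions {
-opts := SignCertsOptions{
+func SignCertsOptionsWithCSR(csrDER, caDER, caKeyDER []byte, usages []x509.ExtKeyUsage, expiration time.Duration) SignCertsOptions {
+return SignCertsOptions{
 csrDER: csrDER,
 caDER: caDER,
 caKeyDER: caKeyDER,
@@ -89,17 +79,9 @@ func SignCertsOptionsWithCSR(
 },
 expiration: expiration,
 }
-if alt != nil {
-opts.cfg.AltNames = *alt
-}
-return opts
 }
 
-func SignCertsOptionsWithK8sCSR(
-csrDER []byte,
-usages []x509.ExtKeyUsage,
-expiration time.Duration,
-) SignCertsOptions {
+func SignCertsOptionsWithK8sCSR(csrDER []byte, usages []x509.ExtKeyUsage, expiration time.Duration) SignCertsOptions {
 return SignCertsOptions{
 csrDER: csrDER,
 cfg: certutil.Config{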
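Review bot: The three exported constructors rewritten here, SignCertsOptionsWithCA, SignCertsOptionsWithCSR and SignCertsOptionsWithK8sCSR, carry no doc comment, and with the alt parameter dropped from SignCertsOptionsWithCSR a caller can no longer see at the call site where the issued certificate's SANs come from. Given that x509CertsHandler.SignCerts in this same commit copies csr.DNSNames and csr.IPAddresses into opts.cfg.AltNames, I would state that contract on the constructor: `// SignCertsOptionsWithCSR builds options for signing a DER-encoded CSR with the given CA and usages; subject and SANs are taken from the CSR itself.`, with one-line comments of the same shape on the CA and K8sCSR variants. The SignCertsOptions struct these functions populate is defined above the first hunk, so its field meanings could not be checked here.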
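--- a/pkg/security/certs/x509_ca_certs_test.go
+++ b/pkg/security/certs/x509_ca_certs_test.go
@@ -33,7 +33,7 @@ func TestSignX509Certs(t *testing.T) {
 }, certpkw, nil)
 
 opts := SignCertsOptionsWithCSR(csrblock.Bytes, cablock.Bytes, capkw.DER(),
-[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 24*time.Hour, nil)
+[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 24*time.Hour)
 certblock, err := certh.SignCerts(opts)
 if err != nil {
 t.Fatal(err)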
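--- a/pkg/security/certs/x509_certs.go
+++ b/pkg/security/certs/x509_certs.go
@@ -76,13 +76,9 @@ func (h x509CertsHandler) SignCerts(opts SignCertsOptions) (*pem.Block, error) {
 }
 opts.cfg.CommonName = csr.Subject.CommonName
 opts.cfg.Organization = csr.Subject.Organization
+opts.cfg.AltNames.DNSNames = csr.DNSNames
+opts.cfg.AltNames.IPs = csr.IPAddresses
 pubkey = csr.PublicKey
-if len(csr.DNSNames) > 0 {
-opts.cfg.AltNames.DNSNames = csr.DNSNames
-}
-if len(csr.IPAddresses) > 0 {
-opts.cfg.AltNames.IPs = csr.IPAddresses
-}
 }
 if len(opts.cfg.CommonName) == 0 {
 return nil, errors.New("must specify a CommonName")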
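Review bot: The restored assignments `opts.cfg.AltNames.DNSNames = csr.DNSNames` and `opts.cfg.AltNames.IPs = csr.IPAddresses` copy the requester's SAN list into the issued certificate verbatim, and after this revert nothing in the visible signing path checks those names: signEdgeCert no longer supplies hub-side AltNames and SignCertsOptionsWithCSR has no alt parameter, so the CSR alone decides which names the certificate is valid for. For ClientAuth usages that is mostly a hygiene question, but any ServerAuth issuance through this path would need a policy check before signing, so the contract should at least be recorded where the copy happens, e.g. `// SANs are taken verbatim from the CSR; callers are responsible for validating them against policy before signing.`. The unconditional copy also clears any AltNames already present in opts.cfg when the CSR carries none, which the guarded form removed here preserved; if that is intended it deserves a comment. SignCerts starts before and continues after this hunk.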
