var (
mtlsRootPaths = []string{defaultMtlsRootPath}
sslCertsBaseDir = "/etc/ssl/private"
+ k8sSpiffeDir = "/var/run/secrets/spiffe.io"
defaultRootCAFile string
defaultIntermediateCAFile string
return nil, lastErr
}
+func LoadServiceIdentityFromKubernetesCSIDriverSPIFFE(serviceIdentity string) (*FileBackedCertificate, error) {
+ type fileNamingConvention struct {
+ leaf string
+ key string
+ ca string
+ }
+
+ conventionsToTry := []*fileNamingConvention{
+ {"tls.crt", "tls.key", "ca.crt"},
+ {"fullchain.pem", "privkey.pem", "ca.pem"},
+ }
+
+ for _, c := range conventionsToTry {
+ ok := true
+ for _, file := range []string{c.leaf, c.key, c.ca} {
+ if err := fsutil.FileExistsAndIsReadable(path.Join(k8sSpiffeDir, file)); err != nil {
+ ok = false
+ }
+ }
+
+ if !ok {
+ continue
+ }
+
+ fbc := &FileBackedCertificate{
+ LeafPath: path.Join(k8sSpiffeDir, c.leaf),
+ IntermediatesPath: path.Join(k8sSpiffeDir, c.leaf),
+ PrivateKeyPath: path.Join(k8sSpiffeDir, c.key),
+ RootPath: path.Join(k8sSpiffeDir, c.ca),
+ }
+
+ if cert, err := fbc.LeafCertificate(); err == nil {
+ url := certutil.SpiffeUrlFromCertificate(cert)
+ if url != nil && url.Path == fmt.Sprintf("/service/%s", serviceIdentity) {
+ return fbc, nil
+ }
+
+ logger.V(1).Warningf("found certificate from csi-driver-spiffe, but it's for a different identity: %q", url)
+ }
+ }
+
+ return nil, fmt.Errorf("cannot find files for service identity %q in %q", serviceIdentity, k8sSpiffeDir)
+}
+
func newFileBackedCertificateFromBaseDir(mtlsRootPath string, serviceIdentity string) (*FileBackedCertificate, error) {
certDirectory := path.Join(mtlsRootPath, serviceIdentity)
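Review bot: A parse failure from `fbc.LeafCertificate()` at the `if cert, err := fbc.LeafCertificate(); err == nil` line is dropped, and a certificate with no SPIFFE URI SAN reaches the mismatch warning with `url` nil, so every failure ends in `cannot find files for service identity ...` even when the files were present. Tracking the last error per convention, as the preceding function's `return nil, lastErr` appears to do, and wrapping it into the final error would tell an operator whether the files are missing, unparsable, or issued for another identity. The identity check compares only `url.Path`; if callers expect the trust domain (`url.Host`) to be checked as well it needs a comparison here, otherwise a comment should state that the trust domain is intentionally ignored. `IntermediatesPath` is set to `c.leaf`, matching how the roots in the later hunk treat `tls.crt`; a one-line comment such as `// csi-driver-spiffe writes the full chain into the leaf file` would make that deliberate.
```go
var lastErr error
for _, c := range conventionsToTry {
	// … unchanged: readability check of leaf/key/ca, construction of fbc …
	cert, err := fbc.LeafCertificate()
	if err != nil {
		lastErr = fmt.Errorf("parsing %q: %w", fbc.LeafPath, err)
		continue
	}
	url := certutil.SpiffeUrlFromCertificate(cert)
	if url == nil {
		lastErr = fmt.Errorf("certificate %q has no SPIFFE URI SAN", fbc.LeafPath)
		continue
	}
	if url.Path == fmt.Sprintf("/service/%s", serviceIdentity) {
		return fbc, nil
	}
	lastErr = fmt.Errorf("certificate %q is for a different identity: %q", fbc.LeafPath, url)
	logger.V(1).Warningf("found certificate from csi-driver-spiffe, but it's for a different identity: %q", url)
}
if lastErr != nil {
	return nil, fmt.Errorf("loading service identity %q from %q: %w", serviceIdentity, k8sSpiffeDir, lastErr)
}
return nil, fmt.Errorf("cannot find files for service identity %q in %q", serviceIdentity, k8sSpiffeDir)
```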
if !cert.IsCA {
continue
}
+ if cert.Subject.String() == cert.Issuer.String() {
+ continue
+ }
newInts = append(newInts, cert)
}
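Review bot: The new self-issued filter compares `cert.Subject.String()` with `cert.Issuer.String()`, which builds two strings per certificate and depends on pkix.Name's textual serialization; comparing the DER as encoded, `if bytes.Equal(cert.RawSubject, cert.RawIssuer) {`, is exact and allocation-free (add a `bytes` import if the file lacks one). A why-comment is also missing, e.g. `// self-issued certificates are roots, not intermediates; keep them out of the intermediate pool`. The enclosing loop and function start and end outside the hunk.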
defaultFileBackedRoots := &fileBackedRoots{}
+ csiSpiffeRoots := &fileBackedRoots{
+ RootPath: k8sSpiffeDir + "/ca.crt",
+ IntermediatesPath: k8sSpiffeDir + "/tls.crt",
+ }
+
+ csiSpiffeRootsAltName := &fileBackedRoots{
+ RootPath: k8sSpiffeDir + "/ca.pem",
+ IntermediatesPath: k8sSpiffeDir + "/fullchain.pem",
+ }
+
if homeDir := os.Getenv("HOME"); homeDir != "" {
userMtlsPath := path.Join(homeDir, ".cache", "mtls")
appendMtlsCertificateDir(userMtlsPath)
registerIdentityDriver("file_service_global", func(serviceName string) (CertificateProvider, error) {
return LoadServiceIdentityFromFilesystem(serviceName)
})
+ registerIdentityDriver("file_service_csi_spiffe", func(serviceName string) (CertificateProvider, error) {
+ return LoadServiceIdentityFromKubernetesCSIDriverSPIFFE(serviceName)
+ })
registerIdentityDriver("file_user_home", func(_ string) (CertificateProvider, error) {
return LoadUserIdentityFromFilesystem()
})
registerRootDriver("file_etc_mtls", func() (rootsPrimitive, error) {
return defaultFileBackedRoots, nil
})
+ registerRootDriver("file_csi_spiffe", func() (rootsPrimitive, error) {
+ return csiSpiffeRoots, nil
+ })
+ registerRootDriver("file_csi_spiffe_altname", func() (rootsPrimitive, error) {
+ return csiSpiffeRootsAltName, nil
+ })
}
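Review bot: `csiSpiffeRoots` and `csiSpiffeRootsAltName` build paths with `k8sSpiffeDir + "/ca.crt"` while the loader in the earlier hunk uses `path.Join(k8sSpiffeDir, ...)`; use `path.Join` here too for consistency, e.g. `RootPath: path.Join(k8sSpiffeDir, "ca.crt"),`. The two file-naming conventions (`tls.crt`/`ca.crt` and `fullchain.pem`/`ca.pem`) are now spelled out both here and inside `LoadServiceIdentityFromKubernetesCSIDriverSPIFFE`, so a single package-level table would keep them from drifting. `IntermediatesPath` points at the leaf chain file, and the self-issued filter added to the intermediate loader is presumably what keeps the root out of the intermediate pool; a short comment on these two literals saying so would help the next reader. The enclosing function starts outside the hunk.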