
Special workaround flag for an EKS bug
viovanov committed Sep 27, 2019
1 parent fb49fba commit 68d247d
Showing 4 changed files with 41 additions and 21 deletions.
13 changes: 7 additions & 6 deletions pkg/bosh/converter/kube_converter.go
Expand Up @@ -92,12 +92,13 @@ func (kc *KubeConverter) Variables(manifestName string, variables []bdm.Variable
}

certRequest := esv1.CertificateRequest{
CommonName: v.Options.CommonName,
AlternativeNames: v.Options.AlternativeNames,
IsCA: v.Options.IsCA,
SignerType: v.Options.SignerType,
ServiceRef: v.Options.ServiceRef,
Usages: usages,
CommonName: v.Options.CommonName,
AlternativeNames: v.Options.AlternativeNames,
IsCA: v.Options.IsCA,
SignerType: v.Options.SignerType,
ServiceRef: v.Options.ServiceRef,
ActivateEKSWorkaroundForSAN: v.Options.ActivateEKSWorkaroundForSAN,
Usages: usages,
}
if len(certRequest.SignerType) == 0 {
certRequest.SignerType = esv1.LocalSigner
15 changes: 8 additions & 7 deletions pkg/bosh/manifest/manifest.go
Expand Up @@ -54,13 +54,14 @@ const (

// VariableOptions from BOSH deployment manifest
type VariableOptions struct {
CommonName string `json:"common_name"`
AlternativeNames []string `json:"alternative_names,omitempty"`
IsCA bool `json:"is_ca"`
CA string `json:"ca,omitempty"`
ExtendedKeyUsage []AuthType `json:"extended_key_usage,omitempty"`
SignerType string `json:"signer_type,omitempty"`
ServiceRef []esv1.ServiceReference `json:"serviceRef,omitempty"`
CommonName string `json:"common_name"`
AlternativeNames []string `json:"alternative_names,omitempty"`
IsCA bool `json:"is_ca"`
CA string `json:"ca,omitempty"`
ExtendedKeyUsage []AuthType `json:"extended_key_usage,omitempty"`
SignerType string `json:"signer_type,omitempty"`
ServiceRef []esv1.ServiceReference `json:"serviceRef,omitempty"`
ActivateEKSWorkaroundForSAN bool `json:"activateEKSWorkaroundForSAN,omitempty"`
}

// Variable from BOSH deployment manifest
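Review bot: The json tag on the new field, `ActivateEKSWorkaroundForSAN bool `json:"activateEKSWorkaroundForSAN,omitempty"``, breaks the snake_case convention of the BOSH manifest keys on this struct (`common_name`, `alternative_names`, `is_ca`, `extended_key_usage`, `signer_type`); `serviceRef` is the only earlier camelCase tag, so the precedent is mixed, but a new operator-facing key should follow one convention deliberately. If snake_case is the intended manifest style, `activate_eks_workaround_for_san` would match the majority. Either way the field deserves a doc comment, since its effect is not obvious from the name: `// ActivateEKSWorkaroundForSAN turns on the EKS workaround in which a referenced service's ClusterIP is used as the certificate CommonName (see awslabs/amazon-eks-ami#341).`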
17 changes: 9 additions & 8 deletions pkg/kube/apis/extendedsecret/v1alpha1/types.go
Expand Up @@ -62,14 +62,15 @@ type ServiceReference struct {

// CertificateRequest specifies the details for the certificate generation
type CertificateRequest struct {
CommonName string `json:"commonName"`
AlternativeNames []string `json:"alternativeNames"`
IsCA bool `json:"isCA"`
CARef SecretReference `json:"CARef"`
CAKeyRef SecretReference `json:"CAKeyRef"`
SignerType SignerType `json:"signerType,omitempty"`
Usages []certv1.KeyUsage `json:"usages,omitempty"`
ServiceRef []ServiceReference `json:"serviceRef,omitempty"`
CommonName string `json:"commonName"`
AlternativeNames []string `json:"alternativeNames"`
IsCA bool `json:"isCA"`
CARef SecretReference `json:"CARef"`
CAKeyRef SecretReference `json:"CAKeyRef"`
SignerType SignerType `json:"signerType,omitempty"`
Usages []certv1.KeyUsage `json:"usages,omitempty"`
ServiceRef []ServiceReference `json:"serviceRef,omitempty"`
ActivateEKSWorkaroundForSAN bool `json:"activateEKSWorkaroundForSAN,omitempty"`
}

// Request specifies details for the secret generation
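Review bot: The new CRD field `ActivateEKSWorkaroundForSAN bool `json:"activateEKSWorkaroundForSAN,omitempty"`` is public API surface but carries no doc comment, and its name is misleading: the reconciler in this commit does not add a SAN, it overwrites `generationRequest.CommonName` with a service ClusterIP. A comment that states the actual behaviour would prevent users from expecting a SAN entry, e.g. `// ActivateEKSWorkaroundForSAN makes the controller use the ClusterIP of the first referenced Service as the certificate CommonName instead of CommonName above, as a workaround for https://github.com/awslabs/amazon-eks-ami/issues/341.` From the reconciler hunk it appears to be honoured only under the cluster signer, which is also worth stating here if confirmed.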
17 changes: 17 additions & 0 deletions pkg/kube/controllers/extendedsecret/extendedsecret_reconciler.go
Expand Up @@ -233,6 +233,9 @@ func (r *ReconcileExtendedSecret) createSSHSecret(ctx context.Context, instance
}

func (r *ReconcileExtendedSecret) createCertificateSecret(ctx context.Context, instance *esv1.ExtendedSecret) error {

serviceIPForEKSWorkaround := ""

for _, serviceRef := range instance.Spec.Request.CertificateRequest.ServiceRef {
service := &corev1.Service{}

Expand All @@ -242,6 +245,10 @@ func (r *ReconcileExtendedSecret) createCertificateSecret(ctx context.Context, i
return errors.Wrapf(err, "Failed to get service reference '%s' for ExtendedSecret '%s'", serviceRef.Name, instance.Name)
}

if serviceIPForEKSWorkaround == "" {
serviceIPForEKSWorkaround = service.Spec.ClusterIP
}

instance.Spec.Request.CertificateRequest.AlternativeNames = append(append(
instance.Spec.Request.CertificateRequest.AlternativeNames,
service.Name,
Expand All @@ -265,6 +272,16 @@ func (r *ReconcileExtendedSecret) createCertificateSecret(ctx context.Context, i

switch instance.Spec.Request.CertificateRequest.SignerType {
case esv1.ClusterSigner:
if instance.Spec.Request.CertificateRequest.ActivateEKSWorkaroundForSAN {
if serviceIPForEKSWorkaround == "" {
return errors.Errorf("can't activate EKS workaround for ExtendedSecret '%s/%s'; couldn't find a ClusterIP for any service reference", instance.Namespace, instance.Name)
}

ctxlog.Infof(ctx, "Activating EKS workaround for ExtendedSecret '%s/%s'. Using IP '%s' as a common name. See 'https://github.com/awslabs/amazon-eks-ami/issues/341' for more details.", instance.Namespace, instance.Name, serviceIPForEKSWorkaround)

generationRequest.CommonName = serviceIPForEKSWorkaround
}

ctxlog.Info(ctx, "Generating certificate signing request and its key")
csr, key, err := r.generator.GenerateCertificateSigningRequest(generationRequest)
if err != nil {
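Review bot: The ClusterIP capture at `if serviceIPForEKSWorkaround == "" {` accepts a headless Service, whose `Spec.ClusterIP` is the literal string "None", so with the flag set and only a headless serviceRef the certificate would be issued with CommonName "None" and the "couldn't find a ClusterIP" error would never fire; the guard should read `if serviceIPForEKSWorkaround == "" && service.Spec.ClusterIP != corev1.ClusterIPNone {`. The selection is also order-dependent (first referenced Service with an IP wins) and the IP replaces CommonName rather than being added alongside it, so if a Service is recreated with a new ClusterIP the existing certificate's CN would presumably go stale unless something outside this hunk reissues it; a comment above `generationRequest.CommonName = serviceIPForEKSWorkaround` should spell out both points. The flag is checked only inside `case esv1.ClusterSigner:`, so with any other signer it appears to be silently ignored, and a log line via ctxlog there would tell the operator why nothing happened. createCertificateSecret continues past the end of this section.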
