kubernetes-sigs
diff --git a/‎pkg/webhook/internal/cert/generator/certgenerator.go
Lines changed: 4 additions & 0 deletions b/‎pkg/webhook/internal/cert/generator/certgenerator.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎pkg/webhook/internal/cert/generator/fake/certgenerator.go
Lines changed: 14 additions & 0 deletions b/‎pkg/webhook/internal/cert/generator/fake/certgenerator.go
Lines changed: 14 additions & 0 deletions
diff --git a/‎pkg/webhook/internal/cert/generator/selfsigned.go
Lines changed: 55 additions & 8 deletions b/‎pkg/webhook/internal/cert/generator/selfsigned.go
Lines changed: 55 additions & 8 deletions
diff --git a/‎pkg/webhook/internal/cert/generator/selfsigned_test.go
Lines changed: 110 additions & 32 deletions b/‎pkg/webhook/internal/cert/generator/selfsigned_test.go
Lines changed: 110 additions & 32 deletions
diff --git a/‎pkg/webhook/internal/cert/generator/suite_test.go
Lines changed: 37 additions & 0 deletions b/‎pkg/webhook/internal/cert/generator/suite_test.go
Lines changed: 37 additions & 0 deletions
diff --git a/‎pkg/webhook/internal/cert/generator/util.go
Lines changed: 61 additions & 0 deletions b/‎pkg/webhook/internal/cert/generator/util.go
Lines changed: 61 additions & 0 deletions
@@ -23,6 +23,8 @@ type Artifacts struct {
 	Key []byte
 	// PEM encoded serving certificate
 	Cert []byte
+	// PEM encoded CA private key
+	CAKey []byte
 	// PEM encoded CA certificate
 	CACert []byte
 }
@@ -31,4 +33,6 @@ type Artifacts struct {
 type CertGenerator interface {
 	// Generate returns a Artifacts struct.
 	Generate(CommonName string) (*Artifacts, error)
+	// SetCA sets the PEM-encoded CA private key and CA cert for signing the generated serving cert.
+	SetCA(caKey, caCert []byte)
 }
@@ -17,23 +17,37 @@ limitations under the License.
 package fake
 
 import (
+	"bytes"
 	"fmt"
 
 	"sigs.k8s.io/controller-runtime/pkg/webhook/internal/cert/generator"
 )
 
 // CertGenerator is a certGenerator for testing.
 type CertGenerator struct {
+	CAKey                  []byte
+	CACert                 []byte
 	DNSNameToCertArtifacts map[string]*generator.Artifacts
 }
 
 var _ generator.CertGenerator = &CertGenerator{}
 
+// SetCA sets the PEM-encoded CA private key and CA cert for signing the generated serving cert.
+func (cp *CertGenerator) SetCA(CAKey, CACert []byte) {
+	cp.CAKey = CAKey
+	cp.CACert = CACert
+}
+
 // Generate generates certificates by matching a common name.
 func (cp *CertGenerator) Generate(commonName string) (*generator.Artifacts, error) {
 	certs, found := cp.DNSNameToCertArtifacts[commonName]
 	if !found {
 		return nil, fmt.Errorf("failed to find common name %q in the certGenerator", commonName)
 	}
+	if cp.CAKey != nil && cp.CACert != nil &&
+		!bytes.Contains(cp.CAKey, []byte("invalid")) && !bytes.Contains(cp.CACert, []byte("invalid")) {
+		certs.CAKey = cp.CAKey
+		certs.CACert = cp.CACert
+	}
 	return certs, nil
 }
@@ -17,8 +17,10 @@ limitations under the License.
 package generator
 
 import (
+	"crypto/rsa"
 	"crypto/x509"
 	"fmt"
+	"time"
 
 	"k8s.io/client-go/util/cert"
 )
@@ -30,24 +32,42 @@ func ServiceToCommonName(serviceNamespace, serviceName string) string {
 
 // SelfSignedCertGenerator implements the certGenerator interface.
 // It provisions self-signed certificates.
-type SelfSignedCertGenerator struct{}
+type SelfSignedCertGenerator struct {
+	caKey  []byte
+	caCert []byte
+}
 
 var _ CertGenerator = &SelfSignedCertGenerator{}
 
+// SetCA sets the PEM-encoded CA private key and CA cert for signing the generated serving cert.
+func (cp *SelfSignedCertGenerator) SetCA(caKey, caCert []byte) {
+	cp.caKey = caKey
+	cp.caCert = caCert
+}
+
 // Generate creates and returns a CA certificate, certificate and
 // key for the server. serverKey and serverCert are used by the server
 // to establish trust for clients, CA certificate is used by the
 // client to verify the server authentication chain.
 // The cert will be valid for 365 days.
 func (cp *SelfSignedCertGenerator) Generate(commonName string) (*Artifacts, error) {
-	signingKey, err := cert.NewPrivateKey()
-	if err != nil {
-		return nil, fmt.Errorf("failed to create the CA private key: %v", err)
-	}
-	signingCert, err := cert.NewSelfSignedCACert(cert.Config{CommonName: "webhook-cert-ca"}, signingKey)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create the CA cert: %v", err)
+	var signingKey *rsa.PrivateKey
+	var signingCert *x509.Certificate
+	var valid bool
+	var err error
+
+	valid, signingKey, signingCert = cp.validCACert()
+	if !valid {
+		signingKey, err = cert.NewPrivateKey()
+		if err != nil {
+			return nil, fmt.Errorf("failed to create the CA private key: %v", err)
+		}
+		signingCert, err = cert.NewSelfSignedCACert(cert.Config{CommonName: "webhook-cert-ca"}, signingKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create the CA cert: %v", err)
+		}
 	}
+
 	key, err := cert.NewPrivateKey()
 	if err != nil {
 		return nil, fmt.Errorf("failed to create the private key: %v", err)
@@ -65,6 +85,33 @@ func (cp *SelfSignedCertGenerator) Generate(commonName string) (*Artifacts, erro
 	return &Artifacts{
 		Key:    cert.EncodePrivateKeyPEM(key),
 		Cert:   cert.EncodeCertPEM(signedCert),
+		CAKey:  cert.EncodePrivateKeyPEM(signingKey),
 		CACert: cert.EncodeCertPEM(signingCert),
 	}, nil
 }
+
+func (cp *SelfSignedCertGenerator) validCACert() (bool, *rsa.PrivateKey, *x509.Certificate) {
+	if !ValidCACert(cp.caKey, cp.caCert, cp.caCert, "",
+		time.Now().AddDate(1, 0, 0)) {
+		return false, nil, nil
+	}
+
+	var ok bool
+	key, err := cert.ParsePrivateKeyPEM(cp.caKey)
+	if err != nil {
+		return false, nil, nil
+	}
+	privateKey, ok := key.(*rsa.PrivateKey)
+	if !ok {
+		return false, nil, nil
+	}
+
+	certs, err := cert.ParseCertsPEM(cp.caCert)
+	if err != nil {
+		return false, nil, nil
+	}
+	if len(certs) != 1 {
+		return false, nil, nil
+	}
+	return true, privateKey, certs[0]
+}
@@ -19,38 +19,116 @@ package generator
 import (
 	"crypto/x509"
 	"encoding/pem"
-	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
 )
 
-func TestProvisionServingCert(t *testing.T) {
+var _ = Describe("Cert Generator", func() {
 	cn := "mysvc.myns.svc"
-	cp := SelfSignedCertGenerator{}
-	certs, _ := cp.Generate(cn)
-
-	// First, create the set of root certificates. For this example we only
-	// have one. It's also possible to omit this in order to use the
-	// default root set of the current operating system.
-	roots := x509.NewCertPool()
-	ok := roots.AppendCertsFromPEM(certs.CACert)
-	if !ok {
-		t.Fatalf("failed to parse root certificate: %s", certs.CACert)
-	}
-
-	block, _ := pem.Decode(certs.Cert)
-	if block == nil {
-		t.Fatalf("failed to parse certificate PEM: %s", certs.Cert)
-	}
-	cert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		t.Fatalf("failed to parse certificate: %v", err)
-	}
-
-	opts := x509.VerifyOptions{
-		DNSName: cn,
-		Roots:   roots,
-	}
-
-	if _, err := cert.Verify(opts); err != nil {
-		t.Fatalf("failed to verify certificate: %v", err)
-	}
-}
+	Describe("CA doesn't exist", func() {
+		It("should generate CA", func() {
+			cp := SelfSignedCertGenerator{}
+			certs, err := cp.Generate(cn)
+			Expect(err).NotTo(HaveOccurred())
+
+			// First, create the set of root certificates. For this example we only
+			// have one. It's also possible to omit this in order to use the
+			// default root set of the current operating system.
+			roots := x509.NewCertPool()
+			ok := roots.AppendCertsFromPEM(certs.CACert)
+			Expect(ok).To(BeTrue())
+
+			block, _ := pem.Decode(certs.Cert)
+			Expect(block).NotTo(BeNil())
+
+			cert, err := x509.ParseCertificate(block.Bytes)
+			Expect(err).NotTo(HaveOccurred())
+
+			opts := x509.VerifyOptions{
+				DNSName: cn,
+				Roots:   roots,
+			}
+
+			_, err = cert.Verify(opts)
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
+
+	Describe("CA doesn't exist", func() {
+		Context("CA is valid", func() {
+			It("should reuse existing CA", func() {
+				cp := SelfSignedCertGenerator{}
+				certs, err := cp.Generate("foo.example.com")
+				Expect(err).NotTo(HaveOccurred())
+
+				cp = SelfSignedCertGenerator{}
+				cp.SetCA(certs.CAKey, certs.CACert)
+				certs, err = cp.Generate(cn)
+				Expect(err).NotTo(HaveOccurred())
+
+				Expect(certs.CAKey).To(Equal(cp.caKey))
+				Expect(certs.CACert).To(Equal(cp.caCert))
+
+				// First, create the set of root certificates. For this example we only
+				// have one. It's also possible to omit this in order to use the
+				// default root set of the current operating system.
+				roots := x509.NewCertPool()
+				ok := roots.AppendCertsFromPEM(certs.CACert)
+				Expect(ok).To(BeTrue())
+
+				block, _ := pem.Decode(certs.Cert)
+				Expect(block).NotTo(BeNil())
+
+				cert, err := x509.ParseCertificate(block.Bytes)
+				Expect(err).NotTo(HaveOccurred())
+
+				opts := x509.VerifyOptions{
+					DNSName: cn,
+					Roots:   roots,
+				}
+
+				_, err = cert.Verify(opts)
+				Expect(err).NotTo(HaveOccurred())
+			})
+		})
+
+		Context("CA is invalid", func() {
+			It("should reuse existing CA", func() {
+				cp := SelfSignedCertGenerator{}
+				certs, err := cp.Generate("foo.example.com")
+				Expect(err).NotTo(HaveOccurred())
+
+				cp = SelfSignedCertGenerator{}
+				cp.SetCA([]byte("invalidCAKey"), []byte("invalidCACert"))
+
+				certs, err = cp.Generate(cn)
+				Expect(err).NotTo(HaveOccurred())
+
+				Expect(certs.CAKey).NotTo(Equal(cp.caKey))
+				Expect(certs.CACert).NotTo(Equal(cp.caCert))
+
+				// First, create the set of root certificates. For this example we only
+				// have one. It's also possible to omit this in order to use the
+				// default root set of the current operating system.
+				roots := x509.NewCertPool()
+				ok := roots.AppendCertsFromPEM(certs.CACert)
+				Expect(ok).To(BeTrue())
+
+				block, _ := pem.Decode(certs.Cert)
+				Expect(block).NotTo(BeNil())
+
+				cert, err := x509.ParseCertificate(block.Bytes)
+				Expect(err).NotTo(HaveOccurred())
+
+				opts := x509.VerifyOptions{
+					DNSName: cn,
+					Roots:   roots,
+				}
+
+				_, err = cert.Verify(opts)
+				Expect(err).NotTo(HaveOccurred())
+			})
+		})
+	})
+})
@@ -0,0 +1,37 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generator
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	logf "sigs.k8s.io/controller-runtime/pkg/runtime/log"
+)
+
+func TestSource(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecsWithDefaultAndCustomReporters(t, "Cert Generator Test Suite", []Reporter{envtest.NewlineReporter{}})
+}
+
+var _ = BeforeSuite(func(done Done) {
+	logf.SetLogger(logf.ZapLoggerTo(GinkgoWriter, true))
+	close(done)
+}, 60)
@@ -0,0 +1,61 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package generator
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"time"
+)
+
+// ValidCACert think cert and key are valid if they meet the following requirements:
+// - key and cert are valid pair
+// - caCert is the root ca of cert
+// - cert is for dnsName
+// - cert won't expire before time
+func ValidCACert(key, cert, caCert []byte, dnsName string, time time.Time) bool {
+	if len(key) == 0 || len(cert) == 0 || len(caCert) == 0 {
+		return false
+	}
+	// Verify key and cert are valid pair
+	_, err := tls.X509KeyPair(cert, key)
+	if err != nil {
+		return false
+	}
+
+	// Verify cert is valid for at least 1 year.
+	pool := x509.NewCertPool()
+	if !pool.AppendCertsFromPEM(caCert) {
+		return false
+	}
+	block, _ := pem.Decode([]byte(cert))
+	if block == nil {
+		return false
+	}
+	c, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return false
+	}
+	ops := x509.VerifyOptions{
+		DNSName:     dnsName,
+		Roots:       pool,
+		CurrentTime: time,
+	}
+	_, err = c.Verify(ops)
+	return err == nil
+}