mirror of
https://github.com/gitpod-io/gitpod.git
synced 2025-12-08 17:36:30 +00:00
108 lines
2.7 KiB
Go
108 lines
2.7 KiB
Go
// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
|
|
// Licensed under the GNU Affero General Public License (AGPL).
|
|
// See License.AGPL.txt in the project root for license information.
|
|
|
|
package auth
|
|
|
|
import (
|
|
"fmt"
|
|
"math"
|
|
"path"
|
|
"time"
|
|
|
|
"github.com/gitpod-io/gitpod/installer/pkg/common"
|
|
|
|
certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
|
|
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
|
|
corev1 "k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
)
|
|
|
|
func keypair(ctx *common.RenderContext) ([]runtime.Object, error) {
|
|
serverAltNames := []string{
|
|
fmt.Sprintf("gitpod.%s", ctx.Namespace),
|
|
fmt.Sprintf("%s.%s.svc", Component, ctx.Namespace),
|
|
Component,
|
|
fmt.Sprintf("%s-dev", Component),
|
|
}
|
|
|
|
return []runtime.Object{
|
|
&certmanagerv1.Certificate{
|
|
TypeMeta: common.TypeMetaCertificate,
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: common.AuthPKISecretName,
|
|
Namespace: ctx.Namespace,
|
|
Labels: common.DefaultLabels(Component),
|
|
},
|
|
Spec: certmanagerv1.CertificateSpec{
|
|
Duration: &metav1.Duration{
|
|
Duration: time.Duration(math.MaxInt64), // never expire automatically
|
|
},
|
|
SecretName: common.AuthPKISecretName,
|
|
DNSNames: serverAltNames,
|
|
IssuerRef: cmmeta.ObjectReference{
|
|
Name: common.CertManagerCAIssuer,
|
|
Kind: certmanagerv1.ClusterIssuerKind,
|
|
Group: "cert-manager.io",
|
|
},
|
|
PrivateKey: &certmanagerv1.CertificatePrivateKey{
|
|
Encoding: certmanagerv1.PKCS8,
|
|
Size: 4096,
|
|
Algorithm: certmanagerv1.RSAKeyAlgorithm,
|
|
},
|
|
SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
|
|
Labels: common.DefaultLabels(Component),
|
|
},
|
|
},
|
|
},
|
|
}, nil
|
|
}
|
|
|
|
func getPKI() ([]corev1.Volume, []corev1.VolumeMount, PKIConfig) {
|
|
dir := "/secrets/auth-pki"
|
|
signingDir := path.Join(dir, "signing")
|
|
|
|
volumes := []corev1.Volume{
|
|
{
|
|
Name: "auth-pki-signing",
|
|
VolumeSource: corev1.VolumeSource{
|
|
Secret: &corev1.SecretVolumeSource{
|
|
SecretName: common.AuthPKISecretName,
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
mounts := []corev1.VolumeMount{
|
|
{
|
|
Name: "auth-pki-signing",
|
|
MountPath: signingDir,
|
|
ReadOnly: true,
|
|
},
|
|
}
|
|
|
|
cfg := PKIConfig{
|
|
Signing: KeyPair{
|
|
ID: "0001",
|
|
PrivateKeyPath: path.Join(signingDir, "tls.key"),
|
|
PublicKeyPath: path.Join(signingDir, "tls.crt"),
|
|
},
|
|
}
|
|
return volumes, mounts, cfg
|
|
}
|
|
|
|
type PKIConfig struct {
|
|
// Signing KeyPair is always used to issue new auth tokens
|
|
Signing KeyPair `json:"signing"`
|
|
|
|
// Validating KeyPairs are used for checking validity only
|
|
Validating []KeyPair `json:"validating,omitempty"`
|
|
}
|
|
|
|
type KeyPair struct {
|
|
ID string `json:"id"`
|
|
PrivateKeyPath string `json:"privateKeyPath"`
|
|
PublicKeyPath string `json:"publicKeyPath"`
|
|
}
|