Merge pull request kubernetes#4008 from ElvinEfendi/refactor-get-fake…

…-cert refactor GetFakeSSLCert
lspas-volvo · Apr 14, 2019 · 461954f · 461954f
2 parents 4c37e0e + 13a7e2c
commit 461954f
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 38 deletions.
diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
@@ -54,8 +54,6 @@ const (
 	// High enough Burst to fit all expected use cases. Burst=0 is not set here, because
 	// client code is overriding it.
 	defaultBurst = 1e6
-
-	fakeCertificateName = "default-fake-certificate"
 )
 
 func main() {
@@ -109,20 +107,8 @@ func main() {
 		}
 	}
 
-	// create the default SSL certificate (dummy)
-	// TODO(elvinefendi) do this in a single function in ssl package
-	defCert, defKey := ssl.GetFakeSSLCert()
-	sslCert, err := ssl.CreateSSLCert(defCert, defKey)
-	if err != nil {
-		klog.Fatalf("unexpected error creating fake SSL Cert: %v", err)
-	}
-	err = ssl.StoreSSLCertOnDisk(fs, fakeCertificateName, sslCert)
-	if err != nil {
-		klog.Fatalf("unexpected error storing fake SSL Cert: %v", err)
-	}
-	conf.FakeCertificate = sslCert
+	conf.FakeCertificate = ssl.GetFakeSSLCert(fs)
 	klog.Infof("Created fake certificate with PemFileName: %v", conf.FakeCertificate.PemFileName)
-	// end create default fake SSL certificates
 
 	conf.Client = kubeClient
 

diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go
@@ -921,17 +921,7 @@ func newNGINXController(t *testing.T) *NGINXController {
 		pod,
 		false)
 
-	// BEGIN create fake ssl cert
-	defCert, defKey := ssl.GetFakeSSLCert()
-	sslCert, err := ssl.CreateSSLCert(defCert, defKey)
-	if err != nil {
-		t.Fatalf("unexpected error creating fake SSL Cert: %v", err)
-	}
-	err = ssl.StoreSSLCertOnDisk(fs, fakeCertificateName, sslCert)
-	if err != nil {
-		t.Fatalf("unexpected error storing fake SSL Cert: %v", err)
-	}
-	// END create fake ssl cert
+	sslCert := ssl.GetFakeSSLCert(fs)
 	config := &Configuration{
 		FakeCertificate: sslCert,
 		ListenPorts: &ngx_config.ListenPorts{

diff --git a/internal/net/ssl/ssl.go b/internal/net/ssl/ssl.go
@@ -46,6 +46,10 @@ var (
 	oidExtensionSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
 )
 
+const (
+	fakeCertificateName = "default-fake-certificate"
+)
+
 // getPemFileName returns absolute file path and file name of pem cert related to given fullSecretName
 func getPemFileName(fullSecretName string) (string, string) {
 	pemName := fmt.Sprintf("%v.pem", fullSecretName)
@@ -355,8 +359,7 @@ func AddOrUpdateDHParam(name string, dh []byte, fs file.Filesystem) (string, err
 
 // GetFakeSSLCert creates a Self Signed Certificate
 // Based in the code https://golang.org/src/crypto/tls/generate_cert.go
-func GetFakeSSLCert() ([]byte, []byte) {
-
+func GetFakeSSLCert(fs file.Filesystem) *ingress.SSLCert {
 	var priv interface{}
 	var err error
 
@@ -400,7 +403,17 @@ func GetFakeSSLCert() ([]byte, []byte) {
 
 	key := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))})
 
-	return cert, key
+	sslCert, err := CreateSSLCert(cert, key)
+	if err != nil {
+		klog.Fatalf("unexpected error creating fake SSL Cert: %v", err)
+	}
+
+	err = StoreSSLCertOnDisk(fs, fakeCertificateName, sslCert)
+	if err != nil {
+		klog.Fatalf("unexpected error storing fake SSL Cert: %v", err)
+	}
+
+	return sslCert
 }
 
 // FullChainCert checks if a certificate file contains issues in the intermediate CA chain

diff --git a/internal/net/ssl/ssl_test.go b/internal/net/ssl/ssl_test.go
@@ -139,20 +139,33 @@ func TestCACert(t *testing.T) {
 }
 
 func TestGetFakeSSLCert(t *testing.T) {
-	k, c := GetFakeSSLCert()
-	if len(k) == 0 {
-		t.Fatalf("expected a valid key")
+	fs := newFS(t)
+
+	sslCert := GetFakeSSLCert(fs)
+
+	if len(sslCert.PemCertKey) == 0 {
+		t.Fatalf("expected PemCertKey to not be empty")
+	}
+
+	if len(sslCert.PemFileName) == 0 {
+		t.Fatalf("expected PemFileName to not be empty")
+	}
+
+	if len(sslCert.CN) != 2 {
+		t.Fatalf("expected 2 entries in CN, but got %v", len(sslCert.CN))
 	}
-	if len(c) == 0 {
-		t.Fatalf("expected a valid certificate")
+
+	if sslCert.CN[0] != "Kubernetes Ingress Controller Fake Certificate" {
+		t.Fatalf("expected common name to be \"Kubernetes Ingress Controller Fake Certificate\" but got %v", sslCert.CN[0])
+	}
+
+	if sslCert.CN[1] != "ingress.local" {
+		t.Fatalf("expected a DNS name \"ingress.local\" but got: %v", sslCert.CN[1])
 	}
 }
 
 func TestConfigureCACert(t *testing.T) {
-	fs, err := file.NewFakeFS()
-	if err != nil {
-		t.Fatalf("unexpected error creating filesystem: %v", err)
-	}
+	fs := newFS(t)
 
 	cn := "demo-ca"
 	_, ca, err := generateRSACerts(cn)