diff --git a/go.mod b/go.mod
index 3ad02296f..ffce8b41e 100644
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,6 @@ require (
 	github.com/gobwas/glob v0.2.3
 	github.com/gofrs/flock v0.8.0
 	github.com/kelseyhightower/envconfig v1.4.0
-	github.com/nightlyone/lockfile v1.0.0 // indirect
 	github.com/onsi/ginkgo v1.15.0
 	github.com/onsi/gomega v1.10.5
 	github.com/openshift/cluster-network-operator v0.0.0-20200922032245-f47200e8dbc0
@@ -18,7 +17,7 @@ require (
 	github.com/operator-framework/operator-sdk v1.4.2
 	github.com/phoracek/networkmanager-go v0.1.0
 	github.com/pkg/errors v0.9.1
-	github.com/qinqon/kube-admission-webhook v0.14.0
+	github.com/qinqon/kube-admission-webhook v0.15.0
 	github.com/tidwall/gjson v1.6.8
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.20.2
diff --git a/go.sum b/go.sum
index 80bd823c2..e1d608124 100644
--- a/go.sum
+++ b/go.sum
@@ -1208,8 +1208,6 @@ github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d/go.mod h1:o96d
 github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/nightlyone/lockfile v1.0.0 h1:RHep2cFKK4PonZJDdEl4GmkabuhbsRMgk/k3uAmxBiA=
-github.com/nightlyone/lockfile v1.0.0/go.mod h1:rywoIealpdNse2r832aiD9jRk8ErCatROs6LzC841CI=
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw=
 github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
@@ -1447,8 +1445,8 @@ github.com/prometheus/prometheus v2.3.2+incompatible/go.mod h1:oAIUtOny2rjMX0OWN
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/psampaz/go-mod-outdated v0.5.0/go.mod h1:Ow0f464qFSBVyz//3QyVLNPtL8/lLvjouMnjmVzNT/U=
 github.com/psampaz/go-mod-outdated v0.7.0/go.mod h1:r78NYWd1z+F9Zdsfy70svgXOz363B08BWnTyFSgEESs=
-github.com/qinqon/kube-admission-webhook v0.14.0 h1:6xISgqhwTv3WKhHDT5Iypc72m6rqw700A4VMzqTymwk=
-github.com/qinqon/kube-admission-webhook v0.14.0/go.mod h1:eYJw+S+JSprEMLzGNmE0GFIlSrBQw0lAVES/ZjgM2FI=
+github.com/qinqon/kube-admission-webhook v0.15.0 h1:uST8Yhl+dVWx1gkb/iam3harXpZK3NFkERpzj2HMyBM=
+github.com/qinqon/kube-admission-webhook v0.15.0/go.mod h1:eYJw+S+JSprEMLzGNmE0GFIlSrBQw0lAVES/ZjgM2FI=
 github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M=
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go
index 781eb34f9..ffc9950a1 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/manager.go
@@ -120,7 +120,7 @@ func (m *Manager) getCACertsFromCABundle() ([]*x509.Certificate, error) {
 	return cas, nil
 }
 
-func (m *Manager) getLastAppendedCACertFromCABundle() (*x509.Certificate, error) {
+func (m *Manager) getLastPrependedCACertFromCABundle() (*x509.Certificate, error) {
 	cas, err := m.getCACertsFromCABundle()
 	if err != nil {
 		return nil, errors.Wrap(err, "failed getting CA certificates from CA bundle")
@@ -128,7 +128,7 @@ func (m *Manager) getLastAppendedCACertFromCABundle() (*x509.Certificate, error)
 	if len(cas) == 0 {
 		return nil, nil
 	}
-	return cas[len(cas)-1], nil
+	return cas[0], nil
 }
 
 func (m *Manager) rotateAll() error {
@@ -262,7 +262,7 @@ func (m *Manager) nextRotationDeadlineForCA() time.Time {
 
 	// Last rotated CA cert at CABundle is the last at the slice so this
 	// calculate deadline from it.
-	caCert, err := m.getLastAppendedCACertFromCABundle()
+	caCert, err := m.getLastPrependedCACertFromCABundle()
 	if err != nil {
 		m.log.Info("Failed reading last CA cert from CABundle, forcing rotation", "err", err)
 		return m.now()
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
index e8fb961dd..ddc3a0db0 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/secret.go
@@ -166,7 +166,7 @@ func (m *Manager) verifyTLSSecret(secretKey types.NamespacedName, caKeyPair *tri
 		return errors.New("CA bundle has no certificates")
 	}
 
-	lastCertFromCABundle := getLastCert(certsFromCABundle)
+	lastCertFromCABundle := getFirstCert(certsFromCABundle)
 
 	if !reflect.DeepEqual(*lastCertFromCABundle, *caKeyPair.Cert) {
 		return errors.New("CA bundle and CA secret certificate are different")
@@ -236,9 +236,9 @@ func (m *Manager) getTLSKeyPair(secretKey types.NamespacedName) (*triple.KeyPair
 		return nil, errors.Wrapf(err, "failed parsing TLS private key PEM at secret %s", secretKey)
 	}
 
-	lastAppendedCert := getLastCert(certs)
+	lastPrependedCert := getFirstCert(certs)
 
-	return &triple.KeyPair{Key: privateKey.(*rsa.PrivateKey), Cert: lastAppendedCert}, nil
+	return &triple.KeyPair{Key: privateKey.(*rsa.PrivateKey), Cert: lastPrependedCert}, nil
 }
 
 func (m *Manager) getTLSCerts(secretKey types.NamespacedName) ([]*x509.Certificate, error) {
@@ -265,11 +265,11 @@ func (m *Manager) caSecretKey() types.NamespacedName {
 	return types.NamespacedName{Namespace: m.namespace, Name: m.webhookName + "-ca"}
 }
 
-// Certs are appended to implement overlap so we take the last one
+// Certs are prepended to implement overlap so we take the first one
 // it will match with the key
-func getLastCert(certs []*x509.Certificate) *x509.Certificate {
+func getFirstCert(certs []*x509.Certificate) *x509.Certificate {
 	if len(certs) == 0 {
 		return nil
 	}
-	return certs[len(certs)-1]
+	return certs[0]
 }
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/cert.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/cert.go
index 55aabf77b..808e77658 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/cert.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/cert.go
@@ -23,6 +23,7 @@ import (
 	"crypto/rand"
 	cryptorand "crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -177,6 +178,11 @@ func VerifyTLS(certsPEM, keyPEM, caBundle []byte) error {
 		return errors.Wrap(err, "failed to verify certificate")
 	}
 
+	_, err = tls.X509KeyPair(certsPEM, keyPEM)
+	if err != nil {
+		return errors.Wrap(err, "failed parsing TLS public/private key")
+	}
+
 	logger.Info("TLS certificates chain verified")
 	return nil
 }
diff --git a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
index f34666f12..206fd57f4 100644
--- a/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
+++ b/vendor/github.com/qinqon/kube-admission-webhook/pkg/certificate/triple/pem.go
@@ -197,7 +197,9 @@ func AddCertToPEM(cert *x509.Certificate, pemCerts []byte) ([]byte, error) {
 			return nil, fmt.Errorf("failed parsing current certs PEM: %w", err)
 		}
 	}
-	certs = append(certs, cert)
+	// Prepend cert since it's what TLS expects [1]
+	// [1] https://github.com/golang/go/blob/master/src/crypto/tls/tls.go#L292-L294
+	certs = append([]*x509.Certificate{cert}, certs...)
 	return EncodeCertsPEM(certs), nil
 }
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index d4b603566..68cc1835b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -467,8 +467,6 @@ github.com/modern-go/concurrent
 github.com/modern-go/reflect2
 # github.com/morikuni/aec v1.0.0
 github.com/morikuni/aec
-# github.com/nightlyone/lockfile v1.0.0
-## explicit
 # github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481
 github.com/nozzle/throttler
 # github.com/nxadm/tail v1.4.4
@@ -689,7 +687,7 @@ github.com/prometheus/common/model
 github.com/prometheus/procfs
 github.com/prometheus/procfs/internal/fs
 github.com/prometheus/procfs/internal/util
-# github.com/qinqon/kube-admission-webhook v0.14.0
+# github.com/qinqon/kube-admission-webhook v0.15.0
 ## explicit
 github.com/qinqon/kube-admission-webhook/pkg/certificate
 github.com/qinqon/kube-admission-webhook/pkg/certificate/triple