
Commit 0ee7f00

committed
webhook-authenticator: set not-before/not-after annotations for webhook-authentication-integrated-oauth secret
1 parent bf5cc3c commit 0ee7f00


1 file changed

+22
-1
lines changed

1 file changed

+22
-1
lines changed

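--- a/pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go
+++ b/pkg/controllers/webhookauthenticator/webhookauthenticator_controller.go
@@ -2,7 +2,10 @@ package webhookauthenticator
 
 import (
 "context"
+"crypto/tls"
+"crypto/x509"
 "encoding/base64"
+"encoding/pem"
 "fmt"
 "io/ioutil"
 "net"
@@ -28,6 +31,7 @@ import (
 configinformers "github.com/openshift/client-go/config/informers/externalversions"
 applyoperatorv1 "github.com/openshift/client-go/operator/applyconfigurations/operator/v1"
 "github.com/openshift/library-go/pkg/controller/factory"
+"github.com/openshift/library-go/pkg/operator/certrotation"
 "github.com/openshift/library-go/pkg/operator/events"
 "github.com/openshift/library-go/pkg/operator/resource/resourceapply"
 "github.com/openshift/library-go/pkg/operator/status"
@@ -173,12 +177,29 @@ func (c *webhookAuthenticatorController) ensureKubeConfigSecret(ctx context.Cont
 
 kubeconfigComplete := replacer.Replace(string(kubeconfigBytes))
 
+_, err = tls.X509KeyPair(cert, key)
+if err != nil {
+return nil, fmt.Errorf("private key doesn't match the certificate of authenticator secret")
+}
+// extract not-before/not-after timestamps valid x509 certificate
+var block *pem.Block
+block, _ = pem.Decode(cert)
+if block == nil || block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
+return nil, fmt.Errorf("invalid first block found in the certificate of authenticator secret")
+}
+parsedCert, err := x509.ParseCertificate(block.Bytes)
+if err != nil {
+return nil, fmt.Errorf("failed to parse the certificate of authenticator secret")
+}
+
 requiredSecret := &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Name: "webhook-authentication-integrated-oauth",
 Namespace: "openshift-config",
 Annotations: map[string]string{
-annotations.OpenShiftComponent: "apiserver-auth",
+annotations.OpenShiftComponent: "apiserver-auth",
+certrotation.CertificateNotBeforeAnnotation: parsedCert.NotBefore.Format(time.RFC3339),
+certrotation.CertificateNotAfterAnnotation: parsedCert.NotAfter.Format(time.RFC3339),
 },
 },
 Data: map[string][]byte{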
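Review bot: Both new error returns in the third hunk discard the underlying error, so an operator who sees `private key doesn't match the certificate of authenticator secret` or `failed to parse the certificate of authenticator secret` in the controller status gets no hint of the real cause (unsupported key type, truncated PEM, corrupted DER); wrap it with `%w` instead, e.g. `return nil, fmt.Errorf("private key doesn't match the certificate of authenticator secret: %w", err)` and `return nil, fmt.Errorf("parsing the certificate of authenticator secret: %w", err)`. The `var block *pem.Block` declaration followed by `block, _ = pem.Decode(cert)` collapses to `block, _ := pem.Decode(cert)`, and the comment above it reads better as `// extract not-before/not-after timestamps from the first certificate block of the authenticator secret`. Note that the strict first-block check here is intentionally tighter than tls.X509KeyPair, which tolerates non-CERTIFICATE blocks, so the two checks are not redundant and a short comment saying so would help the next reader. `time.RFC3339` is used without `time` appearing in the added imports, so presumably it was already imported above the first hunk; ensureKubeConfigSecret itself starts and ends outside this hunk.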
