Add signerName field to CSR resource spec

Signed-off-by: James Munnelly <[email protected]>

Author: James Munnelly

api/openapi-spec/swagger.json

@@ -300,7 +300,7 @@ func (s *csrSimulator) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 			PrivateKey:  s.serverPrivateKey,
 			Backdate:    s.backdate,
 		}
-		cr, err := capihelper.ParseCSR(csr)
+		cr, err := capihelper.ParseCSR(csr.Spec.Request)
 		if err != nil {
 			t.Fatal(err)
 		}

cmd/kubelet/app/server_bootstrap_test.go

@@ -29,6 +29,7 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 		func(obj *certificates.CertificateSigningRequestSpec, c fuzz.Continue) {
 			c.FuzzNoCustom(obj) // fuzz self without calling this function again
 			obj.Usages = []certificates.KeyUsage{certificates.UsageKeyEncipherment}
+			obj.SignerName = "example.com/custom-sample-signer"
 		},
 	}
 }

pkg/apis/certificates/fuzzer/fuzzer.go

@@ -42,6 +42,12 @@ type CertificateSigningRequestSpec struct {
 	// Base64-encoded PKCS#10 CSR data
 	Request []byte
 
+	// Requested signer for the request. It is a qualified name in the form:
+	// `scope-hostname.io/name`.
+	// Distribution of trust for signers happens out of band.
+	// You can select on this field using `spec.signerName`.
+	SignerName string
+
 	// usages specifies a set of usage contexts the key will be
 	// valid for.
 	// See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3

pkg/apis/certificates/types.go

@@ -3,11 +3,13 @@ package(default_visibility = ["//visibility:public"])
 load(
     "@io_bazel_rules_go//go:def.bzl",
     "go_library",
+    "go_test",
 )
 
 go_library(
     name = "go_default_library",
     srcs = [
+        "conversion.go",
         "defaults.go",
         "doc.go",
         "helpers.go",
@@ -19,9 +21,11 @@ go_library(
     deps = [
         "//pkg/apis/certificates:go_default_library",
         "//staging/src/k8s.io/api/certificates/v1beta1:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/conversion:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
     ],
 )
 
@@ -37,3 +41,10 @@ filegroup(
     srcs = [":package-srcs"],
     tags = ["automanaged"],
 )
+
+go_test(
+    name = "go_default_test",
+    srcs = ["defaults_test.go"],
+    embed = [":go_default_library"],
+    deps = ["//staging/src/k8s.io/api/certificates/v1beta1:go_default_library"],
+)

pkg/apis/certificates/v1beta1/BUILD

@@ -0,0 +1,38 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func addConversionFuncs(scheme *runtime.Scheme) error {
+	// Add field conversion funcs.
+	return scheme.AddFieldLabelConversionFunc(SchemeGroupVersion.WithKind("CertificateSigningRequest"),
+		func(label, value string) (string, string, error) {
+			switch label {
+			case "metadata.name",
+				"spec.signerName":
+				return label, value, nil
+			default:
+				return "", "", fmt.Errorf("field label not supported: %s", label)
+			}
+		},
+	)
+}

pkg/apis/certificates/v1beta1/conversion.go

@@ -17,15 +17,113 @@ limitations under the License.
 package v1beta1
 
 import (
+	"crypto/x509"
+	"reflect"
+	"strings"
+
 	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/util/sets"
 )
 
 func addDefaultingFuncs(scheme *runtime.Scheme) error {
 	return RegisterDefaults(scheme)
 }
+
 func SetDefaults_CertificateSigningRequestSpec(obj *certificatesv1beta1.CertificateSigningRequestSpec) {
 	if obj.Usages == nil {
 		obj.Usages = []certificatesv1beta1.KeyUsage{certificatesv1beta1.UsageDigitalSignature, certificatesv1beta1.UsageKeyEncipherment}
 	}
+
+	if obj.SignerName == nil {
+		signerName := DefaultSignerNameFromSpec(obj)
+		obj.SignerName = &signerName
+	}
+}
+
+// DefaultSignerNameFromSpec will determine the signerName that should be set
+// by attempting to inspect the 'request' content and the spec options.
+func DefaultSignerNameFromSpec(obj *certificatesv1beta1.CertificateSigningRequestSpec) string {
+	csr, err := ParseCSR(obj.Request)
+	switch {
+	case err != nil:
+		// Set the signerName to 'legacy-unknown' as the CSR could not be
+		// recognised.
+		return certificatesv1beta1.LegacyUnknownSignerName
+	case IsKubeletClientCSR(csr, obj.Usages):
+		return certificatesv1beta1.KubeAPIServerClientKubeletSignerName
+	case IsKubeletServingCSR(csr, obj.Usages):
+		return certificatesv1beta1.KubeletServingSignerName
+	default:
+		return certificatesv1beta1.LegacyUnknownSignerName
+	}
+}
+
+func IsKubeletServingCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) bool {
+	if !reflect.DeepEqual([]string{"system:nodes"}, req.Subject.Organization) {
+		return false
+	}
+
+	// at least one of dnsNames or ipAddresses must be specified
+	if len(req.DNSNames) == 0 && len(req.IPAddresses) == 0 {
+		return false
+	}
+
+	if len(req.EmailAddresses) > 0 || len(req.URIs) > 0 {
+		return false
+	}
+
+	requiredUsages := []certificatesv1beta1.KeyUsage{
+		certificatesv1beta1.UsageDigitalSignature,
+		certificatesv1beta1.UsageKeyEncipherment,
+		certificatesv1beta1.UsageServerAuth,
+	}
+	if !equalUnsorted(requiredUsages, usages) {
+		return false
+	}
+
+	if !strings.HasPrefix(req.Subject.CommonName, "system:node:") {
+		return false
+	}
+
+	return true
+}
+
+func IsKubeletClientCSR(req *x509.CertificateRequest, usages []certificatesv1beta1.KeyUsage) bool {
+	if !reflect.DeepEqual([]string{"system:nodes"}, req.Subject.Organization) {
+		return false
+	}
+
+	if len(req.DNSNames) > 0 || len(req.EmailAddresses) > 0 || len(req.IPAddresses) > 0 || len(req.URIs) > 0 {
+		return false
+	}
+
+	if !strings.HasPrefix(req.Subject.CommonName, "system:node:") {
+		return false
+	}
+
+	requiredUsages := []certificatesv1beta1.KeyUsage{
+		certificatesv1beta1.UsageDigitalSignature,
+		certificatesv1beta1.UsageKeyEncipherment,
+		certificatesv1beta1.UsageClientAuth,
+	}
+	if !equalUnsorted(requiredUsages, usages) {
+		return false
+	}
+
+	return true
+}
+
+// equalUnsorted compares two []string for equality of contents regardless of
+// the order of the elements
+func equalUnsorted(left, right []certificatesv1beta1.KeyUsage) bool {
+	l := sets.NewString()
+	for _, s := range left {
+		l.Insert(string(s))
+	}
+	r := sets.NewString()
+	for _, s := range right {
+		r.Insert(string(s))
+	}
+	return l.Equal(r)
 }