diff options
| -rw-r--r-- | app/models/clusters/applications/helm.rb | 6 | ||||
| -rw-r--r-- | lib/gitlab/kubernetes/helm/certificate.rb | 9 | ||||
| -rw-r--r-- | spec/lib/gitlab/kubernetes/helm/certificate_spec.rb | 27 | ||||
| -rw-r--r-- | spec/models/clusters/applications/helm_spec.rb | 3 | ||||
| -rw-r--r-- | spec/models/clusters/applications/ingress_spec.rb | 3 | ||||
| -rw-r--r-- | spec/models/clusters/applications/jupyter_spec.rb | 3 | ||||
| -rw-r--r-- | spec/models/clusters/applications/prometheus_spec.rb | 3 | ||||
| -rw-r--r-- | spec/models/clusters/applications/runner_spec.rb | 3 |
8 files changed, 51 insertions, 6 deletions
diff --git a/app/models/clusters/applications/helm.rb b/app/models/clusters/applications/helm.rb index f08224e94c2..0004997e1a0 100644 --- a/app/models/clusters/applications/helm.rb +++ b/app/models/clusters/applications/helm.rb @@ -31,8 +31,7 @@ module Clusters end def issue_cert - ca_cert_obj - .issue + ca_cert_obj.issue end def set_initial_status @@ -42,7 +41,8 @@ module Clusters end def install_command - tiller_cert = issue_cert + tiller_cert = ca_cert_obj.issue(expires_in: Gitlab::Kubernetes::Helm::Certificate::INFINITE_EXPIRY) + Gitlab::Kubernetes::Helm::InitCommand.new( name: name, files: { diff --git a/lib/gitlab/kubernetes/helm/certificate.rb b/lib/gitlab/kubernetes/helm/certificate.rb index dc8f4ca2489..d5afc737654 100644 --- a/lib/gitlab/kubernetes/helm/certificate.rb +++ b/lib/gitlab/kubernetes/helm/certificate.rb @@ -2,6 +2,9 @@ module Gitlab module Kubernetes module Helm class Certificate + INFINITE_EXPIRY = 1000.years + SHORT_EXPIRY = 30.minutes + attr_reader :key, :cert def key_string @@ -27,7 +30,7 @@ module Gitlab cert = OpenSSL::X509::Certificate.new cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject) cert.not_before = Time.now - cert.not_after = Time.now + 365 * 24 * 60 * 60 + cert.not_after = INFINITE_EXPIRY.from_now cert.public_key = public_key cert.serial = 0x0 cert.version = 2 @@ -44,7 +47,7 @@ module Gitlab new(key, cert) end - def issue + def issue(expires_in: SHORT_EXPIRY) key = OpenSSL::PKey::RSA.new(4096) public_key = key.public_key @@ -54,7 +57,7 @@ module Gitlab cert.subject = OpenSSL::X509::Name.parse(subject) cert.issuer = self.cert.subject cert.not_before = Time.now - cert.not_after = Time.now + 365 * 24 * 60 * 60 + cert.not_after = expires_in.from_now cert.public_key = public_key cert.serial = 0x0 cert.version = 2 diff --git a/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb b/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb new file mode 100644 index 00000000000..f8d00c95a36 --- /dev/null +++ b/spec/lib/gitlab/kubernetes/helm/certificate_spec.rb @@ -0,0 +1,27 @@ +require 'spec_helper' + +describe Gitlab::Kubernetes::Helm::Certificate do + describe '.generate_root' do + subject { described_class.generate_root } + + it 'should generate a root CA that expires a long way in the future' do + expect(subject.cert.not_after).to be > 999.years.from_now + end + end + + describe '#issue' do + subject { described_class.generate_root.issue } + + it 'should generate a cert that expires soon' do + expect(subject.cert.not_after).to be < 60.minutes.from_now + end + + context 'passing in INFINITE_EXPIRY' do + subject { described_class.generate_root.issue(expires_in: described_class::INFINITE_EXPIRY) } + + it 'should generate a cert that expires a long way in the future' do + expect(subject.cert.not_after).to be > 999.years.from_now + end + end + end +end diff --git a/spec/models/clusters/applications/helm_spec.rb b/spec/models/clusters/applications/helm_spec.rb index 535e9f15919..6396048492e 100644 --- a/spec/models/clusters/applications/helm_spec.rb +++ b/spec/models/clusters/applications/helm_spec.rb @@ -43,6 +43,9 @@ describe Clusters::Applications::Helm do expect(subject.files[:'cert.pem']).to be_present expect(subject.files[:'key.pem']).to be_present + + cert = OpenSSL::X509::Certificate.new(subject.files[:'cert.pem']) + expect(cert.not_after).to be > 999.years.from_now end end end diff --git a/spec/models/clusters/applications/ingress_spec.rb b/spec/models/clusters/applications/ingress_spec.rb index 6426818d349..c76aae432f9 100644 --- a/spec/models/clusters/applications/ingress_spec.rb +++ b/spec/models/clusters/applications/ingress_spec.rb @@ -108,6 +108,9 @@ describe Clusters::Applications::Ingress do expect(subject[:'cert.pem']).to be_present expect(subject[:'key.pem']).to be_present + + cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem']) + expect(cert.not_after).to be < 60.minutes.from_now end end end diff --git a/spec/models/clusters/applications/jupyter_spec.rb b/spec/models/clusters/applications/jupyter_spec.rb index 4a470bbea74..a8cf44ac8a8 100644 --- a/spec/models/clusters/applications/jupyter_spec.rb +++ b/spec/models/clusters/applications/jupyter_spec.rb @@ -53,6 +53,9 @@ describe Clusters::Applications::Jupyter do expect(subject[:'cert.pem']).to be_present expect(subject[:'key.pem']).to be_present + + cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem']) + expect(cert.not_after).to be < 60.minutes.from_now end context 'when the helm application does not have a ca_cert' do diff --git a/spec/models/clusters/applications/prometheus_spec.rb b/spec/models/clusters/applications/prometheus_spec.rb index c506d3a69e2..313bd741f88 100644 --- a/spec/models/clusters/applications/prometheus_spec.rb +++ b/spec/models/clusters/applications/prometheus_spec.rb @@ -168,6 +168,9 @@ describe Clusters::Applications::Prometheus do expect(subject[:'cert.pem']).to be_present expect(subject[:'key.pem']).to be_present + + cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem']) + expect(cert.not_after).to be < 60.minutes.from_now end context 'when the helm application does not have a ca_cert' do diff --git a/spec/models/clusters/applications/runner_spec.rb b/spec/models/clusters/applications/runner_spec.rb index ab37603e4ec..65aaa1ee882 100644 --- a/spec/models/clusters/applications/runner_spec.rb +++ b/spec/models/clusters/applications/runner_spec.rb @@ -49,6 +49,9 @@ describe Clusters::Applications::Runner do expect(subject[:'cert.pem']).to be_present expect(subject[:'key.pem']).to be_present + + cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem']) + expect(cert.not_after).to be < 60.minutes.from_now end context 'when the helm application does not have a ca_cert' do |