mirror of
https://github.com/siderolabs/talos.git
synced 2025-08-26 09:01:17 +02:00
86 lines
2.7 KiB
Go
86 lines
2.7 KiB
Go
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
package userdata
|
|
|
|
import (
|
|
"encoding/pem"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/go-multierror"
|
|
"github.com/talos-systems/talos/pkg/crypto/x509"
|
|
"golang.org/x/xerrors"
|
|
)
|
|
|
|
// KubernetesSecurity represents the set of security options specific to
|
|
// Kubernetes.
|
|
type KubernetesSecurity struct {
|
|
CA *x509.PEMEncodedCertificateAndKey `yaml:"ca"`
|
|
}
|
|
|
|
// KubernetesSecurityCheck defines the function type for checks
|
|
type KubernetesSecurityCheck func(*KubernetesSecurity) error
|
|
|
|
// Validate triggers the specified validation checks to run
|
|
func (k *KubernetesSecurity) Validate(checks ...KubernetesSecurityCheck) error {
|
|
var result *multierror.Error
|
|
|
|
for _, check := range checks {
|
|
result = multierror.Append(result, check(k))
|
|
}
|
|
|
|
return result.ErrorOrNil()
|
|
}
|
|
|
|
// CheckKubernetesCA verfies the KubernetesSecurity settings are valid
|
|
// nolint: dupl
|
|
func CheckKubernetesCA() KubernetesSecurityCheck {
|
|
return func(k *KubernetesSecurity) error {
|
|
var result *multierror.Error
|
|
|
|
// Verify the required sections are present
|
|
if k.CA == nil {
|
|
result = multierror.Append(result, xerrors.Errorf("[%s] %q: %w", "security.kubernetes.ca", "", ErrRequiredSection))
|
|
}
|
|
|
|
// Bail early since we're already missing the required sections
|
|
if result.ErrorOrNil() != nil {
|
|
return result.ErrorOrNil()
|
|
}
|
|
|
|
if k.CA.Crt == nil {
|
|
result = multierror.Append(result, xerrors.Errorf("[%s] %q: %w", "security.kubernetes.ca.crt", "", ErrRequiredSection))
|
|
}
|
|
|
|
if k.CA.Key == nil {
|
|
result = multierror.Append(result, xerrors.Errorf("[%s] %q: %w", "security.kubernetes.ca.key", "", ErrRequiredSection))
|
|
}
|
|
|
|
// test if k.CA fields are present ( x509 package handles the b64 decode
|
|
// during yaml unmarshal, so we have the bytes if it was successful )
|
|
var block *pem.Block
|
|
block, _ = pem.Decode(k.CA.Crt)
|
|
// nolint: gocritic
|
|
if block == nil {
|
|
result = multierror.Append(result, xerrors.Errorf("[%s] %q: %w", "security.kubernetes.ca.crt", k.CA.Crt, ErrInvalidCert))
|
|
} else {
|
|
if block.Type != "CERTIFICATE" {
|
|
result = multierror.Append(result, xerrors.Errorf("[%s] %q: %w", "security.kubernetes.ca.crt", k.CA.Crt, ErrInvalidCertType))
|
|
}
|
|
}
|
|
|
|
block, _ = pem.Decode(k.CA.Key)
|
|
// nolint: gocritic
|
|
if block == nil {
|
|
result = multierror.Append(result, xerrors.Errorf("[%s] %q: %w", "security.kubernetes.ca.key", k.CA.Key, ErrInvalidCert))
|
|
} else {
|
|
if !strings.HasSuffix(block.Type, "PRIVATE KEY") {
|
|
result = multierror.Append(result, xerrors.Errorf("[%s] %q: %w", "security.kubernetes.ca.key", k.CA.Key, ErrInvalidCertType))
|
|
}
|
|
}
|
|
|
|
return result.ErrorOrNil()
|
|
}
|
|
}
|