add pkc8 der key

nais · Apr 18, 2024 · 6d304c0 · 6d304c0
1 parent 3fd6f12
commit 6d304c0
Show file tree

Hide file tree

Showing 5 changed files with 80 additions and 23 deletions.
diff --git a/go.mod b/go.mod
@@ -13,7 +13,6 @@ replace github.com/GoogleCloudPlatform/k8s-config-connector/mockgcp => ./invalid
 
 require (
 	github.com/GoogleCloudPlatform/k8s-config-connector v1.116.0
-	github.com/go-logr/logr v1.4.1
 	github.com/golangci/golangci-lint v1.57.2
 	github.com/nais/liberator v0.0.0-20240412093323-c3d6aeb3b6d3
 	github.com/onsi/ginkgo/v2 v2.17.1
@@ -75,6 +74,7 @@ require (
 	github.com/fzipp/gocyclo v0.6.0 // indirect
 	github.com/ghostiam/protogetter v0.3.5 // indirect
 	github.com/go-critic/go-critic v0.11.2 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
@@ -103,7 +103,7 @@ require (
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20210804190019-f964ff605595 // indirect
+	github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gordonklaus/ineffassign v0.1.0 // indirect
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
@@ -140,7 +140,7 @@ require (
 	github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.9 // indirect
+	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/mgechev/revive v1.3.7 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/hashstructure v1.1.0 // indirect
@@ -165,6 +165,7 @@ require (
 	github.com/quasilyte/gogrep v0.5.0 // indirect
 	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
 	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/ryancurrah/gomodguard v1.3.1 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect

diff --git a/go.sum b/go.sum
@@ -53,8 +53,6 @@ github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 h1:sHglBQTwgx+rW
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
 github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0 h1:sATXp1x6/axKxz2Gjxv8MALP0bXaNRfQinEwyfMcx8c=
 github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0/go.mod h1:Nl76DrGNJTA1KJ0LePKBw/vznBX1EHbAZX8mwjR82nI=
-github.com/GoogleCloudPlatform/k8s-config-connector v1.115.0 h1:TXrr4LCw+gr4FKgZCJHk9cF3sZ7+THI7RqW3/IYwpvw=
-github.com/GoogleCloudPlatform/k8s-config-connector v1.115.0/go.mod h1:5WJhUhJ3proxdCHxwdC/iIev8Jiap4rGnkFF8R9e6yA=
 github.com/GoogleCloudPlatform/k8s-config-connector v1.116.0 h1:gkKsgDzWT9E+Eyjwn3nr+en0nw0GIWuiNDXQsySBJ6g=
 github.com/GoogleCloudPlatform/k8s-config-connector v1.116.0/go.mod h1:hHwygEI1RglaJp+UDpNXiBeUOMKXJbr/IubH/NUYZ+M=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
@@ -288,8 +286,8 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20210804190019-f964ff605595 h1:uNrRgpnKjTfxu4qHaZAAs3eKTYV1EzGF3dAykpnxgDE=
-github.com/google/pprof v0.0.0-20210804190019-f964ff605595/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b h1:RMpPgZTSApbPf7xaVel+QkoGPRLFLrwFO89uDUHEGf0=
+github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -319,7 +317,6 @@ github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -398,8 +395,9 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
+github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mgechev/revive v1.3.7 h1:502QY0vQGe9KtYJ9FpxMz9rL+Fc/P13CI5POL4uHCcE=
 github.com/mgechev/revive v1.3.7/go.mod h1:RJ16jUbF0OWC3co/+XTxmFNgEpUPwnnA0BRllX2aDNA=
@@ -492,6 +490,9 @@ github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 h1:TCg2WBOl
 github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0=
 github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 h1:M8mH9eK4OUR4lu7Gd+PU1fV2/qnDNfzT635KRSObncs=
 github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567/go.mod h1:DWNGW8A4Y+GyBgPuaQJuWiy0XYftx4Xm/y5Jqk9I6VQ=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
+github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=

diff --git a/internal/controller/sqlsslcert_controller.go b/internal/controller/sqlsslcert_controller.go
@@ -2,27 +2,29 @@ package controller
 
 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"time"
 
+	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/sql/v1beta1"
 	"github.com/prometheus/client_golang/prometheus"
 	core_v1 "k8s.io/api/core/v1"
-	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/metrics"
-
-	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/sql/v1beta1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/metrics"
 )
 
 const (
 	certKey     = "cert.pem"
-	keyKey      = "key.pem"
+	pemKeyKey   = "key.pem"
+	derKeyKey   = "key.pk8"
 	rootCertKey = "root-cert.pem"
 )
 
@@ -119,9 +121,16 @@ func (r *SQLSSLCertReconciler) reconcileSQLSSLCert(ctx context.Context, req ctrl
 
 		secret.Annotations[deploymentCorrelationIdKey] = sqlSslCert.Annotations[deploymentCorrelationIdKey]
 
+		derKey, err := pemToPkcs8Der(*sqlSslCert.Status.PrivateKey)
+		if err != nil {
+			logger.Info("Failed to convert cert to DER", "error", err)
+		}
+		secret.Data = map[string][]byte{
+			derKeyKey: derKey,
+		}
 		secret.StringData = map[string]string{
 			certKey:     *sqlSslCert.Status.Cert,
-			keyKey:      *sqlSslCert.Status.PrivateKey,
+			pemKeyKey:   *sqlSslCert.Status.PrivateKey,
 			rootCertKey: *sqlSslCert.Status.ServerCaCert,
 		}
 
@@ -143,3 +152,34 @@ func (r *SQLSSLCertReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		For(&v1beta1.SQLSSLCert{}).
 		Complete(r)
 }
+
+func decodePrivateKeyPem(in []byte) ([]byte, error) {
+	for {
+		var block *pem.Block
+		block, in = pem.Decode(in)
+		if block == nil {
+			return nil, errors.New("failed to decode PEM block")
+		}
+		if block.Type == "RSA PRIVATE KEY" {
+			return block.Bytes, nil
+		}
+	}
+}
+func pemToPkcs8Der(pem string) ([]byte, error) {
+	der, err := decodePrivateKeyPem([]byte(pem))
+	if err != nil {
+		return nil, err
+	}
+
+	rsaKey, err := x509.ParsePKCS1PrivateKey(der)
+	if err != nil {
+		return nil, err
+	}
+
+	pkcs8WrappedRsaKey, err := x509.MarshalPKCS8PrivateKey(rsaKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return pkcs8WrappedRsaKey, nil
+}
diff --git a/internal/controller/sqlsslcert_controller_test.go b/internal/controller/sqlsslcert_controller_test.go
@@ -2,13 +2,14 @@ package controller
 
 import (
 	"context"
+	"time"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	core_v1 "k8s.io/api/core/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-	"time"
 
 	"github.com/GoogleCloudPlatform/k8s-config-connector/pkg/clients/generated/apis/sql/v1beta1"
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -21,6 +22,19 @@ import (
 var _ = Describe("SQLSSLCert Controller", func() {
 	ctx := context.Background()
 
+	testKey := `
+-----BEGIN RSA PRIVATE KEY-----
+MIIBOwIBAAJBAKxZ8OQ2RkTHffug5/194IXuJNw19zI15twhJ0lxSzdzcsz3ApeF
+0nA1iGdu2g70W3VnGA+4jm0UprjcJmUCxc8CAwEAAQJBAKczEcizBnRO+98SeDyo
+0xnar5OaHtdtBytiVlSfPhLpqvSdN1ydLw7sDvDUu9slE4dDJTMgdHGNgq0FNeRa
+EsECIQDbTx6p45xsm5I6iG1xYn+8X3hX+J8Y5VKb6/vgpSddkQIhAMkvphhiI2nj
+kmjJ/wvrJSq1fnjgJYAOQMPNUcb4o71fAiBwnv3ZMpimsXFze5HwUyvTmZdcXcGd
+8E3u4k2zvDwt8QIhAL1HQQMLwbmry2EfOf8imfMWkghzCZTy0+fjUZ7a6mINAiAj
+KChGB9mxeIDV+wqRFCOK0IVOlBk4e+O2mk31LrXibw==
+-----END RSA PRIVATE KEY-----`
+
+	testDerKey := []byte{48, 130, 1, 85, 2, 1, 0, 48, 13, 6, 9, 42, 134, 72, 134, 247, 13, 1, 1, 1, 5, 0, 4, 130, 1, 63, 48, 130, 1, 59, 2, 1, 0, 2, 65, 0, 172, 89, 240, 228, 54, 70, 68, 199, 125, 251, 160, 231, 253, 125, 224, 133, 238, 36, 220, 53, 247, 50, 53, 230, 220, 33, 39, 73, 113, 75, 55, 115, 114, 204, 247, 2, 151, 133, 210, 112, 53, 136, 103, 110, 218, 14, 244, 91, 117, 103, 24, 15, 184, 142, 109, 20, 166, 184, 220, 38, 101, 2, 197, 207, 2, 3, 1, 0, 1, 2, 65, 0, 167, 51, 17, 200, 179, 6, 116, 78, 251, 223, 18, 120, 60, 168, 211, 25, 218, 175, 147, 154, 30, 215, 109, 7, 43, 98, 86, 84, 159, 62, 18, 233, 170, 244, 157, 55, 92, 157, 47, 14, 236, 14, 240, 212, 187, 219, 37, 19, 135, 67, 37, 51, 32, 116, 113, 141, 130, 173, 5, 53, 228, 90, 18, 193, 2, 33, 0, 219, 79, 30, 169, 227, 156, 108, 155, 146, 58, 136, 109, 113, 98, 127, 188, 95, 120, 87, 248, 159, 24, 229, 82, 155, 235, 251, 224, 165, 39, 93, 145, 2, 33, 0, 201, 47, 166, 24, 98, 35, 105, 227, 146, 104, 201, 255, 11, 235, 37, 42, 181, 126, 120, 224, 37, 128, 14, 64, 195, 205, 81, 198, 248, 163, 189, 95, 2, 32, 112, 158, 253, 217, 50, 152, 166, 177, 113, 115, 123, 145, 240, 83, 43, 211, 153, 151, 92, 93, 193, 157, 240, 77, 238, 226, 77, 179, 188, 60, 45, 241, 2, 33, 0, 189, 71, 65, 3, 11, 193, 185, 171, 203, 97, 31, 57, 255, 34, 153, 243, 22, 146, 8, 115, 9, 148, 242, 211, 231, 227, 81, 158, 218, 234, 98, 13, 2, 32, 35, 40, 40, 70, 7, 217, 177, 120, 128, 213, 251, 10, 145, 20, 35, 138, 208, 133, 78, 148, 25, 56, 123, 227, 182, 154, 77, 245, 46, 181, 226, 111}
+
 	Context("When reconciling a resource", func() {
 		var clientBuilder *fake.ClientBuilder
 		var k8sClient client.Client
@@ -49,7 +63,7 @@ var _ = Describe("SQLSSLCert Controller", func() {
 					Spec: v1beta1.SQLSSLCertSpec{},
 					Status: v1beta1.SQLSSLCertStatus{
 						Cert:         ptr.To("dummy-cert"),
-						PrivateKey:   ptr.To("dummy-private-key"),
+						PrivateKey:   ptr.To(testKey),
 						ServerCaCert: ptr.To("dummy-server-ca-cert"),
 					},
 				}
@@ -81,8 +95,9 @@ var _ = Describe("SQLSSLCert Controller", func() {
 					Expect(err).ToNot(HaveOccurred())
 
 					Expect(secret.StringData).To(HaveKeyWithValue(certKey, "dummy-cert"))
-					Expect(secret.StringData).To(HaveKeyWithValue(keyKey, "dummy-private-key"))
+					Expect(secret.StringData).To(HaveKeyWithValue(pemKeyKey, testKey))
 					Expect(secret.StringData).To(HaveKeyWithValue(rootCertKey, "dummy-server-ca-cert"))
+					Expect(secret.Data).To(HaveKeyWithValue(derKeyKey, testDerKey))
 				})
 
 				It("should set owner reference and managed by", func() {
@@ -179,7 +194,7 @@ var _ = Describe("SQLSSLCert Controller", func() {
 					Expect(err).ToNot(HaveOccurred())
 
 					Expect(secret.StringData).To(HaveKeyWithValue(certKey, "dummy-cert"))
-					Expect(secret.StringData).To(HaveKeyWithValue(keyKey, "dummy-private-key"))
+					Expect(secret.StringData).To(HaveKeyWithValue(pemKeyKey, testKey))
 					Expect(secret.StringData).To(HaveKeyWithValue(rootCertKey, "dummy-server-ca-cert"))
 				})
 			})
@@ -206,7 +221,7 @@ var _ = Describe("SQLSSLCert Controller", func() {
 						},
 						StringData: map[string]string{
 							certKey:     "existing-cert",
-							keyKey:      "existing-private-key",
+							pemKeyKey:   "existing-private-key",
 							rootCertKey: "existing-server-ca-cert",
 						},
 					}
@@ -224,7 +239,7 @@ var _ = Describe("SQLSSLCert Controller", func() {
 					Expect(err).ToNot(HaveOccurred())
 
 					Expect(secret.StringData).To(HaveKeyWithValue(certKey, "existing-cert"))
-					Expect(secret.StringData).To(HaveKeyWithValue(keyKey, "existing-private-key"))
+					Expect(secret.StringData).To(HaveKeyWithValue(pemKeyKey, "existing-private-key"))
 					Expect(secret.StringData).To(HaveKeyWithValue(rootCertKey, "existing-server-ca-cert"))
 				})
 

diff --git a/internal/controller/sqluser_controller.go b/internal/controller/sqluser_controller.go
@@ -175,7 +175,7 @@ func (r *SQLUserReconciler) reconcileSQLUser(ctx context.Context, req ctrl.Reque
 
 		rootCertPath := filepath.Join(nais_io_v1alpha1.DefaultSqeletorMountPath, rootCertKey)
 		certPath := filepath.Join(nais_io_v1alpha1.DefaultSqeletorMountPath, certKey)
-		keyPath := filepath.Join(nais_io_v1alpha1.DefaultSqeletorMountPath, keyKey)
+		keyPath := filepath.Join(nais_io_v1alpha1.DefaultSqeletorMountPath, pemKeyKey)
 
 		queries := url.Values{}
 		queries.Add("sslmode", "verify-ca")