// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package auth
import (
"fmt"
"math"
"path"
"time"
"github.com/gitpod-io/gitpod/installer/pkg/common"
certmanagerv1 "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
)
// keypair renders the cert-manager Certificate that produces the auth
// component's token-signing key pair.
//
// The certificate is requested from the cluster-wide CA issuer
// (common.CertManagerCAIssuer) and materialised as the Secret named
// common.AuthPKISecretName in ctx.Namespace; getPKI mounts that Secret
// into the component. Because the private key inside it issues auth
// tokens (see PKIConfig.Signing), read access to the Secret is equivalent
// to the ability to mint tokens — RBAC on it should be as narrow as on any
// other credential.
//
// Duration is the largest representable time.Duration (~292 years), so
// cert-manager never rotates the key on its own; rotation has to be driven
// by the operator.
func keypair(ctx *common.RenderContext) ([]runtime.Object, error) {
	// SANs the certificate is valid for: the gitpod host inside the
	// namespace, the component's cluster-local service name, the bare
	// component name and its "-dev" variant.
	dnsNames := []string{
		fmt.Sprintf("gitpod.%s", ctx.Namespace),
		fmt.Sprintf("%s.%s.svc", Component, ctx.Namespace),
		Component,
		fmt.Sprintf("%s-dev", Component),
	}

	// Largest representable duration: cert-manager will never renew this
	// certificate by itself.
	neverExpire := &metav1.Duration{Duration: time.Duration(math.MaxInt64)}

	issuer := cmmeta.ObjectReference{
		Name:  common.CertManagerCAIssuer,
		Kind:  certmanagerv1.ClusterIssuerKind,
		Group: "cert-manager.io",
	}

	// RSA-4096 private key, PKCS#8 encoded.
	privateKey := &certmanagerv1.CertificatePrivateKey{
		Encoding:  certmanagerv1.PKCS8,
		Size:      4096,
		Algorithm: certmanagerv1.RSAKeyAlgorithm,
	}

	cert := &certmanagerv1.Certificate{
		TypeMeta: common.TypeMetaCertificate,
		ObjectMeta: metav1.ObjectMeta{
			Name:      common.AuthPKISecretName,
			Namespace: ctx.Namespace,
			Labels:    common.DefaultLabels(Component),
		},
		Spec: certmanagerv1.CertificateSpec{
			Duration:   neverExpire,
			SecretName: common.AuthPKISecretName,
			DNSNames:   dnsNames,
			IssuerRef:  issuer,
			PrivateKey: privateKey,
			// Propagate the component labels onto the generated Secret as
			// well, so it is selectable like the Certificate itself.
			SecretTemplate: &certmanagerv1.CertificateSecretTemplate{
				Labels: common.DefaultLabels(Component),
			},
		},
	}

	return []runtime.Object{cert}, nil
}
// getPKI returns the Volume and VolumeMount that expose the auth PKI
// Secret (common.AuthPKISecretName, rendered by keypair) to the auth
// container, together with the PKIConfig that tells the service where the
// mounted key files live.
//
// The Secret is mounted read-only under /secrets/auth-pki/signing and the
// signing key pair is addressed as tls.key / tls.crt inside that
// directory. Only a Signing key pair is configured; Validating is left
// empty, so no verification-only key pairs are handed to the service
// (presumably where previous signing keys would go during a rotation —
// verify against the consumer).
//
// path (not path/filepath) is used deliberately: these are container
// paths and must stay slash-separated regardless of the host the installer
// runs on.
func getPKI() ([]corev1.Volume, []corev1.VolumeMount, PKIConfig) {
	const (
		volumeName = "auth-pki-signing"
		baseDir    = "/secrets/auth-pki"
	)
	signingDir := path.Join(baseDir, "signing")

	secretVolume := corev1.Volume{
		Name: volumeName,
		VolumeSource: corev1.VolumeSource{
			Secret: &corev1.SecretVolumeSource{
				SecretName: common.AuthPKISecretName,
			},
		},
	}

	// Read-only: the container must not be able to alter its own signing
	// material.
	secretMount := corev1.VolumeMount{
		Name:      volumeName,
		MountPath: signingDir,
		ReadOnly:  true,
	}

	cfg := PKIConfig{
		Signing: KeyPair{
			// "0001" is the identifier the service sees for this pair;
			// presumably surfaced as a key id on issued tokens — confirm in
			// the consumer.
			ID:             "0001",
			PrivateKeyPath: path.Join(signingDir, "tls.key"),
			PublicKeyPath:  path.Join(signingDir, "tls.crt"),
		},
	}

	return []corev1.Volume{secretVolume}, []corev1.VolumeMount{secretMount}, cfg
}
// PKIConfig is the auth component's view of the key material that getPKI
// mounts; it is serialized as JSON (see the struct tags) into the
// component's configuration.
type PKIConfig struct {
	// Signing KeyPair is always used to issue new auth tokens. Whoever can
	// read its private key can mint tokens, so the Secret it is loaded from
	// must be treated as a credential.
	Signing KeyPair `json:"signing"`

	// Validating KeyPairs are used for checking validity only; they never
	// sign. Omitted from the JSON output when empty.
	Validating []KeyPair `json:"validating,omitempty"`
}
// KeyPair points the auth component at one key pair on disk; getPKI fills
// it with paths under the mounted PKI Secret.
type KeyPair struct {
	// ID identifies the key pair (getPKI uses "0001" for the signing
	// pair); presumably the key id carried by tokens — verify in the
	// consumer.
	ID string `json:"id"`
	// PrivateKeyPath is the path of the private key file (tls.key in
	// getPKI).
	PrivateKeyPath string `json:"privateKeyPath"`
	// PublicKeyPath is the path of the public half (tls.crt in getPKI).
	PublicKeyPath string `json:"publicKeyPath"`
}