From 6ad77ed384a42df3779c5f48423eda5a43151d81 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 28 Jan 2022 10:00:29 +0100 Subject: [PATCH 01/14] determine secret expiration by parsing certificates stored in secrets --- .../localscanner/certificate_expiration.go | 59 +++++++++++++++++++ .../certificate_expiration_test.go | 21 +++++++ 2 files changed, 80 insertions(+) create mode 100644 sensor/kubernetes/localscanner/certificate_expiration.go create mode 100644 sensor/kubernetes/localscanner/certificate_expiration_test.go diff --git a/sensor/kubernetes/localscanner/certificate_expiration.go b/sensor/kubernetes/localscanner/certificate_expiration.go new file mode 100644 index 0000000000000..4083e0586042f --- /dev/null +++ b/sensor/kubernetes/localscanner/certificate_expiration.go 
@@ -0,0 +1,59 @@ +package localscanner + +import ( + "time" + + "crypto/x509" + "math/rand" + + "github.com/cloudflare/cfssl/helpers" + "github.com/pkg/errors" + "github.com/stackrox/rox/generated/storage" + "github.com/stackrox/rox/pkg/mtls" + v1 "k8s.io/api/core/v1" +) + +func getSecretsCertRenewalTime(secrets map[storage.ServiceType]*v1.Secret) (time.Time, error) { + var ( + renewalTime time.Time + renewalTimeInitialized bool + ) + for _, secret := range secrets { + secretRenewalTime, err := getSecretRenewalTime(secret) + if err != nil { + return renewalTime, err + } + if !renewalTimeInitialized || secretRenewalTime.Before(renewalTime) { + renewalTimeInitialized = true + renewalTime = secretRenewalTime + } + } + return renewalTime, nil +} + +func getSecretRenewalTime(scannerSecret *v1.Secret) (time.Time, error) { + scannerCertBytes := scannerSecret.Data[mtls.ServiceCertFileName] + var ( + scannerCert *x509.Certificate + err error + ) + if len(scannerCertBytes) == 0 { + err = errors.Errorf("empty certificate for secret %s", scannerSecret.GetName()) + } else { + scannerCert, err = helpers.ParseCertificatePEM(scannerCertBytes) + } + if err != nil { + // Note this also covers a secret with no certificates stored, which should be refreshed immediately. + return time.Now(), err + } + + return getSecretRenewalTimeFromCertificate(scannerCert), nil +} + +func getSecretRenewalTimeFromCertificate(scannerCert *x509.Certificate) time.Time { + certValidityDurationSecs := scannerCert.NotAfter.Sub(scannerCert.NotBefore).Seconds() + durationBeforeRenewalAttempt := time.Second * + (time.Duration(certValidityDurationSecs/2) - time.Duration(rand.Intn(int(certValidityDurationSecs/10)))) + certRenewalTime := scannerCert.NotBefore.Add(durationBeforeRenewalAttempt) + return certRenewalTime +} diff --git a/sensor/kubernetes/localscanner/certificate_expiration_test.go b/sensor/kubernetes/localscanner/certificate_expiration_test.go new file mode 100644 index 0000000000000..345ea51059ec3 
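Review bot: `rand.Intn(int(certValidityDurationSecs/10))` in getSecretRenewalTimeFromCertificate panics when its argument is not positive, which happens for any certificate whose validity window is shorter than ten seconds or whose NotAfter precedes NotBefore; the certificate is read straight out of a secret, so a malformed one takes the caller down instead of yielding an error or an immediate renewal. The same expression survives the renames in [PATCH 06/14] and [PATCH 08/14] and the context of [PATCH 09/14]. Guarding the window and the jitter bound before calling rand.Intn avoids this, as sketched below. Separately, nothing seeds math/rand here; if the module builds with a Go release older than 1.20 the global source is deterministic, so the jitter sequence repeats identically on every restart — worth confirming against go.mod.
```go
func getSecretRenewalTimeFromCertificate(scannerCert *x509.Certificate) time.Time {
	validity := scannerCert.NotAfter.Sub(scannerCert.NotBefore)
	if validity <= 0 {
		// Empty or inverted validity window: the certificate is already due for renewal.
		return scannerCert.NotBefore
	}
	halfValidity := time.Duration(validity.Seconds()/2) * time.Second
	// rand.Intn panics on a non-positive bound, so skip the jitter for very short windows.
	var jitter time.Duration
	if jitterBoundSecs := int(validity.Seconds() / 10); jitterBoundSecs > 0 {
		jitter = time.Duration(rand.Intn(jitterBoundSecs)) * time.Second
	}
	return scannerCert.NotBefore.Add(halfValidity - jitter)
}
```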
--- /dev/null +++ b/sensor/kubernetes/localscanner/certificate_expiration_test.go @@ -0,0 +1,21 @@ +package localscanner + +import ( + "crypto/x509" + "testing" + "time" + + "github.com/stretchr/testify/assert" +) + +func TestGetSecretRenewalTimeFromCertificate(t *testing.T) { + now := time.Now() + afterOffset := 2 * 24 * time.Hour + scannerCert := &x509.Certificate{ + NotBefore: now, + NotAfter: now.Add(afterOffset), + } + certRenewalTime := getSecretRenewalTimeFromCertificate(scannerCert) + certDuration := time.Until(certRenewalTime) + assert.LessOrEqual(t, certDuration, afterOffset/2) +} \ No newline at end of file From 1ba1e4792fc17247793deef60f9bf5db2b75936d Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 28 Jan 2022 10:05:01 +0100 Subject: [PATCH 02/14] fix style --- sensor/kubernetes/localscanner/certificate_expiration.go | 8 +++++--- .../localscanner/certificate_expiration_test.go | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/sensor/kubernetes/localscanner/certificate_expiration.go b/sensor/kubernetes/localscanner/certificate_expiration.go index 4083e0586042f..9cd4c45c7c2b3 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration.go +++ b/sensor/kubernetes/localscanner/certificate_expiration.go @@ -5,7 +5,6 @@ import ( "crypto/x509" "math/rand" - "github.com/cloudflare/cfssl/helpers" "github.com/pkg/errors" "github.com/stackrox/rox/generated/storage" 
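Review bot: TestGetSecretRenewalTimeFromCertificate only bounds the renewal time from above, so an implementation that returned NotBefore itself, or any instant in the past, would pass; since the jitter is drawn from `rand.Intn` over a tenth of the validity window, the renewal must also land at least 40% of the window after NotBefore. Adding `assert.GreaterOrEqual(t, certDuration, afterOffset*2/5-time.Minute)` pins the lower edge, the minute absorbing the wall-clock time elapsed between `time.Now()` and `time.Until`. The suite-based rewrites of this test in [PATCH 07/14] and [PATCH 11/14] keep the one-sided assertion.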
@@ -13,9 +12,12 @@ import ( v1 "k8s.io/api/core/v1" ) -func getSecretsCertRenewalTime(secrets map[storage.ServiceType]*v1.Secret) (time.Time, error) { +// GetSecretsCertRenewalTime computes the time when the service certificates stored in a set of +// secrets should be refreshed. +// If different services have different expiration times then the earliest time is returned. +func GetSecretsCertRenewalTime(secrets map[storage.ServiceType]*v1.Secret) (time.Time, error) { var ( - renewalTime time.Time + renewalTime time.Time renewalTimeInitialized bool ) for _, secret := range secrets { diff --git a/sensor/kubernetes/localscanner/certificate_expiration_test.go b/sensor/kubernetes/localscanner/certificate_expiration_test.go index 345ea51059ec3..0407721a8ce3d 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration_test.go +++ b/sensor/kubernetes/localscanner/certificate_expiration_test.go @@ -18,4 +18,4 @@ func TestGetSecretRenewalTimeFromCertificate(t *testing.T) { certRenewalTime := getSecretRenewalTimeFromCertificate(scannerCert) certDuration := time.Until(certRenewalTime) assert.LessOrEqual(t, certDuration, afterOffset/2) -} \ No newline at end of file +} From e1c021db5d5b317bf4db9cbfcefa474f5a2ed246 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Fri, 28 Jan 2022 17:00:21 +0100 Subject: [PATCH 03/14] fix style --- sensor/kubernetes/localscanner/certificate_expiration.go | 1 + 1 file changed, 1 insertion(+) diff --git a/sensor/kubernetes/localscanner/certificate_expiration.go b/sensor/kubernetes/localscanner/certificate_expiration.go index 9cd4c45c7c2b3..f36e368328925 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration.go +++ b/sensor/kubernetes/localscanner/certificate_expiration.go @@ -5,6 +5,7 @@ import ( "crypto/x509" "math/rand" + "github.com/cloudflare/cfssl/helpers" "github.com/pkg/errors" "github.com/stackrox/rox/generated/storage" From 9395f0ea1440ae283f84518603c30e778f4cbee6 Mon Sep 17 00:00:00 2001 
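Review bot: The new doc comment on GetSecretsCertRenewalTime does not say what an empty `secrets` map yields: the loop never runs, renewalTimeInitialized stays false, and the function returns the zero time.Time with a nil error, which a caller that schedules the next refresh from the result would read as "renew now". Either document it, e.g. `// An empty set of secrets yields the zero time and no error; callers must check IsZero before scheduling.`, or return an explicit error for that case. The function body continues past the end of the hunk, and the same shape persists in GetCertsRenewalTime in [PATCH 11/14].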
From: Juan Rodriguez Hortala Date: Fri, 28 Jan 2022 17:01:05 +0100 Subject: [PATCH 04/14] fix style --- sensor/kubernetes/localscanner/certificate_expiration.go | 1 - 1 file changed, 1 deletion(-) diff --git a/sensor/kubernetes/localscanner/certificate_expiration.go b/sensor/kubernetes/localscanner/certificate_expiration.go index f36e368328925..9cd4c45c7c2b3 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration.go +++ b/sensor/kubernetes/localscanner/certificate_expiration.go @@ -5,7 +5,6 @@ import ( "crypto/x509" "math/rand" - "github.com/cloudflare/cfssl/helpers" "github.com/pkg/errors" "github.com/stackrox/rox/generated/storage" From ac5d57415a361cc6966040cbecad9a4a1f8f27c2 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Tue, 1 Feb 2022 15:20:40 +0100 Subject: [PATCH 05/14] use fixed time instead of now --- .../kubernetes/localscanner/certificate_expiration_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/sensor/kubernetes/localscanner/certificate_expiration_test.go b/sensor/kubernetes/localscanner/certificate_expiration_test.go index 0407721a8ce3d..b991f641b1697 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration_test.go +++ b/sensor/kubernetes/localscanner/certificate_expiration_test.go @@ -9,11 +9,11 @@ import ( ) func TestGetSecretRenewalTimeFromCertificate(t *testing.T) { - now := time.Now() + beforeTime := time.Unix(0, 0) afterOffset := 2 * 24 * time.Hour scannerCert := &x509.Certificate{ - NotBefore: now, - NotAfter: now.Add(afterOffset), + NotBefore: beforeTime, + NotAfter: beforeTime.Add(afterOffset), } certRenewalTime := getSecretRenewalTimeFromCertificate(scannerCert) certDuration := time.Until(certRenewalTime) From ab76c5ce9ff7d831945b69549b2c824d3fc0e9ea Mon Sep 17 00:00:00 2001 
From: Juan Rodriguez Hortala Date: Tue, 1 Feb 2022 15:53:26 +0100 Subject: [PATCH 06/14] remove references to scanner --- .../localscanner/certificate_expiration.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/sensor/kubernetes/localscanner/certificate_expiration.go b/sensor/kubernetes/localscanner/certificate_expiration.go index 9cd4c45c7c2b3..d13a43f73de99 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration.go +++ b/sensor/kubernetes/localscanner/certificate_expiration.go @@ -33,16 +33,16 @@ func GetSecretsCertRenewalTime(secrets map[storage.ServiceType]*v1.Secret) (time return renewalTime, nil } -func getSecretRenewalTime(scannerSecret *v1.Secret) (time.Time, error) { - scannerCertBytes := scannerSecret.Data[mtls.ServiceCertFileName] +func getSecretRenewalTime(secret *v1.Secret) (time.Time, error) { + certBytes := secret.Data[mtls.ServiceCertFileName] var ( scannerCert *x509.Certificate err error ) - if len(scannerCertBytes) == 0 { - err = errors.Errorf("empty certificate for secret %s", scannerSecret.GetName()) + if len(certBytes) == 0 { + err = errors.Errorf("empty certificate for secret %s", secret.GetName()) } else { - scannerCert, err = helpers.ParseCertificatePEM(scannerCertBytes) + scannerCert, err = helpers.ParseCertificatePEM(certBytes) } if err != nil { // Note this also covers a secret with no certificates stored, which should be refreshed immediately. 
@@ -52,10 +52,10 @@ func getSecretRenewalTime(scannerSecret *v1.Secret) (time.Time, error) { return getSecretRenewalTimeFromCertificate(scannerCert), nil } -func getSecretRenewalTimeFromCertificate(scannerCert *x509.Certificate) time.Time { - certValidityDurationSecs := scannerCert.NotAfter.Sub(scannerCert.NotBefore).Seconds() +func getSecretRenewalTimeFromCertificate(certificate *x509.Certificate) time.Time { + certValidityDurationSecs := certificate.NotAfter.Sub(certificate.NotBefore).Seconds() durationBeforeRenewalAttempt := time.Second * (time.Duration(certValidityDurationSecs/2) - time.Duration(rand.Intn(int(certValidityDurationSecs/10)))) - certRenewalTime := scannerCert.NotBefore.Add(durationBeforeRenewalAttempt) + certRenewalTime := certificate.NotBefore.Add(durationBeforeRenewalAttempt) return certRenewalTime } From 49a9ef72c2f4b18eed27d43235acf23b3165aff8 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Tue, 1 Feb 2022 16:39:37 +0100 Subject: [PATCH 07/14] test public method --- .../certificate_expiration_test.go | 76 ++++++++++++++++--- 1 file changed, 66 insertions(+), 10 deletions(-) diff --git a/sensor/kubernetes/localscanner/certificate_expiration_test.go b/sensor/kubernetes/localscanner/certificate_expiration_test.go index b991f641b1697..6f88e8379ab3b 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration_test.go +++ b/sensor/kubernetes/localscanner/certificate_expiration_test.go 
@@ -1,21 +1,77 @@ package localscanner import ( - "crypto/x509" "testing" "time" - "github.com/stretchr/testify/assert" + testutilsMTLS "github.com/stackrox/rox/central/testutils/mtls" + "github.com/stackrox/rox/generated/storage" + "github.com/stackrox/rox/pkg/mtls" + "github.com/stackrox/rox/pkg/testutils/envisolator" + "github.com/stretchr/testify/suite" + v1 "k8s.io/api/core/v1" ) -func TestGetSecretRenewalTimeFromCertificate(t *testing.T) { - beforeTime := time.Unix(0, 0) - afterOffset := 2 * 24 * time.Hour - scannerCert := &x509.Certificate{ - NotBefore: beforeTime, - NotAfter: beforeTime.Add(afterOffset), +var ( + // should be the same as the expiration corresponding to `mtls.WithValidityExpiringInHours()`. + afterOffset = 3 * time.Hour +) + +func TestGetSecretRenewalTime(t *testing.T) { + suite.Run(t, new(getSecretRenewalTimeSuite)) +} + +type getSecretRenewalTimeSuite struct { + suite.Suite + envIsolator *envisolator.EnvIsolator +} + +func (s *getSecretRenewalTimeSuite) SetupSuite() { + s.envIsolator = envisolator.NewEnvIsolator(s.T()) +} + +func (s *getSecretRenewalTimeSuite) SetupTest() { + err := testutilsMTLS.LoadTestMTLSCerts(s.envIsolator) + s.Require().NoError(err) +} + +func (s *getSecretRenewalTimeSuite) TearDownTest() { + s.envIsolator.RestoreAll() +} + +func (s *getSecretRenewalTimeSuite) TestGetSecretsCertRenewalTime() { + certPEMHours, err := issueCertificatePEM(mtls.WithValidityExpiringInHours()) + s.Require().NoError(err) + certPEMDays, err := issueCertificatePEM(mtls.WithValidityExpiringInDays()) + s.Require().NoError(err) + + secrets := map[storage.ServiceType]*v1.Secret{ + storage.ServiceType_SCANNER_DB_SERVICE: { + Data: map[string][]byte{ + mtls.ServiceCertFileName: certPEMHours, + }, + }, + storage.ServiceType_SCANNER_SERVICE: { + Data: map[string][]byte{ + mtls.ServiceCertFileName: certPEMDays, + }, + }, } - certRenewalTime := getSecretRenewalTimeFromCertificate(scannerCert) + certRenewalTime, err := GetSecretsCertRenewalTime(secrets) 
+ s.Require().NoError(err) certDuration := time.Until(certRenewalTime) - assert.LessOrEqual(t, certDuration, afterOffset/2) + s.LessOrEqual(certDuration, afterOffset/2) +} + +func issueCertificatePEM(issueOption mtls.IssueCertOption) ([]byte, error) { + ca, err := mtls.CAForSigning() + if err != nil { + return nil, err + } + subject := mtls.NewSubject("clusterId", storage.ServiceType_SCANNER_SERVICE) + cert, err := ca.IssueCertForSubject(subject, issueOption) + if err != nil { + return nil, err + } + return cert.CertPEM, err } From a47f8509a1d08d2e7534a1f6ea14fe15ecbc5137 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Tue, 1 Feb 2022 16:53:01 +0100 Subject: [PATCH 08/14] improve naming of fields and methods --- .../localscanner/certificate_expiration.go | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/sensor/kubernetes/localscanner/certificate_expiration.go b/sensor/kubernetes/localscanner/certificate_expiration.go index d13a43f73de99..3307d2f204916 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration.go +++ b/sensor/kubernetes/localscanner/certificate_expiration.go @@ -5,6 +5,7 @@ import ( "crypto/x509" "math/rand" + "github.com/cloudflare/cfssl/helpers" "github.com/pkg/errors" "github.com/stackrox/rox/generated/storage" 
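Review bot: `return cert.CertPEM, err` at the end of issueCertificatePEM returns an err that is necessarily nil at that point, since the preceding check already returned on failure; `return cert.CertPEM, nil` says what is meant. The `afterOffset = 3 * time.Hour` constant is tied to `mtls.WithValidityExpiringInHours()` only by the comment, so if that option's validity ever changes the assertion silently loosens or tightens without failing; deriving the bound from the issued certificate's NotAfter (the PEM is in hand) would remove the coupling.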
@@ -33,29 +34,29 @@ func GetSecretsCertRenewalTime(secrets map[storage.ServiceType]*v1.Secret) (time return renewalTime, nil } -func getSecretRenewalTime(secret *v1.Secret) (time.Time, error) { - certBytes := secret.Data[mtls.ServiceCertFileName] +func getSecretRenewalTime(certSecret *v1.Secret) (time.Time, error) { + certBytes := certSecret.Data[mtls.ServiceCertFileName] var ( - scannerCert *x509.Certificate + cert *x509.Certificate err error ) if len(certBytes) == 0 { - err = errors.Errorf("empty certificate for secret %s", secret.GetName()) + err = errors.Errorf("empty certificate for certSecret %s", certSecret.GetName()) } else { - scannerCert, err = helpers.ParseCertificatePEM(certBytes) + cert, err = helpers.ParseCertificatePEM(certBytes) } if err != nil { - // Note this also covers a secret with no certificates stored, which should be refreshed immediately. + // Note this also covers a certSecret with no certificates stored, which should be refreshed immediately. return time.Now(), err } - return getSecretRenewalTimeFromCertificate(scannerCert), nil + return calculateRenewalTime(cert), nil } -func getSecretRenewalTimeFromCertificate(certificate *x509.Certificate) time.Time { - certValidityDurationSecs := certificate.NotAfter.Sub(certificate.NotBefore).Seconds() +func calculateRenewalTime(cert *x509.Certificate) time.Time { + certValidityDurationSecs := cert.NotAfter.Sub(cert.NotBefore).Seconds() durationBeforeRenewalAttempt := time.Second * (time.Duration(certValidityDurationSecs/2) - time.Duration(rand.Intn(int(certValidityDurationSecs/10)))) - certRenewalTime := certificate.NotBefore.Add(durationBeforeRenewalAttempt) + certRenewalTime := cert.NotBefore.Add(durationBeforeRenewalAttempt) return certRenewalTime } From 328ddc55ec82e8fa0a57e763f7f04926ef5c7bc0 Mon Sep 17 00:00:00 2001 
From: Juan Rodriguez Hortala Date: Tue, 1 Feb 2022 16:58:18 +0100 Subject: [PATCH 09/14] add comment explaining cert renewal time criteria --- sensor/kubernetes/localscanner/certificate_expiration.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sensor/kubernetes/localscanner/certificate_expiration.go b/sensor/kubernetes/localscanner/certificate_expiration.go index 3307d2f204916..7dab26f0fb153 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration.go +++ b/sensor/kubernetes/localscanner/certificate_expiration.go @@ -5,7 +5,6 @@ import ( "crypto/x509" "math/rand" - "github.com/cloudflare/cfssl/helpers" "github.com/pkg/errors" "github.com/stackrox/rox/generated/storage" @@ -38,7 +37,7 @@ func getSecretRenewalTime(certSecret *v1.Secret) (time.Time, error) { certBytes := certSecret.Data[mtls.ServiceCertFileName] var ( cert *x509.Certificate - err error + err error ) if len(certBytes) == 0 { err = errors.Errorf("empty certificate for certSecret %s", certSecret.GetName()) @@ -53,6 +52,8 @@ func getSecretRenewalTime(certSecret *v1.Secret) (time.Time, error) { return calculateRenewalTime(cert), nil } +// In order to ensure certificates are rotated before expiration, this returns a renewal time no later than +// half its expiration date. func calculateRenewalTime(cert *x509.Certificate) time.Time { certValidityDurationSecs := cert.NotAfter.Sub(cert.NotBefore).Seconds() durationBeforeRenewalAttempt := time.Second * From 61be725bce35ab5d09fdeba8ed95bb167d91ce69 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Wed, 2 Feb 2022 09:11:23 +0100 Subject: [PATCH 10/14] fix style --- sensor/kubernetes/localscanner/certificate_expiration.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sensor/kubernetes/localscanner/certificate_expiration.go b/sensor/kubernetes/localscanner/certificate_expiration.go index 7dab26f0fb153..979b55ad88e83 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration.go 
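Review bot: The new comment on calculateRenewalTime says "no later than half its expiration date", which is not what the code computes: the result is NotBefore plus half of the NotAfter−NotBefore span, minus a random jitter of less than a tenth of that span, so the renewal lands between 40% and 50% of the way through the validity window. Suggest `// calculateRenewalTime returns an instant between 40% and 50% of the way through the certificate's validity window, so rotation happens well before NotAfter and not at the same moment for every certificate.` The jitter expression continues past the end of the hunk.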
+++ b/sensor/kubernetes/localscanner/certificate_expiration.go @@ -4,12 +4,12 @@ import ( "time" "crypto/x509" - "math/rand" "github.com/cloudflare/cfssl/helpers" "github.com/pkg/errors" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/mtls" v1 "k8s.io/api/core/v1" + "math/rand" ) // GetSecretsCertRenewalTime computes the time when the service certificates stored in a set of From 08214f4c47114fdebc1ea861c3417760be460fb5 Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Thu, 3 Feb 2022 18:33:14 +0100 Subject: [PATCH 11/14] adapt to certificate set instead of secrets --- .../localscanner/certificate_expiration.go | 32 ++++++++++--------- .../certificate_expiration_test.go | 27 +++++++++------- 2 files changed, 33 insertions(+), 26 deletions(-) diff --git a/sensor/kubernetes/localscanner/certificate_expiration.go b/sensor/kubernetes/localscanner/certificate_expiration.go index 979b55ad88e83..a1ff5a5b4b2f3 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration.go +++ b/sensor/kubernetes/localscanner/certificate_expiration.go 
@@ -4,49 +4,51 @@ import ( "time" "crypto/x509" + "math/rand" "github.com/cloudflare/cfssl/helpers" "github.com/pkg/errors" "github.com/stackrox/rox/generated/storage" - "github.com/stackrox/rox/pkg/mtls" - v1 "k8s.io/api/core/v1" - "math/rand" ) -// GetSecretsCertRenewalTime computes the time when the service certificates stored in a set of -// secrets should be refreshed. +var ( + // ErrEmptyCertificate indicates that the certificate stored in a secret is empty. + ErrEmptyCertificate = errors.New("empty certificate") +) + +// GetCertsRenewalTime computes the time when the service certificates should be refreshed. // If different services have different expiration times then the earliest time is returned. -func GetSecretsCertRenewalTime(secrets map[storage.ServiceType]*v1.Secret) (time.Time, error) { +func GetCertsRenewalTime(certificates *storage.TypedServiceCertificateSet) (time.Time, error) { var ( renewalTime time.Time renewalTimeInitialized bool ) - for _, secret := range secrets { - secretRenewalTime, err := getSecretRenewalTime(secret) + for _, certificate := range certificates.GetServiceCerts() { + certRenewalTime, err := getCertificateRenewalTime(certificate) if err != nil { return renewalTime, err } - if !renewalTimeInitialized || secretRenewalTime.Before(renewalTime) { + if !renewalTimeInitialized || certRenewalTime.Before(renewalTime) { renewalTimeInitialized = true - renewalTime = secretRenewalTime + renewalTime = certRenewalTime } } return renewalTime, nil } -func getSecretRenewalTime(certSecret *v1.Secret) (time.Time, error) { - certBytes := certSecret.Data[mtls.ServiceCertFileName] +func getCertificateRenewalTime(certificate *storage.TypedServiceCertificate) (time.Time, error) { + certBytes := certificate.GetCert().GetCertPem() var ( cert *x509.Certificate err error ) if len(certBytes) == 0 { - err = errors.Errorf("empty certificate for certSecret %s", certSecret.GetName()) + err = ErrEmptyCertificate } else { cert, err = 
helpers.ParseCertificatePEM(certBytes) } if err != nil { - // Note this also covers a certSecret with no certificates stored, which should be refreshed immediately. - return time.Now(), err + var zeroTime time.Time + return zeroTime, err } return calculateRenewalTime(cert), nil diff --git a/sensor/kubernetes/localscanner/certificate_expiration_test.go b/sensor/kubernetes/localscanner/certificate_expiration_test.go index 6f88e8379ab3b..0021e826ce3e7 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration_test.go +++ b/sensor/kubernetes/localscanner/certificate_expiration_test.go @@ -9,7 +9,6 @@ import ( "github.com/stackrox/rox/pkg/mtls" "github.com/stackrox/rox/pkg/testutils/envisolator" "github.com/stretchr/testify/suite" - v1 "k8s.io/api/core/v1" ) var ( @@ -44,20 +43,26 @@ func (s *getSecretRenewalTimeSuite) TestGetSecretsCertRenewalTime() { s.Require().NoError(err) certPEMDays, err := issueCertificatePEM(mtls.WithValidityExpiringInDays()) s.Require().NoError(err) - - secrets := map[storage.ServiceType]*v1.Secret{ - storage.ServiceType_SCANNER_DB_SERVICE: { - Data: map[string][]byte{ - mtls.ServiceCertFileName: certPEMHours, + certificates := &storage.TypedServiceCertificateSet{ + CaPem: make([]byte, 0), + ServiceCerts: []*storage.TypedServiceCertificate{ + { + ServiceType: storage.ServiceType_SCANNER_SERVICE, + Cert: &storage.ServiceCertificate{ + CertPem: certPEMHours, + }, }, - }, - storage.ServiceType_SCANNER_SERVICE: { - Data: map[string][]byte{ - mtls.ServiceCertFileName: certPEMDays, + { + ServiceType: storage.ServiceType_SCANNER_DB_SERVICE, + Cert: &storage.ServiceCertificate{ + CertPem: certPEMDays, + }, }, }, } - certRenewalTime, err := GetSecretsCertRenewalTime(secrets) + + certRenewalTime, err := GetCertsRenewalTime(certificates) + s.Require().NoError(err) certDuration := time.Until(certRenewalTime) s.LessOrEqual(certDuration, afterOffset/2) From 95c75f98bd4bdf62f6bf81c4a0beeee4664e3f67 Mon Sep 17 00:00:00 2001 
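Review bot: The error paths in getCertificateRenewalTime lose their context in this hunk: the previous message named the secret, while `err = ErrEmptyCertificate` and the bare error from helpers.ParseCertificatePEM now say nothing about which service's certificate is bad, and GetCertsRenewalTime returns that error unchanged, so an operator sees "empty certificate" with no way to tell which entry of the set it came from. Wrapping keeps the sentinel usable with errors.Is (pkg/errors implements Unwrap from 0.9 on): `err = errors.Wrapf(ErrEmptyCertificate, "service %s", certificate.GetServiceType())` and, after the parse, `err = errors.Wrapf(err, "parsing certificate for service %s", certificate.GetServiceType())`, which is a no-op on nil. The ServiceType field appears in the test fixture, so the getter presumably exists; confirm against the generated type.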
From: Juan Rodriguez Hortala Date: Mon, 7 Feb 2022 17:51:58 +0100 Subject: [PATCH 12/14] fix style --- sensor/kubernetes/localscanner/certificate_expiration.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sensor/kubernetes/localscanner/certificate_expiration.go b/sensor/kubernetes/localscanner/certificate_expiration.go index a1ff5a5b4b2f3..ead00b1b9da6b 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration.go +++ b/sensor/kubernetes/localscanner/certificate_expiration.go @@ -4,10 +4,10 @@ import ( "time" "crypto/x509" - "math/rand" "github.com/cloudflare/cfssl/helpers" "github.com/pkg/errors" "github.com/stackrox/rox/generated/storage" + "math/rand" ) var ( From 8a004384433aaa5d413f31bb4906b65aff92a39a Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Mon, 7 Feb 2022 18:21:41 +0100 Subject: [PATCH 13/14] fix style --- sensor/kubernetes/localscanner/certificate_expiration.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sensor/kubernetes/localscanner/certificate_expiration.go b/sensor/kubernetes/localscanner/certificate_expiration.go index ead00b1b9da6b..446266fea3455 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration.go +++ b/sensor/kubernetes/localscanner/certificate_expiration.go @@ -1,13 +1,13 @@ package localscanner import ( + "crypto/x509" + "math/rand" "time" - "crypto/x509" "github.com/cloudflare/cfssl/helpers" "github.com/pkg/errors" "github.com/stackrox/rox/generated/storage" - "math/rand" ) var ( From 223a2eab7f22cce8368a9205caca4777011049bb Mon Sep 17 00:00:00 2001 From: Juan Rodriguez Hortala Date: Tue, 8 Feb 2022 12:37:43 +0100 Subject: [PATCH 14/14] update testutilsMTLS import --- sensor/kubernetes/localscanner/certificate_expiration_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/sensor/kubernetes/localscanner/certificate_expiration_test.go b/sensor/kubernetes/localscanner/certificate_expiration_test.go index 0021e826ce3e7..3d0a9365ca795 100644 --- a/sensor/kubernetes/localscanner/certificate_expiration_test.go +++ b/sensor/kubernetes/localscanner/certificate_expiration_test.go @@ -4,9 +4,9 @@ import ( "testing" "time" - testutilsMTLS "github.com/stackrox/rox/central/testutils/mtls" "github.com/stackrox/rox/generated/storage" "github.com/stackrox/rox/pkg/mtls" + testutilsMTLS "github.com/stackrox/rox/pkg/mtls/testutils" "github.com/stackrox/rox/pkg/testutils/envisolator" "github.com/stretchr/testify/suite" )