pkg/providers/translation/util.go - apisix-ingress-controller - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one or more
 // contributor license agreements.  See the NOTICE file distributed with
 // this work for additional information regarding copyright ownership.
 // The ASF licenses this file to You under the Apache License, Version 2.0
 // (the "License"); you may not use this file except in compliance with
 // the License.  You may obtain a copy of the License at
 //
 //	http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package translation

 import (
 	"errors"
 	"net"

 	v1 "k8s.io/api/core/v1"
 )

 var (
 	_errInvalidAddress = errors.New("address is neither IP or CIDR")
 	// ErrUnknownSecretFormat means the secret doesn't contain required fields
 	ErrUnknownSecretFormat = errors.New("unknown secret format")
 	// ErrEmptyCert means the cert field in Kubernetes Secret is not found.
 	ErrEmptyCert = errors.New("missing cert field")
 	// ErrEmptyPrivKey means the key field in Kubernetes Secret is not found.
 	ErrEmptyPrivKey = errors.New("missing key field")
 )

 // ExtractKeyPair extracts certificate and private key pair from secret
 // Supports APISIX style ("cert" and "key") and Kube style ("tls.crt" and "tls.key)
 // If hasPrivateKey == false, also support extract CA from "ca.crt"
 func ExtractKeyPair(s *v1.Secret, hasPrivateKey bool) ([]byte, []byte, error) {
 	if _, ok := s.Data["cert"]; ok {
 		return extractApisixSecretKeyPair(s, hasPrivateKey)
 	} else if _, ok := s.Data[v1.TLSCertKey]; ok {
 		return extractKubeSecretKeyPair(s, hasPrivateKey)
 	} else if ca, ok := s.Data[v1.ServiceAccountRootCAKey]; ok && !hasPrivateKey {
 		return ca, nil, nil
 	} else {
 		return nil, nil, ErrUnknownSecretFormat
 	}
 }

 // ExtractCA extracts certificate from secret
 // Supports Kube style ("ca.crt")
 func ExtractCA(s *v1.Secret) ([]byte, error) {
 	if ca, ok := s.Data[v1.ServiceAccountRootCAKey]; ok {
 		return ca, nil
 	} else {
 		return nil, ErrUnknownSecretFormat
 	}
 }

 func extractApisixSecretKeyPair(s *v1.Secret, hasPrivateKey bool) (cert []byte, key []byte, err error) {
 	var ok bool
 	cert, ok = s.Data["cert"]
 	if !ok {
 		return nil, nil, ErrEmptyCert
 	}

 	if hasPrivateKey {
 		key, ok = s.Data["key"]
 		if !ok {
 			return nil, nil, ErrEmptyPrivKey
 		}
 	}
 	return
 }

 func extractKubeSecretKeyPair(s *v1.Secret, hasPrivateKey bool) (cert []byte, key []byte, err error) {
 	var ok bool
 	cert, ok = s.Data[v1.TLSCertKey]
 	if !ok {
 		return nil, nil, ErrEmptyCert
 	}

 	if hasPrivateKey {
 		key, ok = s.Data[v1.TLSPrivateKeyKey]
 		if !ok {
 			return nil, nil, ErrEmptyPrivKey
 		}
 	}
 	return
 }

 func ValidateRemoteAddrs(remoteAddrs []string) error {
 	for _, addr := range remoteAddrs {
 		if ip := net.ParseIP(addr); ip == nil {
 			// addr is not an IP address, try to parse it as a CIDR.
 			if _, _, err := net.ParseCIDR(addr); err != nil {
 				return _errInvalidAddress
 			}
 		}
 	}
 	return nil
 }
	// Licensed to the Apache Software Foundation (ASF) under one or more
	// contributor license agreements. See the NOTICE file distributed with
	// this work for additional information regarding copyright ownership.
	// The ASF licenses this file to You under the Apache License, Version 2.0
	// (the "License"); you may not use this file except in compliance with
	// the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	package translation

	import (
	"errors"
	"net"

	v1 "k8s.io/api/core/v1"
	)

	var (
	_errInvalidAddress = errors.New("address is neither IP or CIDR")
	// ErrUnknownSecretFormat means the secret doesn't contain required fields
	ErrUnknownSecretFormat = errors.New("unknown secret format")
	// ErrEmptyCert means the cert field in Kubernetes Secret is not found.
	ErrEmptyCert = errors.New("missing cert field")
	// ErrEmptyPrivKey means the key field in Kubernetes Secret is not found.
	ErrEmptyPrivKey = errors.New("missing key field")
	)

	// ExtractKeyPair extracts certificate and private key pair from secret
	// Supports APISIX style ("cert" and "key") and Kube style ("tls.crt" and "tls.key)
	// If hasPrivateKey == false, also support extract CA from "ca.crt"
	func ExtractKeyPair(s *v1.Secret, hasPrivateKey bool) ([]byte, []byte, error) {
	if _, ok := s.Data["cert"]; ok {
	return extractApisixSecretKeyPair(s, hasPrivateKey)
	} else if _, ok := s.Data[v1.TLSCertKey]; ok {
	return extractKubeSecretKeyPair(s, hasPrivateKey)
	} else if ca, ok := s.Data[v1.ServiceAccountRootCAKey]; ok && !hasPrivateKey {
	return ca, nil, nil
	} else {
	return nil, nil, ErrUnknownSecretFormat
	}
	}

	// ExtractCA extracts certificate from secret
	// Supports Kube style ("ca.crt")
	func ExtractCA(s *v1.Secret) ([]byte, error) {
	if ca, ok := s.Data[v1.ServiceAccountRootCAKey]; ok {
	return ca, nil
	} else {
	return nil, ErrUnknownSecretFormat
	}
	}

	func extractApisixSecretKeyPair(s *v1.Secret, hasPrivateKey bool) (cert []byte, key []byte, err error) {
	var ok bool
	cert, ok = s.Data["cert"]
	if !ok {
	return nil, nil, ErrEmptyCert
	}

	if hasPrivateKey {
	key, ok = s.Data["key"]
	if !ok {
	return nil, nil, ErrEmptyPrivKey
	}
	}
	return
	}

	func extractKubeSecretKeyPair(s *v1.Secret, hasPrivateKey bool) (cert []byte, key []byte, err error) {
	var ok bool
	cert, ok = s.Data[v1.TLSCertKey]
	if !ok {
	return nil, nil, ErrEmptyCert
	}

	if hasPrivateKey {
	key, ok = s.Data[v1.TLSPrivateKeyKey]
	if !ok {
	return nil, nil, ErrEmptyPrivKey
	}
	}
	return
	}

	func ValidateRemoteAddrs(remoteAddrs []string) error {
	for _, addr := range remoteAddrs {
	if ip := net.ParseIP(addr); ip == nil {
	// addr is not an IP address, try to parse it as a CIDR.
	if _, _, err := net.ParseCIDR(addr); err != nil {
	return _errInvalidAddress
	}
	}
	}
	return nil
	}