commit f58a76906588162b976fdf0a16064e3d5f55da11
author giolekva <giolekva@gmail.com> Wed Dec 15 18:05:39 2021 +0400
committer giolekva <giolekva@gmail.com> Wed Dec 15 18:05:39 2021 +0400
tree 4dff0e118826df0774c47e27dda7a16ee9f9ff3e
parent 313ee2b1737d155125aeab2d5d27c3d640372c29

Client: send join request with signed message to verify validity

core/nebula/api/manager.go

diff --git a/core/nebula/api/manager.go b/core/nebula/api/manager.go
index 40f6eeb..1b396ff 100644
--- a/core/nebula/api/manager.go
+++ b/core/nebula/api/manager.go
@@ -36,7 +36,7 @@
 	kubeClient   kubernetes.Interface
 	nebulaClient clientset.Interface
 	namespace    string
-	caSecretName string
+	caName       string
 }
 
 func (m *Manager) ListAll() ([]*nebulaCA, error) {
@@ -100,11 +100,7 @@
 }
 
 func (m *Manager) GetCACertQR(namespace, name string) ([]byte, error) {
-	ca, err := m.nebulaClient.LekvaV1().NebulaCAs(namespace).Get(context.TODO(), name, metav1.GetOptions{})
-	if err != nil {
-		return nil, err
-	}
-	secret, err := m.kubeClient.CoreV1().Secrets(namespace).Get(context.TODO(), ca.Spec.SecretName, metav1.GetOptions{})
+	secret, err := m.getCASecret(namespace, name)
 	if err != nil {
 		return nil, err
 	}
@@ -131,7 +127,7 @@
 }
 
 func (m *Manager) Sign(message []byte) ([]byte, error) {
-	secret, err := m.kubeClient.CoreV1().Secrets(m.namespace).Get(context.TODO(), m.caSecretName, metav1.GetOptions{})
+	secret, err := m.getCASecret(m.namespace, m.caName)
 	if err != nil {
 		return nil, err
 	}
@@ -143,7 +139,7 @@
 }
 
 func (m *Manager) VerifySignature(message, signature []byte) (bool, error) {
-	secret, err := m.kubeClient.CoreV1().Secrets(m.namespace).Get(context.TODO(), m.caSecretName, metav1.GetOptions{})
+	secret, err := m.getCASecret(m.namespace, m.caName)
 	if err != nil {
 		return false, err
 	}
@@ -154,6 +150,14 @@
 	return ed25519.Verify(edPriv.Public().(ed25519.PublicKey), message, signature), nil
 }
 
+func (m *Manager) getCASecret(namespace, name string) (*corev1.Secret, error) {
+	ca, err := m.nebulaClient.LekvaV1().NebulaCAs(namespace).Get(context.TODO(), name, metav1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+	return m.kubeClient.CoreV1().Secrets(namespace).Get(context.TODO(), ca.Spec.SecretName, metav1.GetOptions{})
+}
+
 func (m *Manager) getNodeSecret(namespace, name string) (*corev1.Secret, error) {
 	node, err := m.nebulaClient.LekvaV1().NebulaNodes(namespace).Get(context.TODO(), name, metav1.GetOptions{})
 	if err != nil {