1 files changed, 75 insertions, 0 deletions
diff --git a/lib/gitlab/kubernetes/helm/v2/certificate.rb b/lib/gitlab/kubernetes/helm/v2/certificate.rb
new file mode 100644
index 00000000000..f603ff44ef3
--- /dev/null
+++ b/lib/gitlab/kubernetes/helm/v2/certificate.rb
@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+module Gitlab
+  module Kubernetes
+    module Helm
+      module V2
+        class Certificate
+          INFINITE_EXPIRY = 1000.years
+          SHORT_EXPIRY = 30.minutes
+
+          attr_reader :key, :cert
+
+          def key_string
+            @key.to_s
+          end
+
+          def cert_string
+            @cert.to_pem
+          end
+
+          def self.from_strings(key_string, cert_string)
+            key = OpenSSL::PKey::RSA.new(key_string)
+            cert = OpenSSL::X509::Certificate.new(cert_string)
+            new(key, cert)
+          end
+
+          def self.generate_root
+            _issue(signed_by: nil, expires_in: INFINITE_EXPIRY, certificate_authority: true)
+          end
+
+          def issue(expires_in: SHORT_EXPIRY)
+            self.class._issue(signed_by: self, expires_in: expires_in, certificate_authority: false)
+          end
+
+          private
+
+          def self._issue(signed_by:, expires_in:, certificate_authority:)
+            key = OpenSSL::PKey::RSA.new(4096)
+            public_key = key.public_key
+
+            subject = OpenSSL::X509::Name.parse("/C=US")
+
+            cert = OpenSSL::X509::Certificate.new
+            cert.subject = subject
+
+            cert.issuer = signed_by&.cert&.subject || subject
+
+            cert.not_before = Time.now.utc
+            cert.not_after = expires_in.from_now.utc
+            cert.public_key = public_key
+            cert.serial = 0x0
+            cert.version = 2
+
+            if certificate_authority
+              extension_factory = OpenSSL::X509::ExtensionFactory.new
+              extension_factory.subject_certificate = cert
+              extension_factory.issuer_certificate = cert
+              cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
+              cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:TRUE', true))
+              cert.add_extension(extension_factory.create_extension('keyUsage', 'cRLSign,keyCertSign', true))
+            end
+
+            cert.sign(signed_by&.key || key, OpenSSL::Digest::SHA256.new)
+
+            new(key, cert)
+          end
+
+          def initialize(key, cert)
+            @key = key
+            @cert = cert
+          end
+        end
+      end
+    end
+  end
+end