fs cert writer

Mengqi Yu · Mengqi Yu · commit 81b9fa7c3bcc · 2018-06-22T11:52:15.000-07:00
diff --git a/pkg/admission/cert/writer/certwriter.go b/pkg/admission/cert/writer/certwriter.go
@@ -66,13 +66,13 @@ func NewCertWriter(ops Options) (CertWriter, error) {
 		Client:        ops.Client,
 		CertGenerator: ops.CertGenerator,
 	}
-	//f := &FSCertWriter{
-	//	CertGenerator: ops.CertGenerator,
-	//}
+	f := &FSCertWriter{
+		CertGenerator: ops.CertGenerator,
+	}
 	return &MultiCertWriter{
 		CertWriters: []CertWriter{
 			s,
-			//f,
+			f,
 		},
 	}, nil
 }
diff --git a/pkg/admission/cert/writer/certwriter_test.go b/pkg/admission/cert/writer/certwriter_test.go
@@ -57,7 +57,7 @@ var _ = Describe("NewProvider", func() {
 						Client:        cl,
 						CertGenerator: &generator.SelfSignedCertGenerator{},
 					},
-					//&FSCertWriterProvider{
+					//&FSCertWriter{
 					//	CertGenerator: &certgenerator.SelfSignedCertGenerator{},
 					//},
 				},
diff --git a/pkg/admission/cert/writer/fs.go b/pkg/admission/cert/writer/fs.go
@@ -16,125 +16,175 @@ limitations under the License.
 
 package writer
 
-//import (
-//	"fmt"
-//	"strings"
-//
-//	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
-//	"k8s.io/apimachinery/pkg/api/meta"
-//	"k8s.io/apimachinery/pkg/runtime"
-//	"sigs.k8s.io/controller-runtime/pkg/admission/certgenerator"
-//)
-//
-//const (
-//	// FSCertProvisionAnnotationKeyPrefix should be used in an annotation in the following format:
-//	// fs.certprovisioner.kubernetes.io/<webhook-name>: path/to/certs/
-//	// the webhook cert manager library will provision the certificate for the webhook by
-//	// storing it under the specified path.
-//	// format: local.certprovisioner.kubernetes.io/webhookName: path/to/certs/
-//	FSCertProvisionAnnotationKeyPrefix = "fs.certprovisioner.kubernetes.io/"
-//)
-//
-//// FSCertWriterProvider deals with writing to the local filesystem.
-//type FSCertWriterProvider struct {
-//	CertGenerator certgenerator.CertGenerator
-//}
-//
-//var _ CertWriter = &FSCertWriterProvider{}
-//
-//// Provide creates a new CertWriter and initialized with the passed-in webhookConfig.
-//func (s *FSCertWriterProvider) Provide(webhookConfig runtime.Object) (CertWriter, error) {
-//	fsWebhookMap := map[string]*webhookAndPath{}
-//
-//	accessor, err := meta.Accessor(webhookConfig)
-//	if err != nil {
-//		return nil, err
-//	}
-//	annotations := accessor.GetAnnotations()
-//	if annotations == nil {
-//		return nil, nil
-//	}
-//
-//	// Parse the annotations to extract info
-//	for k, v := range annotations {
-//      // an example annotation: local.certprovisioner.kubernetes.io/webhookName: path/to/certs/
-//		if strings.HasPrefix(k, FSCertProvisionAnnotationKeyPrefix) {
-//			webhookName := strings.TrimPrefix(k, FSCertProvisionAnnotationKeyPrefix)
-//			fsWebhookMap[webhookName] = &webhookAndPath{
-//				path: v,
-//			}
-//		}
-//	}
-//
-//	webhooks, err := getWebhooksFromObject(webhookConfig)
-//	if err != nil {
-//		return nil, err
-//	}
-//	for i, webhook := range webhooks {
-//		if p, found := fsWebhookMap[webhook.Name]; found {
-//			p.webhook = &webhooks[i]
-//		}
-//	}
-//
-//	// validation
-//	for k, v := range fsWebhookMap {
-//		if v.webhook == nil {
-//			return nil, fmt.Errorf("expecting a webhook named %q", k)
-//		}
-//	}
-//
-//	generator := s.CertGenerator
-//	if s.CertGenerator == nil {
-//		generator = &certgenerator.SelfSignedCertGenerator{}
-//	}
-//
-//	return &fsCertWriter{
-//		CertGenerator: generator,
-//		webhookConfig: webhookConfig,
-//		webhookToPath: fsWebhookMap,
-//	}, nil
-//}
-//
-//// fsCertWriter deals with writing to the local filesystem.
-//type fsCertWriter struct {
-//	CertGenerator certgenerator.CertGenerator
-//
-//	webhookConfig runtime.Object
-//	webhookToPath map[string]*webhookAndPath
-//}
-//
-//type webhookAndPath struct {
-//	webhook *admissionregistrationv1beta1.Webhook
-//	path    string
-//}
-//
-//var _ certReadWriter = &fsCertWriter{}
-//
-//// EnsureCert processes the webhooks managed by this CertWriter.
-//// It provisions the certificate and update the CA in the webhook.
-//// It will write the certificate to the filesystem.
-//func (s *fsCertWriter) EnsureCert() error {
-//	var err error
-//	for _, v := range s.webhookToPath {
-//		err = handleCommon(v.webhook, s)
-//		if err != nil {
-//			return err
-//		}
-//	}
-//	return nil
-//}
-//
-//func (s *fsCertWriter) write(webhookName string) (*certgenerator.CertArtifacts, error) {
-//	// TODO: implement this
-//	return nil, nil
-//}
-//
-//func (s *fsCertWriter) overwrite(webhookName string) (*certgenerator.CertArtifacts, error) {
-//	// TODO: implement this
-//	return nil, nil
-//}
-//
-//func (s *fsCertWriter) read(webhookName string) (*certgenerator.CertArtifacts, error) {
-//	// TODO: implement this
-//	return nil, nil
-//}
+import (
+	"fmt"
+	"io/ioutil"
+	"path"
+	"strings"
+
+	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/runtime"
+	certgenerator "sigs.k8s.io/controller-runtime/pkg/admission/cert/generator"
+	"sigs.k8s.io/controller-runtime/pkg/admission/cert/writer/internal/atomic"
+)
+
+const (
+	// FSCertProvisionAnnotationKeyPrefix should be used in an annotation in the following format:
+	// fs.certprovisioner.kubernetes.io/<webhook-name>: path/to/certs/
+	// the webhook cert manager library will provision the certificate for the webhook by
+	// storing it under the specified path.
+	// format: fs.certprovisioner.kubernetes.io/webhookName: path/to/certs/
+	FSCertProvisionAnnotationKeyPrefix = "fs.certprovisioner.kubernetes.io/"
+)
+
+// FSCertWriter provisions the certificate by reading and writing to the filesystem.
+type FSCertWriter struct {
+	CertGenerator certgenerator.CertGenerator
+}
+
+var _ CertWriter = &FSCertWriter{}
+
+// EnsureCerts provisions certificates for a webhook configuration by writing them in the filesystem.
+func (s *FSCertWriter) EnsureCerts(webhookConfig runtime.Object) error {
+	webhookMap := map[string]*webhookAndPath{}
+
+	accessor, err := meta.Accessor(webhookConfig)
+	if err != nil {
+		return err
+	}
+	annotations := accessor.GetAnnotations()
+	if annotations == nil {
+		return nil
+	}
+
+	// Parse the annotations to extract info
+	for k, v := range annotations {
+		// an example annotation: fs.certprovisioner.kubernetes.io/webhookName: path/to/certs/
+		if strings.HasPrefix(k, FSCertProvisionAnnotationKeyPrefix) {
+			webhookName := strings.TrimPrefix(k, FSCertProvisionAnnotationKeyPrefix)
+			webhookMap[webhookName] = &webhookAndPath{
+				path: v,
+			}
+		}
+	}
+
+	webhooks, err := getWebhooksFromObject(webhookConfig)
+	if err != nil {
+		return err
+	}
+	for i, webhook := range webhooks {
+		if p, found := webhookMap[webhook.Name]; found {
+			p.webhook = &webhooks[i]
+		}
+	}
+
+	// validation
+	for k, v := range webhookMap {
+		if v.webhook == nil {
+			return fmt.Errorf("expecting a webhook named %q", k)
+		}
+	}
+
+	generator := s.CertGenerator
+	if s.CertGenerator == nil {
+		generator = &certgenerator.SelfSignedCertGenerator{}
+	}
+
+	cw := &fsCertWriter{
+		certGenerator: generator,
+		webhookConfig: webhookConfig,
+		webhookMap:    webhookMap,
+	}
+	return cw.ensureCert()
+}
+
+// fsCertWriter deals with writing to the local filesystem.
+type fsCertWriter struct {
+	certGenerator certgenerator.CertGenerator
+
+	webhookConfig runtime.Object
+	webhookMap    map[string]*webhookAndPath
+}
+
+type webhookAndPath struct {
+	webhook *admissionregistrationv1beta1.Webhook
+	path    string
+}
+
+var _ certReadWriter = &fsCertWriter{}
+
+func (s *fsCertWriter) ensureCert() error {
+	var err error
+	for _, v := range s.webhookMap {
+		err = handleCommon(v.webhook, s)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (f *fsCertWriter) write(webhookName string) (*certgenerator.Artifacts, error) {
+	return f.doWrite(webhookName)
+}
+
+func (f *fsCertWriter) overwrite(webhookName string) (*certgenerator.Artifacts, error) {
+	return f.doWrite(webhookName)
+}
+
+func (f *fsCertWriter) doWrite(webhookName string) (*certgenerator.Artifacts, error) {
+	v := f.webhookMap[webhookName]
+	commonName, err := dnsNameForWebhook(&v.webhook.ClientConfig)
+	if err != nil {
+		return nil, err
+	}
+	certs, err := f.certGenerator.Generate(commonName)
+	if err != nil {
+		return nil, err
+	}
+	aw, err := atomic.NewAtomicWriter(v.path, fmt.Sprintf("processing webhook %q", webhookName))
+	if err != nil {
+		return nil, err
+	}
+	err = aw.Write(certToProjectionMap(certs))
+	return certs, err
+}
+
+func (f *fsCertWriter) read(webhookName string) (*certgenerator.Artifacts, error) {
+	dir := f.webhookMap[webhookName].path
+	caBytes, err := ioutil.ReadFile(path.Join(dir, CACertName))
+	if err != nil {
+		return nil, err
+	}
+	certBytes, err := ioutil.ReadFile(path.Join(dir, ServerCertName))
+	if err != nil {
+		return nil, err
+	}
+	keyBytes, err := ioutil.ReadFile(path.Join(dir, ServerKeyName))
+	if err != nil {
+		return nil, err
+	}
+	return &certgenerator.Artifacts{
+		CACert: caBytes,
+		Cert:   certBytes,
+		Key:    keyBytes,
+	}, nil
+}
+
+func certToProjectionMap(cert *certgenerator.Artifacts) map[string]atomic.FileProjection {
+	return map[string]atomic.FileProjection{
+		CACertName: {
+			Data: cert.CACert,
+			Mode: 0666,
+		},
+		ServerCertName: {
+			Data: cert.Cert,
+			Mode: 0666,
+		},
+		ServerKeyName: {
+			Data: cert.Key,
+			Mode: 0666,
+		},
+	}
+}
