initial cert provisioner

Author: Mengqi Yu

pkg/admission/certprovisioner/certprovisioner.go renamed to pkg/admission/certgenerator/certgenerator.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package certprovisioner
+package certgenerator
 
 // Certs hosts a private key, its corresponding serving certificate and
 // the CA certificate that signs the serving certificate.
@@ -24,8 +24,8 @@ type Certs struct {
 	CACert []byte
 }
 
-// CertProvisioner is an interface to provision the serving certificate.
-type CertProvisioner interface {
-	// ProvisionServingCert returns a Certs struct.
-	ProvisionServingCert() (*Certs, error)
+// CertGenerator is an interface to provision the serving certificate.
+type CertGenerator interface {
+	// Generate returns a Certs struct.
+	Generate(CommonName string) (*Certs, error)
 }

pkg/admission/certprovisioner/certprovisioner_test.go renamed to pkg/admission/certgenerator/certgenerator_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package certprovisioner
+package certgenerator
 
 import "fmt"
 

pkg/admission/certprovisioner/doc.go renamed to pkg/admission/certgenerator/doc.go

@@ -15,18 +15,16 @@ limitations under the License.
 */
 
 /*
-Package certprovisioner provides an interface and implementation to provision certificates.
+Package certgenerator provides an interface and implementation to provision certificates.
 
-Create a implementation instance of certprovisioner.
+Create a implementation instance of certgenerator.
 
-	cp := SelfSignedCertProvisioner{
-		CommonName: "foo.bar.com"
-	}
+	cp := SelfSignedCertGenerator{}
 
 Provision the certificates.
-	certs, err := cp.ProvisionServingCert()
+	certs, err := cp.Generate("foo.bar.com")
 	if err != nil {
 		// handle error
 	}
 */
-package certprovisioner
+package certgenerator

pkg/admission/certprovisioner/selfsignedcertprovisioner.go renamed to pkg/admission/certgenerator/selfsigned.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package certprovisioner
+package certgenerator
 
 import (
 	"crypto/x509"
@@ -28,21 +28,18 @@ func ServiceToCommonName(serviceNamespace, serviceName string) string {
 	return fmt.Sprintf("%s.%s.svc", serviceName, serviceNamespace)
 }
 
-// SelfSignedCertProvisioner implements the CertProvisioner interface.
+// SelfSignedCertGenerator implements the CertGenerator interface.
 // It provisions self-signed certificates.
-type SelfSignedCertProvisioner struct {
-	// Required Common Name
-	CommonName string
-}
+type SelfSignedCertGenerator struct{}
 
-var _ CertProvisioner = &SelfSignedCertProvisioner{}
+var _ CertGenerator = &SelfSignedCertGenerator{}
 
-// ProvisionServingCert creates and returns a CA certificate, certificate and
+// Generate creates and returns a CA certificate, certificate and
 // key for the server. serverKey and serverCert are used by the server
 // to establish trust for clients, CA certificate is used by the
 // client to verify the server authentication chain.
 // The cert will be valid for 365 days.
-func (cp *SelfSignedCertProvisioner) ProvisionServingCert() (*Certs, error) {
+func (cp *SelfSignedCertGenerator) Generate(commonName string) (*Certs, error) {
 	signingKey, err := cert.NewPrivateKey()
 	if err != nil {
 		return nil, fmt.Errorf("failed to create the CA private key: %v", err)
@@ -57,7 +54,7 @@ func (cp *SelfSignedCertProvisioner) ProvisionServingCert() (*Certs, error) {
 	}
 	signedCert, err := cert.NewSignedCert(
 		cert.Config{
-			CommonName: cp.CommonName,
+			CommonName: commonName,
 			Usages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		},
 		key, signingCert, signingKey,

pkg/admission/certprovisioner/selfsignedcertprovisioner_test.go renamed to pkg/admission/certgenerator/selfsigned_test.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package certprovisioner
+package certgenerator
 
 import (
 	"crypto/x509"
@@ -24,8 +24,8 @@ import (
 
 func TestProvisionServingCert(t *testing.T) {
 	cn := "mysvc.myns.svc"
-	cp := SelfSignedCertProvisioner{CommonName: cn}
-	certs, _ := cp.ProvisionServingCert()
+	cp := SelfSignedCertGenerator{}
+	certs, _ := cp.Generate(cn)
 
 	// First, create the set of root certificates. For this example we only
 	// have one. It's also possible to omit this in order to use the

pkg/admission/certwriter/certwriter.go

@@ -0,0 +1,170 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certwriter
+
+import (
+	"bytes"
+	"fmt"
+	"net/url"
+
+	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/kubernetes-sigs/controller-runtime/pkg/admission/certgenerator"
+	"github.com/kubernetes-sigs/controller-runtime/pkg/client"
+)
+
+const (
+	// CACertName is the name of the CA certificate
+	CACertName = "ca-cert.pem"
+	// ServerKeyName is the name of the server private key
+	ServerKeyName = "key.pem"
+	// ServerCertName is the name of the serving certificate
+	ServerCertName = "cert.pem"
+)
+
+// Options are options for configuring a CertOutput.
+type Options struct {
+	Client        client.Client
+	CertGenerator certgenerator.CertGenerator
+}
+
+// CertWriter provides method to handle webhooks.
+type CertWriter interface {
+	// Create a new CertWriter with the given runtime.Object
+	New(runtime.Object) (CertWriter, error)
+	// Handle ensures that the webhooks it manages have the right certificates.
+	Handle() error
+}
+
+// New builds a new CertWriter for the provided webhook configuration.
+func New(webhookConfig runtime.Object, ops Options) (CertWriter, error) {
+	if ops.CertGenerator == nil {
+		ops.CertGenerator = &certgenerator.SelfSignedCertGenerator{}
+	}
+	if ops.Client == nil {
+		// TODO: default the client
+	}
+	s := &SecretCertWriter{
+		Client:        ops.Client,
+		CertGenerator: ops.CertGenerator,
+	}
+	sWriter, err := s.New(webhookConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	f := &FSCertWriter{
+		CertGenerator: ops.CertGenerator,
+	}
+	fWriter, err := f.New(webhookConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MultiCertWriter{
+		CertWriters: []CertWriter{sWriter, fWriter},
+	}, nil
+}
+
+func handleCommon(webhook *admissionregistrationv1beta1.Webhook, ch certio) error {
+	// This happens when a webhook name is specified in the annotation, but this webhook doesn't exist.
+	if webhook == nil {
+		// TODO: add a log here if useful.
+		return nil
+	}
+	webhookName := webhook.Name
+
+	certs, err := ch.read(webhookName)
+	if apierrors.IsNotFound(err) {
+		certs, err = ch.write(webhookName)
+		if err != nil {
+			return err
+		}
+	} else if err != nil {
+		return err
+	}
+
+	// Recreate the cert if it's invalid.
+	if !validCert(certs) {
+		certs, err = ch.write(webhookName)
+		if err != nil {
+			return err
+		}
+		if err != nil {
+			return err
+		}
+	}
+
+	// Ensure the CA bundle in the webhook configuration has the signing CA.
+	caBundle := webhook.ClientConfig.CABundle
+	caCert := certs.CACert
+	if !bytes.Contains(caBundle, caCert) {
+		webhook.ClientConfig.CABundle = append(caBundle, caCert...)
+	}
+	return nil
+}
+
+// certio provides methods for handling certificates for webhook.
+type certio interface {
+	// read reads a wehbook name and returns the certs for it.
+	read(webhookName string) (*certgenerator.Certs, error)
+	// write writes the certs and return the certs it wrote.
+	write(webhookName string) (*certgenerator.Certs, error)
+}
+
+func validCert(certs *certgenerator.Certs) bool {
+	// TODO: 1) validate the key and the cert are valid pair e.g. call crypto/tls.X509KeyPair()
+	// 2) validate the cert with the CA cert
+	// 3) validate the cert is for a certain DNSName
+	// e.g.
+	// c, err := tls.X509KeyPair(cert, key)
+	// err := c.Verify(options)
+
+	return true
+}
+
+func getWebhooksFromObject(obj runtime.Object) ([]admissionregistrationv1beta1.Webhook, error) {
+	switch typed := obj.(type) {
+	case *admissionregistrationv1beta1.MutatingWebhookConfiguration:
+		return typed.Webhooks, nil
+	case *admissionregistrationv1beta1.ValidatingWebhookConfiguration:
+		return typed.Webhooks, nil
+	//case *unstructured.Unstructured:
+	// TODO: implement this if needed
+	default:
+		return nil, fmt.Errorf("unsupported type: %T, only support v1beta1.MutatingWebhookConfiguration and v1beta1.ValidatingWebhookConfiguration", typed)
+	}
+}
+
+func webhookClientConfigToCommonName(config *admissionregistrationv1beta1.WebhookClientConfig) (string, error) {
+	if config.Service != nil && config.URL != nil {
+		return "", fmt.Errorf("service and URL can't be set at the same time in a webhook: %#v", config)
+	}
+	if config.Service == nil && config.URL == nil {
+		return "", fmt.Errorf("one of service and URL need to be set in a webhook: %#v", config)
+	}
+	if config.Service != nil {
+		return certgenerator.ServiceToCommonName(config.Service.Namespace, config.Service.Name), nil
+	}
+	if config.URL != nil {
+		u, err := url.Parse(*config.URL)
+		return u.Host, err
+	}
+	return "", nil
+}

pkg/admission/certwriter/doc.go

@@ -0,0 +1,48 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package certwriter provide method to handle the CA and certificate for webhooks.
+
+Create a default CertWriter
+
+	// webhookConfiguration is either a mutatingWebhookConfiguration or a validatingWebhookConfiguration.
+	writer, err := New(webhookConfiguration, Options{Client: client}))
+	if err != nil {
+		// handler error
+	}
+
+
+Create a SecretCertWriter
+
+	s := &SecretCertWriter{
+		// Set Client and(or) CertGenerator if needed
+	}
+	writer, err := s.New(webhookConfiguration) // webhookConfiguration is an existing runtime.Object
+	if err != nil {
+		// handle error
+	}
+
+Provision the certificates using the initialized CertWriter.
+
+	// writer can be either one of the CertWriters created above
+	err = writer.Handle()
+	if err != nil {
+		// handler error
+	}
+
+*/
+package certwriter