kubernetes-sigs
diff --git a/‎pkg/admission/certoutput/certoutput.go
Lines changed: 367 additions & 0 deletions b/‎pkg/admission/certoutput/certoutput.go
Lines changed: 367 additions & 0 deletions
@@ -0,0 +1,367 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certoutput
+
+import (
+	"bytes"
+	"fmt"
+	"net/url"
+	"strings"
+
+	admissionregistrationv1beta1 "k8s.io/api/admissionregistration/v1beta1"
+	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	apitypes "k8s.io/apimachinery/pkg/types"
+
+	"github.com/kubernetes-sigs/controller-runtime/pkg/admission/certprovisioner"
+	"github.com/kubernetes-sigs/controller-runtime/pkg/client"
+)
+
+var (
+	// Use an annotation in the following format:
+	// secret.certprovisioner.kubernetes.io/<webhook-name>: <secret-namespace>/<secret-name>
+	// the webhook cert manager library will provision the certificate for the webhook by
+	// storing it in the specified secret.
+	SecretCertInjectionAnnotationKeyPrefix = "secret.certprovisioner.kubernetes.io/"
+
+	// Use an annotation in the following format:
+	// local.certprovisioner.kubernetes.io/<webhook-name>: path/to/certs/
+	// the webhook cert manager library will provision the certificate for the webhook by
+	// storing it under the specified path.
+	// format: local.certprovisioner.kubernetes.io/webhookName: path/to/certs/
+	LocalCertInjectionAnnotationKeyPrefix = "local.certprovisioner.kubernetes.io/"
+
+	CACertName     = "ca-cert.pem"
+	ServerKeyName  = "key.pem"
+	ServerCertName = "cert.pem"
+)
+
+type Options struct {
+	Type *CertOutputType
+}
+
+const (
+	SecretType CertOutputType = "secret-certoutput-type"
+)
+
+type CertOutputType string
+
+// CertsOutput provides method to handle webhooks.
+type CertsOutput interface {
+	// Handle process one webhook.
+	Handle(webhook *admissionregistrationv1beta1.Webhook) error
+}
+
+func New(webhookConfig runtime.Object, client client.Client, cp certprovisioner.CertProvisioner, op Options) (CertsOutput, error) {
+	if op.Type == nil {
+		t := SecretType
+		op.Type = &t
+	}
+	switch *op.Type {
+	case SecretType:
+		return newSecretCertsReadWriter(webhookConfig, client, cp)
+	default:
+		return nil, fmt.Errorf("unknown CertOutputType: %v", op.Type)
+	}
+}
+
+func newSecretCertsReadWriter(webhookConfig runtime.Object, client client.Client, cp certprovisioner.CertProvisioner) (CertsOutput, error) {
+	webhookToSecret := map[string]apitypes.NamespacedName{}
+	accessor, err := meta.Accessor(webhookConfig)
+	if err != nil {
+		return nil, err
+	}
+	annotations := accessor.GetAnnotations()
+	if annotations == nil {
+		return nil, nil
+	}
+
+	for k, v := range annotations {
+		if strings.HasPrefix(k, SecretCertInjectionAnnotationKeyPrefix) {
+			webhookName := strings.TrimPrefix(k, SecretCertInjectionAnnotationKeyPrefix)
+			webhookToSecret[webhookName] = apitypes.NewNamespacedNameFromString(v)
+		}
+	}
+
+	return &secretCertsOutput{
+		client:           client,
+		webhookConfig:    webhookConfig,
+		webhookToSecrets: webhookToSecret,
+		certInput:        cp,
+	}, nil
+}
+
+var _ CertsOutput = &secretCertsOutput{}
+
+type secretCertsOutput struct {
+	client client.Client
+
+	// The webhookConfiguration it is going to handle.
+	webhookConfig runtime.Object
+	// A map from wehbook name to the individual webhook.
+	webhookMap map[string]*admissionregistrationv1beta1.Webhook
+	// A map from webhook name to the service namespace and name.
+	webhookToSecrets map[string]apitypes.NamespacedName
+
+	certInput certprovisioner.CertProvisioner
+}
+
+// syncSecretWithWebhook ensures the certificate and CA exist and valid for the given webhook.
+// syncSecretWithWebhook will modify the passed-in webhook.
+func (s *secretCertsOutput) Handle(webhook *admissionregistrationv1beta1.Webhook) error {
+	return handleCommon(webhook, s)
+}
+
+func handleCommon(webhook *admissionregistrationv1beta1.Webhook, ch certsHandler) error {
+
+	webhookName := webhook.Name
+	if ch.skip(webhookName) {
+		return nil
+	}
+
+	certs, err := ch.read(webhookName)
+	if apierrors.IsNotFound(err) {
+		certs, err = ch.write(webhookName)
+		if err != nil {
+			return err
+		}
+	} else if err != nil {
+		return err
+	}
+
+	// Recreate the cert if it's invalid.
+	if !validCertInSecret(certs) {
+		certs, err = ch.write(webhookName)
+		if err != nil {
+			return err
+		}
+		if err != nil {
+			return err
+		}
+	}
+
+	// Ensure the CA bundle in the webhook configuration has the signing CA.
+	caBundle := webhook.ClientConfig.CABundle
+	caCert := certs.CACert
+	if !bytes.Contains(caBundle, caCert) {
+		webhook.ClientConfig.CABundle = append(caBundle, caCert...)
+	}
+	return nil
+}
+
+// certsHandler provides methods for handling certificates for webhook.
+type certsHandler interface {
+	// skip returns if the webhook should be skipped.
+	skip(webhookName string) bool
+	// read reads a wehbook name and returns the certs for it.
+	read(webhookName string) (*certprovisioner.Certs, error)
+	// write writes the certs and return the certs it wrote.
+	write(webhookName string) (*certprovisioner.Certs, error)
+}
+
+var _ certsHandler = &secretCertsOutput{}
+
+func (s *secretCertsOutput) skip(webhookName string) bool {
+	_, found := s.webhookToSecrets[webhookName]
+	return !found
+}
+
+func (s *secretCertsOutput) write(webhookName string) (
+	*certprovisioner.Certs, error) {
+	sec, found := s.webhookToSecrets[webhookName]
+	if !found {
+		return nil, fmt.Errorf("failed to find the secret name by the webhook name: %q", webhookName)
+	}
+
+	webhook := s.webhookMap[webhookName]
+	commonName, err := webhookClientConfigToCommonName(&webhook.ClientConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	secret := &corev1.Secret{}
+	err = s.client.Get(nil, sec, secret)
+	if apierrors.IsNotFound(err) {
+		certs, err := s.certInput.ProvisionServingCert(commonName)
+		if err != nil {
+			return nil, err
+		}
+		secret = certsToSecret(certs, sec)
+		// TODO fix and enable it
+		//err = setOwnerRef(secret, s.webhookConfig)
+		err = s.client.Create(nil, secret)
+		return certs, err
+	} else if err != nil {
+		return nil, err
+	}
+
+	certs, err := secretToCerts(secret)
+	if err != nil {
+		return nil, err
+	}
+	// Recreate the cert if it's invalid.
+	if !validCertInSecret(certs) {
+		certs, err := s.certInput.ProvisionServingCert(commonName)
+		if err != nil {
+			return nil, err
+		}
+		secret = certsToSecret(certs, sec)
+		// TODO fix and enable it
+		//err = setOwnerRef(secret, s.webhookConfig)
+		err = s.client.Update(nil, secret)
+		return certs, err
+	}
+	return certs, nil
+}
+
+func (s *secretCertsOutput) read(webhookName string) (*certprovisioner.Certs, error) {
+	sec, found := s.webhookToSecrets[webhookName]
+	if !found {
+		return nil, fmt.Errorf("failed to find the secret name by the webhook name: %q", webhookName)
+	}
+	secret := &corev1.Secret{}
+	err := s.client.Get(nil, sec, secret)
+	if err != nil {
+		return nil, err
+	}
+	return secretToCerts(secret)
+}
+
+// Mark the webhook as the owner of the secret by setting the ownerReference in the secret.
+func setOwnerRef(secret, webhookConfig runtime.Object) error {
+	accessor, err := meta.Accessor(webhookConfig)
+	// TODO: typeAccessor.GetAPIVersion() and typeAccessor.GetKind() returns empty apiVersion and Kind, fix it.
+	typeAccessor, err := meta.TypeAccessor(webhookConfig)
+	if err != nil {
+		return err
+	}
+	blockOwnerDeletion := false
+	// Due to
+	// https://github.com/kubernetes/kubernetes/blob/5da925ad4fd070e687dc5255c177d5e7d542edd7/staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/controller_ref.go#L35
+	isController := true
+	ownerRef := metav1.OwnerReference{
+		APIVersion:         typeAccessor.GetAPIVersion(),
+		Kind:               typeAccessor.GetKind(),
+		Name:               accessor.GetName(),
+		UID:                accessor.GetUID(),
+		BlockOwnerDeletion: &blockOwnerDeletion,
+		Controller:         &isController,
+	}
+	secretAccessor, err := meta.Accessor(secret)
+	if err != nil {
+		return err
+	}
+	secretAccessor.SetOwnerReferences([]metav1.OwnerReference{ownerRef})
+	return nil
+}
+
+func validCertInSecret(certs *certprovisioner.Certs) bool {
+	// TODO: 1) validate the key and the cert are valid pair e.g. call crypto/tls.X509KeyPair()
+	// 2) validate the cert with the CA cert
+	// 3) validate the cert is for a certain DNSName
+	// e.g.
+	// c, err := tls.X509KeyPair(cert, key)
+	// err := c.Verify(options)
+
+	return true
+}
+
+func secretToCerts(secret *corev1.Secret) (*certprovisioner.Certs, error) {
+	checkList := []string{CACertName, ServerCertName, ServerKeyName}
+	for _, key := range checkList {
+		if _, ok := secret.Data[key]; !ok {
+			return nil, fmt.Errorf("failed to find required key: %q in the secret", key)
+		}
+	}
+	return &certprovisioner.Certs{
+		CACert: secret.Data[CACertName],
+		Cert:   secret.Data[ServerCertName],
+		Key:    secret.Data[ServerKeyName],
+	}, nil
+}
+
+func certsToSecret(certs *certprovisioner.Certs, sec apitypes.NamespacedName) *corev1.Secret {
+	return &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "Secret",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: sec.Namespace,
+			Name:      sec.Name,
+		},
+		Data: map[string][]byte{
+			CACertName:     certs.CACert,
+			ServerKeyName:  certs.Key,
+			ServerCertName: certs.Cert,
+		},
+	}
+}
+
+func webhookClientConfigToCommonName(config *admissionregistrationv1beta1.WebhookClientConfig) (string, error) {
+	if config.Service != nil && config.URL != nil {
+		return "", fmt.Errorf("service and URL can't be set at the same time in a webhook: %#v", config)
+	}
+	if config.Service == nil && config.URL == nil {
+		return "", fmt.Errorf("one of service and URL need to be set in a webhook: %#v", config)
+	}
+	if config.Service != nil {
+		return certprovisioner.ServiceToCommonName(config.Service.Namespace, config.Service.Name), nil
+	}
+	if config.URL != nil {
+		u, err := url.Parse(*config.URL)
+		return u.Host, err
+	}
+	return "", nil
+}
+
+//// fsCertsOutput deals with the local FS.
+//// This is designed for running as static pod on the master node.
+//type fsCertsOutput struct {
+//	// The webhookConfiguration it is going to handle.
+//	webhookConfig runtime.Object
+//	// A map from webhook name to the path to write the certificates.
+//	WebhookToPath map[string]string
+//}
+//
+//var _ CertsOutput = &fsCertsOutput{}
+//
+//func (s *fsCertsOutput) Handle(webhook *admissionregistrationv1beta1.Webhook) error {
+//	// TODO: implement this
+//	return nil
+//}
+//
+//var _ certsHandler = &fsCertsOutput{}
+//
+//func (s *fsCertsOutput) skip(webhookName string) bool {
+//	// TODO: implement this
+//	return true
+//}
+//
+//func (s *fsCertsOutput) write(webhookName string) (
+//	*certprovisioner.Certs, error) {
+//	// TODO: implement this
+//	return nil, nil
+//}
+//
+//func (s *fsCertsOutput) read(webhookName string) (*certprovisioner.Certs, error) {
+//	// TODO: implement this
+//	return nil, nil
+//}