|
| 1 | +// Copyright 2018 The Operator-SDK Authors |
| 2 | +// |
| 3 | +// Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | +// you may not use this file except in compliance with the License. |
| 5 | +// You may obtain a copy of the License at |
| 6 | +// |
| 7 | +// http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | +// |
| 9 | +// Unless required by applicable law or agreed to in writing, software |
| 10 | +// distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | +// See the License for the specific language governing permissions and |
| 13 | +// limitations under the License. |
| 14 | + |
| 15 | +package tlsutil |
| 16 | + |
| 17 | +import ( |
| 18 | + "k8s.io/api/core/v1" |
| 19 | + "k8s.io/apimachinery/pkg/runtime" |
| 20 | +) |
| 21 | + |
| 22 | +// CertType defines the type of the cert. |
| 23 | +type CertType int |
| 24 | + |
| 25 | +const ( |
| 26 | + // ClientCert defines a client cert. |
| 27 | + ClientCert CertType = iota |
| 28 | + // ServingCert defines a serving cert. |
| 29 | + ServingCert |
| 30 | + // ClientAndServingCert defines both client and serving cert. |
| 31 | + ClientAndServingCert |
| 32 | +) |
| 33 | + |
| 34 | +// CertConfig configures how to generate the Cert. |
| 35 | +type CertConfig struct { |
| 36 | + // CertName is the name of the cert. |
| 37 | + CertName string |
| 38 | + // Optional CertType. Serving, client or both; defaults to both. |
| 39 | + CertType CertType |
| 40 | + // Optional CommonName is the common name of the cert; defaults to "". |
| 41 | + CommonName string |
| 42 | + // Optional Organization is Organization of the cert; defaults to "". |
| 43 | + Organization []string |
| 44 | + // Optional CA Key, if user wants to provide custom CA key via a file path. |
| 45 | + CAKey string |
| 46 | + // Optional CA Certificate, if user wants to provide custom CA cert via file path. |
| 47 | + CACert string |
| 48 | + // TODO: consider to add passed in SAN fields. |
| 49 | +} |
| 50 | + |
| 51 | +// CertGenerator is an operator specific TLS tool that generates TLS assets for the deploying a user's application. |
| 52 | +type CertGenerator interface { |
| 53 | + // GenerateCert generates a secret containing TLS encryption key and cert, a Secret |
| 54 | + // containing the CA key, and a ConfigMap containing the CA Certificate given the Custom |
| 55 | + // Resource(CR) "cr", the Kubernetes Service "Service", and the CertConfig "config". |
| 56 | + // |
| 57 | + // GenerateCert creates and manages TLS key and cert and CA with the following: |
| 58 | + // CA creation and management: |
| 59 | + // - If CA is not given: |
| 60 | + // - a unique CA is generated for the CR. |
| 61 | + // - CA's key is packaged into a Secret as shown below. |
| 62 | + // - CA's cert is packaged in a ConfigMap as shown below. |
| 63 | + // - The CA Secret and ConfigMap are then put into the Cluster before returning then to |
| 64 | + // the user. |
| 65 | + // - If CA is given: |
| 66 | + // - CA's key is packaged into a Secret as shown below. |
| 67 | + // - CA's cert is packaged in a ConfigMap as shown below. |
| 68 | + // - The CA Secret and ConfigMap are returned to the user without putting them into the |
| 69 | + // cluster; the reason behind this is that we don't know how to manage the passed in |
| 70 | + // CA. Hence, we simply return them as in Kubernetes Objects, and let the user decides |
| 71 | + // what to do such as whether to put them into kubernte or not. |
| 72 | + // |
| 73 | + // TLS Key and Cert Creation and Management: |
| 74 | + // - A unique TLS key is generated per CR + CertConfig.CertName. For instance, calling |
| 75 | + // GenerateCert twice on the same CR + CertConfig.CertName returns the same TLS secret. |
| 76 | + // - We use the CA determined from the above to generate and to sign the cert of the TLS key. |
| 77 | + // - The signing process uses the passed in "service" to set the Subject Alternative Names(SAN) |
| 78 | + // for the certificate. We assume that the deployed applications are typically communicated |
| 79 | + // with via a Kubernetes Service. The SAN is set to the FQDN of the service |
| 80 | + // `<service-name>.<service-namespace>.svc.cluster.local`. |
| 81 | + // - Once TLS key and and Cert are created, they are packaged into a secret as shown below. |
| 82 | + // - Finally, the secret are put into the Kuberntes before returning it to the user. |
| 83 | + // |
| 84 | + // TLS encryption key and cert Secret format: |
| 85 | + // kind: Secret |
| 86 | + // apiVersion: v1 |
| 87 | + // metadata: |
| 88 | + // name: <cr-kind>-<cr-name>-<CertConfig.CertName> |
| 89 | + // namespace: <cr-namespace> |
| 90 | + // data: |
| 91 | + // tls.crt: ... |
| 92 | + // tls.key: ... |
| 93 | + // |
| 94 | + // CA Certificate ConfigMap format: |
| 95 | + // kind: ConfigMap |
| 96 | + // apiVersion: v1 |
| 97 | + // metadata: |
| 98 | + // name: <cr-kind>-<cr-name>-ca |
| 99 | + // namespace: <cr-namespace> |
| 100 | + // data: |
| 101 | + // ca.crt: ... |
| 102 | + // |
| 103 | + // CA Key Secret format: |
| 104 | + // kind: Secret |
| 105 | + // apiVersion: v1 |
| 106 | + // metadata: |
| 107 | + // name: <cr-kind>-<cr-name>-ca |
| 108 | + // namespace: <cr-namespace> |
| 109 | + // data: |
| 110 | + // ca.key: .. |
| 111 | + GenerateCert(cr runtime.Object, service *v1.Service, config *CertConfig) (*v1.Secret, *v1.ConfigMap, *v1.Secret, error) |
| 112 | +} |
0 commit comments