pkg/tlsutil: add tls util interface and config definition

fanminshi · fanminshi · commit 553ba2f7452a · 2018-08-07T14:53:10.000-07:00
diff --git a/pkg/tlsutil/tls.go b/pkg/tlsutil/tls.go
@@ -0,0 +1,99 @@
+// Copyright 2018 The Operator-SDK Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tlsutil
+
+import (
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// CertType defines the type of the cert.
+type CertType int
+
+const (
+	// ClientCert defines a client cert.
+	ClientCert CertType = iota
+	// ServingCert defines a serving cert.
+	ServingCert
+	// ClientAndServingCert defines both client and serving cert.
+	ClientAndServingCert
+)
+
+// CertConfig configures how to generate the Cert.
+type CertConfig struct {
+	// CertName is the name of the cert.
+	CertName string
+	// Optional CertType. Serving, client or both; defaults to both.
+	CertType CertType
+	// Optional CommonName is the common name of the cert; defaults to "".
+	CommonName string
+	// Optional Organization is Organization of the cert; defaults to "".
+	Organization []string
+	// Optional CA Key, if user wants to provide custom CA key via a file path.
+	CAKey string
+	// Optional CA Certificate, if user wants to provide custom CA cert via file path.
+	CACert string
+}
+
+// CertGenerator is an operator specific TLS tool that generates TLS assets for the deploying application.
+type CertGenerator interface {
+	// GenerateCert generates a secret containing TLS encryption key and cert, a Secret
+	// containing the CA key, and a ConfigMap containing the CA Certificate given the Custom
+	// Resource(CR) "cr", the Kubernetes Service "Service", and the CertConfig "config".
+	//
+	// The passed in "service" represents endpoint(s) of a communicating party. We assume that the
+	// deployed applications are typically communicated via the Kubernete Service. Therefore, the
+	// cert is generated to certify the endpoint(s) defined by the "service".
+	//
+	// If CA is not passed in via CertConfig, GenerateCert creates a unique self signed CA
+	// corresponding to the "cr" for signing the TLS cert and also puts the self signed CA and TLS
+	// key and Certs into the Kubernetes cluster before returning.
+	// If CA is passed in, GenerateCert use it for signing the TLS cert but
+	// only puts TLS key and cert into the cluster not the passed in CA; the user has to
+	// figure out what to do with the returned CA object.
+	// Note that the self signed CA is unique per CR; calling GenerateCert on the same CR
+	// returns the same CA. Also a secret is unique per CR + CertConfig.CertName combination;
+	// calling GenerateCert on the CR + CertConfig.CertName returns the same TLS key and cert secret.
+	// TODO: add caveats.
+	//
+	// TLS encryption key and cert Secret format:
+	// kind: Secret
+	// apiVersion: v1
+	// metadata:
+	//  name: <cr-kind>-<cr-name>-<CertConfig.CertName>
+	//  namespace: <cr-namespace>
+	// data:
+	//  tls.crt: ...
+	//  tls.key: ...
+	//
+	// CA Certificate ConfigMap format:
+	// kind: ConfigMap
+	//   apiVersion: v1
+	//   metadata:
+	//     name: <cr-kind>-<cr-name>-ca
+	//     namespace: <cr-namespace>
+	//   data:
+	//     ca.crt: ...
+	//
+	// CA Key Secret format:
+	//  kind: Secret
+	//  apiVersion: v1
+	//  metadata:
+	//   name: <cr-kind>-<cr-name>-ca
+	//   namespace: <cr-namespace>
+	//  data:
+	//   ca.key: ..
+	GenerateCert(cr runtime.Object, service *v1.Service, config *CertConfig) (*v1.Secret, *v1.ConfigMap, *v1.Secret, error)
+}
