pkg/tlsutil: add support for custom CA

Author: rithujohn191

pkg/tlsutil/error.go

@@ -17,6 +17,8 @@ package tlsutil
 import "errors"
 
 var (
-	ErrCANotFound = errors.New("ca secret and configMap are not found")
+	ErrCANotFound        = errors.New("ca secret and configMap are not found")
+	ErrCAKeyAndCACertReq = errors.New("ca key and ca cert need to be provided when requesting a custom CA.")
+	ErrInternal          = errors.New("internal error while generating TLS assets.")
 	// TODO: add other tls util errors.
 )

pkg/tlsutil/tls.go

@@ -19,6 +19,7 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"strings"
 
 	"k8s.io/api/core/v1"
@@ -138,6 +139,9 @@ type SDKCertGenerator struct {
 	KubeClient kubernetes.Interface
 }
 
+// GenerateCert returns a secret containing the TLS encryption key and cert,
+// a ConfigMap containing the CA Certificate and a Secret containing the CA key or it
+// returns a error incase something goes wrong.
 func (scg *SDKCertGenerator) GenerateCert(cr runtime.Object, service *v1.Service, config *CertConfig) (*v1.Secret, *v1.ConfigMap, *v1.Secret, error) {
 	if err := verifyConfig(config); err != nil {
 		return nil, nil, nil, err
@@ -153,19 +157,57 @@ func (scg *SDKCertGenerator) GenerateCert(cr runtime.Object, service *v1.Service
 		return nil, nil, nil, err
 	}
 	caSecretAndConfigMapName := ToCASecretAndConfigMapName(k, n)
-	caSecret, caConfigMap, err := getCASecretAndConfigMapInCluster(scg.KubeClient, caSecretAndConfigMapName, ns)
+
+	var (
+		caSecret    *v1.Secret
+		caConfigMap *v1.ConfigMap
+	)
+
+	caSecret, caConfigMap, err = getCASecretAndConfigMapInCluster(scg.KubeClient, caSecretAndConfigMapName, ns)
 	if err != nil {
 		return nil, nil, nil, err
 	}
 
+	if config.CAKey != "" && config.CACert != "" {
+		// custom CA provided by the user.
+		customCAKeyData, err := ioutil.ReadFile(config.CAKey)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("error reading CA Key from the given file name: %v", err)
+		}
+
+		customCACertData, err := ioutil.ReadFile(config.CACert)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("error reading CA Cert from the given file name: %v", err)
+		}
+
+		customCAKey, err := parsePEMEncodedPrivateKey(customCAKeyData)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("error parsing CA Key from the given file name: %v", err)
+		}
+
+		customCACert, err := parsePEMEncodedCert(customCACertData)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("error parsing CA Cert from the given file name: %v", err)
+		}
+		caSecret, caConfigMap = toCASecretAndConfigmap(customCAKey, customCACert, caSecretAndConfigMapName)
+	} else if config.CAKey != "" || config.CACert != "" {
+		// if only one of the custom CA Key or Cert is provided
+		return nil, nil, nil, ErrCAKeyAndCACertReq
+	}
+
 	hasAppSecret := appSecret != nil
 	hasCASecretAndConfigMap := caSecret != nil && caConfigMap != nil
-	// TODO: handle passed in CA
-	if hasAppSecret && hasCASecretAndConfigMap {
+
+	switch {
+	case hasAppSecret && hasCASecretAndConfigMap:
 		return appSecret, caConfigMap, caSecret, nil
-	} else if hasAppSecret && !hasCASecretAndConfigMap {
+
+	case hasAppSecret && !hasCASecretAndConfigMap:
 		return nil, nil, nil, ErrCANotFound
-	} else if !hasAppSecret && hasCASecretAndConfigMap {
+
+	case !hasAppSecret && hasCASecretAndConfigMap:
+		// Note: if a custom CA is passed in my the user it takes preference over an already
+		// generated CA secret and CA configmap that might exist in the cluster
 		caKey, err := parsePEMEncodedPrivateKey(caSecret.Data[TLSPrivateCAKeyKey])
 		if err != nil {
 			return nil, nil, nil, err
@@ -187,8 +229,9 @@ func (scg *SDKCertGenerator) GenerateCert(cr runtime.Object, service *v1.Service
 			return nil, nil, nil, err
 		}
 		return appSecret, caConfigMap, caSecret, nil
-	} else {
-		// case: both CA and Application TLS assets don't exist.
+
+	case !hasAppSecret && !hasCASecretAndConfigMap:
+		// If no custom CAKey and CACert are provided we have to generate them
 		caKey, err := newPrivateKey()
 		if err != nil {
 			return nil, nil, nil, err
@@ -197,6 +240,7 @@ func (scg *SDKCertGenerator) GenerateCert(cr runtime.Object, service *v1.Service
 		if err != nil {
 			return nil, nil, nil, err
 		}
+
 		caSecret, caConfigMap := toCASecretAndConfigmap(caKey, caCert, caSecretAndConfigMapName)
 		caSecret, err = scg.KubeClient.CoreV1().Secrets(ns).Create(caSecret)
 		if err != nil {
@@ -219,6 +263,8 @@ func (scg *SDKCertGenerator) GenerateCert(cr runtime.Object, service *v1.Service
 			return nil, nil, nil, err
 		}
 		return appSecret, caConfigMap, caSecret, nil
+	default:
+		return nil, nil, nil, ErrInternal
 	}
 }
 
@@ -252,7 +298,11 @@ func getAppSecretInCluster(kubeClient kubernetes.Interface, name, namespace stri
 }
 
 // getCASecretAndConfigMapInCluster gets CA secret and configmap of the given name and namespace.
-// it only returns both if they are found and nil if both are not found. In the case if only one of them is found, then we error out because we expect either both CA secret and configmap exit or not.
+// it only returns both if they are found and nil if both are not found. In the case if only one of them is found,
+// then we error out because we expect either both CA secret and configmap exit or not.
+//
+// NOTE: both the CA secret and configmap have the same name with template `<cr-kind>-<cr-name>-ca` which is what the
+// input parameter `name` refers to.
 func getCASecretAndConfigMapInCluster(kubeClient kubernetes.Interface, name, namespace string) (*v1.Secret, *v1.ConfigMap, error) {
 	hasConfigMap := true
 	cm, err := kubeClient.CoreV1().ConfigMaps(namespace).Get(name, metav1.GetOptions{})

test/e2e/tls_util_test.go

@@ -17,6 +17,7 @@ package e2e
 import (
 	"io/ioutil"
 	"reflect"
+	"strings"
 	"testing"
 
 	"github.com/operator-framework/operator-sdk/pkg/tlsutil"
@@ -121,7 +122,10 @@ func TestBothAppAndCATLSAssetsExist(t *testing.T) {
 	}
 }
 
-// TestOnlyAppSecretExist tests a case where the application TLS asset exists but its correspoding CA asset doesn't. In this case, CertGenerator can't genereate a new CA because it won't verify the existing application TLS cert. Therefore, CertGenerator can't proceed and returns an error to the caller.
+// TestOnlyAppSecretExist tests a case where the application TLS asset exists but its
+// correspoding CA asset doesn't. In this case, CertGenerator can't genereate a new CA because
+// it won't verify the existing application TLS cert. Therefore, CertGenerator can't proceed
+// and returns an error to the caller.
 func TestOnlyAppSecretExist(t *testing.T) {
 	f := framework.Global
 	ctx := f.NewTestCtx(t)
@@ -146,7 +150,7 @@ func TestOnlyAppSecretExist(t *testing.T) {
 	}
 }
 
-// TestOnlyCAExist ensures that at the case where only the CA exists in the cluster;
+// TestOnlyCAExist tests the case where only the CA exists in the cluster;
 // GenerateCert can retrieve the CA and uses it to create a new application secret.
 func TestOnlyCAExist(t *testing.T) {
 	f := framework.Global
@@ -197,6 +201,44 @@ func TestNoneOfCaAndAppSecretExist(t *testing.T) {
 	verifyCASecret(t, caSecret, namespace)
 }
 
+// TestCustomCA ensures that if a user provides a custom Key and Cert and the CA and Application TLS assets
+// do not exist, the GenerateCert method can use the custom CA to generate the TLS assest.
+func TestCustomCA(t *testing.T) {
+	f := framework.Global
+	ctx := f.NewTestCtx(t)
+	defer ctx.Cleanup(t)
+	namespace, err := ctx.GetNamespace()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cg := tlsutil.NewSDKCertGenerator(f.KubeClient)
+
+	customConfig := &tlsutil.CertConfig{
+		CertName: certName,
+		CAKey:    "testdata/ca.key",
+		CACert:   "testdata/ca.crt",
+	}
+	appSecret, _, _, err := cg.GenerateCert(newDummyCR(namespace), newAppSvc(namespace), customConfig)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	verifyAppSecret(t, appSecret, namespace)
+
+	// ensure caConfigMap does not exist in k8s cluster.
+	_, err = framework.Global.KubeClient.CoreV1().Secrets(namespace).Get(caConfigMapAndSecretName, metav1.GetOptions{})
+	if !strings.Contains(err.Error(), "not found") {
+		t.Fatal(err)
+	}
+
+	// ensure caConfigMap does not exist in k8s cluster.
+	_, err = framework.Global.KubeClient.CoreV1().Secrets(namespace).Get(caConfigMapAndSecretName, metav1.GetOptions{})
+	if !strings.Contains(err.Error(), "not found") {
+		t.Fatal(err)
+	}
+}
+
 func verifyCASecret(t *testing.T, caSecret *v1.Secret, namespace string) {
 	// check if caConfigMap has the correct fields.
 	if caConfigMapAndSecretName != caSecret.Name {