pkg/util: add interface for tls util

fanminshi · fanminshi · commit eb32a91f17e7 · 2018-08-02T13:48:15.000-07:00
diff --git a/pkg/util/tlsutil/tls.go b/pkg/util/tlsutil/tls.go
@@ -0,0 +1,91 @@
+// Copyright 2018 The Operator-SDK Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tlsutil
+
+import (
+	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// CertType defines the type of the cert.
+type CertType int
+
+const (
+	// ClientCert defines a client cert.
+	ClientCert CertType = iota
+	// ServingCert defines a serving cert.
+	ServingCert
+	// ClientAndServingCert defines both client and serving cert.
+	ClientAndServingCert
+)
+
+// CertConfig configures how to generate the Cert.
+type CertConfig struct {
+	// CertName is the name of the cert.
+	CertName string
+	// Optional CertType. Serving, client or both; defaults to both.
+	CertType CertType
+	// Optional CommonName is the common name of the cert; defaults to "".
+	CommonName string
+	// Optional Organization is Organization of the cert; defaults to "".
+	Organization []string
+	// Optional CAKey, if user wants to provide custom CA key path.
+	CAKey string
+	// Optional CA Certificate, if user wants to provide custom CA cert path.
+	CACert string
+}
+
+// CertGenerator is an operator specific TLS tool that generates TLS assets for the deploying application.
+type CertGenerator interface {
+	// GenerateCert generates a secret containing TLS encryption Key and Certificate for the given
+	// service. the service is one of communication endpoints between two parties.
+	// The generated cert certifies that endpoint.
+	// When generating the secret if CAKey and CACert from the CertConfig are not given, a unique
+	// self signed CA for the Custom Resource is generated to sign the Certificate.
+	// In addition to generate CA and the application TLS Secret, those are also created as
+	// the Kubernetes objects with CA format shown in output of the CACert() and with the format
+	// of the secret as the following:
+	//
+	// kind: Secret
+	// apiVersion: v1
+	// metadata:
+	//  name: <cr-kind>-<cr-name>-<CertConfig.CertName>
+	//  namespace: <cr-namespace>
+	// data:
+	//  tls.crt: ...
+	//  tls.key: ...
+	GenerateCert(cr runtime.Object, service *v1.Service, config *CertConfig) (*v1.Secret, error)
+	// CACert returns the CA cert as in a ConfigMap and the CA encryption key as in a Secret
+	// for the given Custom resource (CR); the CA is unique per CR. For example, calling
+	// CACert twice returns the same ConfigMap and Secret.
+	// The formats for the ConfigMap and Secret are the following:
+	//
+	// kind: ConfigMap
+	//   apiVersion: v1
+	//   metadata:
+	//     name: <cr-kind>-<cr-name>-ca
+	//     namespace: <cr-namespace>
+	//   data:
+	//     ca.crt: ...
+	//
+	//  kind: Secret
+	//  apiVersion: v1
+	//  metadata:
+	//   name: <cr-kind>-<cr-name>-ca
+	//   namespace: <cr-namespace>
+	//  data:
+	//   ca.key: ..
+	CACert(cr runtime.Object) (*v1.ConfigMap, *v1.Secret, error)
+}
