Skip to content

pkg/util: add interface for tls util #374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 13, 2018
Merged

pkg/util: add interface for tls util #374

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
113 changes: 113 additions & 0 deletions pkg/tlsutil/tls.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,113 @@
// Copyright 2018 The Operator-SDK Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package tlsutil

import (
"k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/runtime"
)

// CertType defines the type of the cert.
type CertType int

const (
// ClientCert defines a client cert.
ClientCert CertType = iota
// ServingCert defines a serving cert.
ServingCert
// ClientAndServingCert defines both client and serving cert.
ClientAndServingCert
)

// CertConfig configures how to generate the Cert.
type CertConfig struct {
// CertName is the name of the cert.
CertName string
// Optional CertType. Serving, client or both; defaults to both.
CertType CertType
// Optional CommonName is the common name of the cert; defaults to "".
CommonName string
// Optional Organization is Organization of the cert; defaults to "".
Organization []string
// Optional CA Key, if user wants to provide custom CA key via a file path.
CAKey string
// Optional CA Certificate, if user wants to provide custom CA cert via file path.
CACert string
// TODO: consider to add passed in SAN fields.
}

// CertGenerator is an operator specific TLS tool that generates TLS assets for the deploying a user's application.
type CertGenerator interface {
// GenerateCert generates a secret containing TLS encryption key and cert, a Secret
// containing the CA key, and a ConfigMap containing the CA Certificate given the Custom
// Resource(CR) "cr", the Kubernetes Service "Service", and the CertConfig "config".
//
// GenerateCert creates and manages TLS key and cert and CA with the following:
// CA creation and management:
// - If CA is not given:
// - A unique CA is generated for the CR.
// - CA's key is packaged into a Secret as shown below.
// - CA's cert is packaged in a ConfigMap as shown below.
// - The CA Secret and ConfigMap are created on the k8s cluster in the CR's namespace before
// returned to the user. The CertGenerator manages the CA Secret and ConfigMap to ensure it's
// unqiue per CR.
// - If CA is given:
// - CA's key is packaged into a Secret as shown below.
// - CA's cert is packaged in a ConfigMap as shown below.
// - The CA Secret and ConfigMap are returned but not created in the K8s cluster in the CR's
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this might be a silly question, but did we consider that these returns are nil?

I think that it would be less confusing for a user if they just didn't get those return values?

Also with 4 return values should we consider a wrapper struct?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this might be a silly question, but did we consider that these returns are nil?
I have not considered return it as nil because I think it is still quite useful to return the CA Secret and ConfigMap. For instance, I might want to mount the CA Cert ConfigMap to a pod so that we can use that to verify the cert that was generated from this CA. If we just simply return nil, the user has to somehow transfer the passed in cert to the designated pod.

Also with 4 return values should we consider a wrapper struct?
I think the 4 values returned is fine for now; it is still quite clear on what's is returning. If we decided to add more return values, we might want to have a wrapper struct.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might want to mount the CA Cert ConfigMap to a pod so that we can use that to verify the cert that was generated from this CA

Sorry, I am little confused, if the ConfigMap is not created in the cluster because the CA was a custom CA, then this would fail right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shawn-hurley If the CA is a custom CA passed in via CertConfig then GenerateCert() will only package the CA cert up as a Configmap and return that object, but not actually create it on the cluster. So it wouldn't really fail in that case.

In the custom CA case it's up to the users whether or not they should create the CA Configmap and Secret returned by GenerateCert() since the operator does not mange the lifecycle of the CA.

// namespace. The CertGenerator doesn't manage the CA because the user controls the lifecycle
// of the CA.
//
// TLS Key and Cert Creation and Management:
// - A unique TLS cert and key pair is generated per CR + CertConfig.CertName.
// - The CA is used to generate and sign the TLS cert.
// - The signing process uses the passed in "service" to set the Subject Alternative Names(SAN)
// for the certificate. We assume that the deployed applications are typically communicated
// with via a Kubernetes Service. The SAN is set to the FQDN of the service
// `<service-name>.<service-namespace>.svc.cluster.local`.
// - Once TLS key and cert are created, they are packaged into a secret as shown below.
// - Finally, the secret are created on the k8s cluster in the CR's namespace before returned to
// the user. The CertGenerator manages this secret to ensure that it is unique per CR +
// CertConfig.CertName.
//
// TLS encryption key and cert Secret format:
// kind: Secret
// apiVersion: v1
// metadata:
// name: <cr-kind>-<cr-name>-<CertConfig.CertName>
// namespace: <cr-namespace>
// data:
// tls.crt: ...
// tls.key: ...
//
// CA Certificate ConfigMap format:
// kind: ConfigMap
// apiVersion: v1
// metadata:
// name: <cr-kind>-<cr-name>-ca
// namespace: <cr-namespace>
// data:
// ca.crt: ...
//
// CA Key Secret format:
// kind: Secret
// apiVersion: v1
// metadata:
// name: <cr-kind>-<cr-name>-ca
// namespace: <cr-namespace>
// data:
// ca.key: ..
GenerateCert(cr runtime.Object, service *v1.Service, config *CertConfig) (*v1.Secret, *v1.ConfigMap, *v1.Secret, error)
}