2020-08-19 20:15:45 +00:00
|
|
|
/*
|
|
|
|
Copyright 2020 VMware, Inc.
|
|
|
|
SPDX-License-Identifier: Apache-2.0
|
|
|
|
*/
|
|
|
|
|
|
|
|
package apicerts
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/x509"
|
|
|
|
"encoding/pem"
|
|
|
|
"fmt"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
corev1 "k8s.io/api/core/v1"
|
|
|
|
k8serrors "k8s.io/apimachinery/pkg/api/errors"
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
corev1informers "k8s.io/client-go/informers/core/v1"
|
|
|
|
"k8s.io/client-go/kubernetes"
|
|
|
|
"k8s.io/klog/v2"
|
|
|
|
|
2020-08-20 17:54:15 +00:00
|
|
|
"github.com/suzerain-io/pinniped/internal/constable"
|
|
|
|
pinnipedcontroller "github.com/suzerain-io/pinniped/internal/controller"
|
2020-08-28 15:59:09 +00:00
|
|
|
"github.com/suzerain-io/pinniped/internal/controllerlib"
|
2020-08-19 20:15:45 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type certsExpirerController struct {
|
|
|
|
namespace string
|
|
|
|
k8sClient kubernetes.Interface
|
|
|
|
secretInformer corev1informers.SecretInformer
|
|
|
|
|
2020-08-20 19:17:18 +00:00
|
|
|
// renewBefore is the amount of time after the cert's issuance where
|
|
|
|
// this controller will start to try to rotate it.
|
|
|
|
renewBefore time.Duration
|
2020-08-19 20:15:45 +00:00
|
|
|
}
|
|
|
|
|
2020-08-28 15:59:09 +00:00
|
|
|
// NewCertsExpirerController returns a controllerlib.Controller that will delete a
|
2020-08-20 19:17:18 +00:00
|
|
|
// certificate secret once it gets within some threshold of its expiration time. The
|
|
|
|
// deletion forces rotation of the secret with the help of other controllers.
|
2020-08-19 20:15:45 +00:00
|
|
|
func NewCertsExpirerController(
|
|
|
|
namespace string,
|
|
|
|
k8sClient kubernetes.Interface,
|
|
|
|
secretInformer corev1informers.SecretInformer,
|
2020-08-20 17:54:15 +00:00
|
|
|
withInformer pinnipedcontroller.WithInformerOptionFunc,
|
2020-08-20 19:17:18 +00:00
|
|
|
renewBefore time.Duration,
|
2020-08-28 15:59:09 +00:00
|
|
|
) controllerlib.Controller {
|
|
|
|
return controllerlib.New(
|
|
|
|
controllerlib.Config{
|
2020-08-19 20:15:45 +00:00
|
|
|
Name: "certs-expirer-controller",
|
|
|
|
Syncer: &certsExpirerController{
|
|
|
|
namespace: namespace,
|
|
|
|
k8sClient: k8sClient,
|
|
|
|
secretInformer: secretInformer,
|
2020-08-20 19:17:18 +00:00
|
|
|
renewBefore: renewBefore,
|
2020-08-19 20:15:45 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
withInformer(
|
|
|
|
secretInformer,
|
2020-08-20 17:54:15 +00:00
|
|
|
pinnipedcontroller.NameAndNamespaceExactMatchFilterFactory(certsSecretName, namespace),
|
2020-08-28 15:59:09 +00:00
|
|
|
controllerlib.InformerOption{},
|
2020-08-19 20:15:45 +00:00
|
|
|
),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Sync implements controller.Syncer.Sync.
|
2020-08-28 15:59:09 +00:00
|
|
|
func (c *certsExpirerController) Sync(ctx controllerlib.Context) error {
|
2020-08-19 20:15:45 +00:00
|
|
|
secret, err := c.secretInformer.Lister().Secrets(c.namespace).Get(certsSecretName)
|
|
|
|
notFound := k8serrors.IsNotFound(err)
|
|
|
|
if err != nil && !notFound {
|
|
|
|
return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, certsSecretName, err)
|
|
|
|
}
|
|
|
|
if notFound {
|
|
|
|
klog.Info("certsExpirerController Sync() found that the secret does not exist yet or was deleted")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-08-20 19:17:18 +00:00
|
|
|
notBefore, notAfter, err := getCertBounds(secret)
|
2020-08-19 20:15:45 +00:00
|
|
|
if err != nil {
|
2020-08-20 19:17:18 +00:00
|
|
|
// If we can't read the cert, then really all we can do is log something,
|
|
|
|
// since if we returned an error then the controller lib would just call us
|
|
|
|
// again and again, which would probably yield the same results.
|
2020-08-19 20:15:45 +00:00
|
|
|
klog.Warningf("certsExpirerController Sync() found that the secret is malformed: %s", err.Error())
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-08-20 19:17:18 +00:00
|
|
|
certAge := time.Since(notBefore)
|
|
|
|
renewDelta := certAge - c.renewBefore
|
|
|
|
klog.Infof("certsExpirerController Sync() found a renew delta of %s", renewDelta)
|
|
|
|
if renewDelta >= 0 || time.Now().After(notAfter) {
|
2020-08-19 20:15:45 +00:00
|
|
|
err := c.k8sClient.
|
|
|
|
CoreV1().
|
|
|
|
Secrets(c.namespace).
|
|
|
|
Delete(ctx.Context, certsSecretName, metav1.DeleteOptions{})
|
|
|
|
if err != nil {
|
|
|
|
// Do return an error here so that the controller library will reschedule
|
|
|
|
// us to try deleting this cert again.
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-08-20 19:17:18 +00:00
|
|
|
// getCertBounds returns the NotBefore and NotAfter fields of the TLS
|
|
|
|
// certificate in the provided secret, or an error. Not that it expects the
|
|
|
|
// provided secret to contain the well-known data keys from this package (see
|
|
|
|
// certs_manager.go).
|
|
|
|
func getCertBounds(secret *corev1.Secret) (time.Time, time.Time, error) {
|
|
|
|
certPEM := secret.Data[tlsCertificateChainSecretKey]
|
|
|
|
if certPEM == nil {
|
|
|
|
return time.Time{}, time.Time{}, constable.Error("failed to find certificate")
|
2020-08-19 20:15:45 +00:00
|
|
|
}
|
|
|
|
|
2020-08-20 19:17:18 +00:00
|
|
|
certBlock, _ := pem.Decode(certPEM)
|
|
|
|
if certBlock == nil {
|
|
|
|
return time.Time{}, time.Time{}, constable.Error("failed to decode certificate PEM")
|
2020-08-19 20:15:45 +00:00
|
|
|
}
|
|
|
|
|
2020-08-20 19:17:18 +00:00
|
|
|
cert, err := x509.ParseCertificate(certBlock.Bytes)
|
2020-08-19 20:15:45 +00:00
|
|
|
if err != nil {
|
2020-08-20 19:17:18 +00:00
|
|
|
return time.Time{}, time.Time{}, fmt.Errorf("failed to parse certificate: %w", err)
|
2020-08-19 20:15:45 +00:00
|
|
|
}
|
|
|
|
|
2020-08-20 19:17:18 +00:00
|
|
|
return cert.NotBefore, cert.NotAfter, nil
|
2020-08-19 20:15:45 +00:00
|
|
|
}
|