2020-10-27 00:03:26 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package supervisorconfig
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"fmt"
|
|
|
|
"net/url"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"k8s.io/apimachinery/pkg/labels"
|
|
|
|
corev1informers "k8s.io/client-go/informers/core/v1"
|
|
|
|
"k8s.io/klog/v2"
|
|
|
|
|
2020-10-30 20:09:14 +00:00
|
|
|
"go.pinniped.dev/generated/1.19/client/supervisor/informers/externalversions/config/v1alpha1"
|
2020-10-27 00:03:26 +00:00
|
|
|
pinnipedcontroller "go.pinniped.dev/internal/controller"
|
|
|
|
"go.pinniped.dev/internal/controllerlib"
|
|
|
|
)
|
|
|
|
|
|
|
|
type tlsCertObserverController struct {
|
2020-10-28 18:56:50 +00:00
|
|
|
issuerTLSCertSetter IssuerTLSCertSetter
|
|
|
|
defaultTLSCertificateSecretName string
|
2020-11-02 22:24:55 +00:00
|
|
|
oidcProviderInformer v1alpha1.OIDCProviderInformer
|
2020-10-28 18:56:50 +00:00
|
|
|
secretInformer corev1informers.SecretInformer
|
2020-10-27 00:03:26 +00:00
|
|
|
}
|
|
|
|
|
2020-10-27 23:33:08 +00:00
|
|
|
type IssuerTLSCertSetter interface {
|
2020-10-27 00:03:26 +00:00
|
|
|
SetIssuerHostToTLSCertMap(issuerHostToTLSCertMap map[string]*tls.Certificate)
|
2020-10-27 23:33:08 +00:00
|
|
|
SetDefaultTLSCert(certificate *tls.Certificate)
|
2020-10-27 00:03:26 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func NewTLSCertObserverController(
|
2020-10-27 23:33:08 +00:00
|
|
|
issuerTLSCertSetter IssuerTLSCertSetter,
|
2020-10-28 18:56:50 +00:00
|
|
|
defaultTLSCertificateSecretName string,
|
2020-10-27 00:03:26 +00:00
|
|
|
secretInformer corev1informers.SecretInformer,
|
2020-11-02 22:24:55 +00:00
|
|
|
oidcProviderInformer v1alpha1.OIDCProviderInformer,
|
2020-10-27 00:03:26 +00:00
|
|
|
withInformer pinnipedcontroller.WithInformerOptionFunc,
|
|
|
|
) controllerlib.Controller {
|
|
|
|
return controllerlib.New(
|
|
|
|
controllerlib.Config{
|
|
|
|
Name: "tls-certs-observer-controller",
|
|
|
|
Syncer: &tlsCertObserverController{
|
2020-10-28 18:56:50 +00:00
|
|
|
issuerTLSCertSetter: issuerTLSCertSetter,
|
|
|
|
defaultTLSCertificateSecretName: defaultTLSCertificateSecretName,
|
2020-11-02 22:24:55 +00:00
|
|
|
oidcProviderInformer: oidcProviderInformer,
|
2020-10-28 18:56:50 +00:00
|
|
|
secretInformer: secretInformer,
|
2020-10-27 00:03:26 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
withInformer(
|
|
|
|
secretInformer,
|
|
|
|
pinnipedcontroller.MatchAnythingFilter(),
|
|
|
|
controllerlib.InformerOption{},
|
|
|
|
),
|
|
|
|
withInformer(
|
2020-11-02 22:24:55 +00:00
|
|
|
oidcProviderInformer,
|
2020-10-27 00:03:26 +00:00
|
|
|
pinnipedcontroller.MatchAnythingFilter(),
|
|
|
|
controllerlib.InformerOption{},
|
|
|
|
),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
|
|
|
|
ns := ctx.Key.Namespace
|
2020-11-02 22:24:55 +00:00
|
|
|
allProviders, err := c.oidcProviderInformer.Lister().OIDCProviders(ns).List(labels.Everything())
|
2020-10-27 00:03:26 +00:00
|
|
|
if err != nil {
|
2020-11-02 22:24:55 +00:00
|
|
|
return fmt.Errorf("failed to list OIDCProviders: %w", err)
|
2020-10-27 00:03:26 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Rebuild the whole map on any change to any Secret or OIDCProvider, because either can have changes that
|
|
|
|
// can cause the map to need to be updated.
|
|
|
|
issuerHostToTLSCertMap := map[string]*tls.Certificate{}
|
|
|
|
|
|
|
|
for _, provider := range allProviders {
|
2020-11-02 22:55:29 +00:00
|
|
|
secretName := ""
|
|
|
|
if provider.Spec.TLS != nil {
|
|
|
|
secretName = provider.Spec.TLS.SecretName
|
|
|
|
}
|
2020-10-27 00:03:26 +00:00
|
|
|
issuerURL, err := url.Parse(provider.Spec.Issuer)
|
|
|
|
if err != nil {
|
|
|
|
klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)
|
|
|
|
continue
|
|
|
|
}
|
2020-10-27 23:33:08 +00:00
|
|
|
certFromSecret, err := c.certFromSecret(ns, secretName)
|
2020-10-27 00:03:26 +00:00
|
|
|
if err != nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
// Lowercase the host part of the URL because hostnames should be treated as case-insensitive.
|
2020-10-27 23:33:08 +00:00
|
|
|
issuerHostToTLSCertMap[lowercaseHostWithoutPort(issuerURL)] = certFromSecret
|
2020-10-27 00:03:26 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
klog.InfoS("tlsCertObserverController Sync updated the TLS cert cache", "issuerHostCount", len(issuerHostToTLSCertMap))
|
2020-10-27 23:33:08 +00:00
|
|
|
c.issuerTLSCertSetter.SetIssuerHostToTLSCertMap(issuerHostToTLSCertMap)
|
|
|
|
|
2020-10-28 18:56:50 +00:00
|
|
|
defaultCert, err := c.certFromSecret(ns, c.defaultTLSCertificateSecretName)
|
2020-10-27 23:33:08 +00:00
|
|
|
if err != nil {
|
|
|
|
c.issuerTLSCertSetter.SetDefaultTLSCert(nil)
|
|
|
|
} else {
|
|
|
|
c.issuerTLSCertSetter.SetDefaultTLSCert(defaultCert)
|
|
|
|
}
|
2020-10-27 00:03:26 +00:00
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-10-27 23:33:08 +00:00
|
|
|
func (c *tlsCertObserverController) certFromSecret(ns string, secretName string) (*tls.Certificate, error) {
|
|
|
|
tlsSecret, err := c.secretInformer.Lister().Secrets(ns).Get(secretName)
|
|
|
|
if err != nil {
|
|
|
|
klog.InfoS("tlsCertObserverController Sync could not find TLS cert secret", "namespace", ns, "secretName", secretName)
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
certFromSecret, err := tls.X509KeyPair(tlsSecret.Data["tls.crt"], tlsSecret.Data["tls.key"])
|
|
|
|
if err != nil {
|
|
|
|
klog.InfoS("tlsCertObserverController Sync found a TLS secret with Data in an unexpected format", "namespace", ns, "secretName", secretName)
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &certFromSecret, nil
|
|
|
|
}
|
|
|
|
|
2020-10-27 00:03:26 +00:00
|
|
|
func lowercaseHostWithoutPort(issuerURL *url.URL) string {
|
|
|
|
lowercaseHost := strings.ToLower(issuerURL.Host)
|
|
|
|
colonSegments := strings.Split(lowercaseHost, ":")
|
|
|
|
return colonSegments[0]
|
|
|
|
}
|