ContainerImage.Pinniped/internal/controller/apicerts/certs_manager.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package apicerts

import (
	"crypto/x509/pkix"
	"fmt"
	"time"

	corev1 "k8s.io/api/core/v1"
	k8serrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	corev1informers "k8s.io/client-go/informers/core/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/klog/v2"

	"go.pinniped.dev/internal/certauthority"
	pinnipedcontroller "go.pinniped.dev/internal/controller"
	"go.pinniped.dev/internal/controllerlib"
)

const (
	CACertificateSecretKey           = "caCertificate"
	CACertificatePrivateKeySecretKey = "caCertificatePrivateKey"
	tlsPrivateKeySecretKey           = "tlsPrivateKey"
	TLSCertificateChainSecretKey     = "tlsCertificateChain"
)

type certsManagerController struct {
	namespace               string
	certsSecretResourceName string
	certsSecretLabels       map[string]string
	k8sClient               kubernetes.Interface
	secretInformer          corev1informers.SecretInformer

	// certDuration is the lifetime of both the serving certificate and its CA
	// certificate that this controller will use when issuing the certificates.
	certDuration time.Duration

	generatedCACommonName                 string
	serviceNameForGeneratedCertCommonName string
}

func NewCertsManagerController(
	namespace string,
	certsSecretResourceName string,
	certsSecretLabels map[string]string,
	k8sClient kubernetes.Interface,
	secretInformer corev1informers.SecretInformer,
	withInformer pinnipedcontroller.WithInformerOptionFunc,
	withInitialEvent pinnipedcontroller.WithInitialEventOptionFunc,
	certDuration time.Duration,
	generatedCACommonName string,
	serviceNameForGeneratedCertCommonName string,
) controllerlib.Controller {
	return controllerlib.New(
		controllerlib.Config{
			Name: "certs-manager-controller",
			Syncer: &certsManagerController{
				namespace:                             namespace,
				certsSecretResourceName:               certsSecretResourceName,
				certsSecretLabels:                     certsSecretLabels,
				k8sClient:                             k8sClient,
				secretInformer:                        secretInformer,
				certDuration:                          certDuration,
				generatedCACommonName:                 generatedCACommonName,
				serviceNameForGeneratedCertCommonName: serviceNameForGeneratedCertCommonName,
			},
		},
		withInformer(
			secretInformer,
			pinnipedcontroller.NameAndNamespaceExactMatchFilterFactory(certsSecretResourceName, namespace),
			controllerlib.InformerOption{},
		),
		// Be sure to run once even if the Secret that the informer is watching doesn't exist.
		withInitialEvent(controllerlib.Key{
			Namespace: namespace,
			Name:      certsSecretResourceName,
		}),
	)
}

func (c *certsManagerController) Sync(ctx controllerlib.Context) error {
	// Try to get the secret from the informer cache.
	_, err := c.secretInformer.Lister().Secrets(c.namespace).Get(c.certsSecretResourceName)
	notFound := k8serrors.IsNotFound(err)
	if err != nil && !notFound {
		return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, c.certsSecretResourceName, err)
	}
	if !notFound {
		// The secret already exists, so nothing to do.
		return nil
	}

	// Create a CA.
	ca, err := certauthority.New(pkix.Name{CommonName: c.generatedCACommonName}, c.certDuration)
	if err != nil {
		return fmt.Errorf("could not initialize CA: %w", err)
	}

	caPrivateKeyPEM, err := ca.PrivateKeyToPEM()
	if err != nil {
		return fmt.Errorf("could not get CA private key: %w", err)
	}

	secret := corev1.Secret{
		TypeMeta: metav1.TypeMeta{},
		ObjectMeta: metav1.ObjectMeta{
			Name:      c.certsSecretResourceName,
			Namespace: c.namespace,
			Labels:    c.certsSecretLabels,
		},
		StringData: map[string]string{
			CACertificateSecretKey:           string(ca.Bundle()),
			CACertificatePrivateKeySecretKey: string(caPrivateKeyPEM),
		},
	}

	// Using the CA from above, create a TLS server cert if we have service name.
	if len(c.serviceNameForGeneratedCertCommonName) != 0 {
		serviceEndpoint := c.serviceNameForGeneratedCertCommonName + "." + c.namespace + ".svc"
		tlsCert, err := ca.Issue(
			pkix.Name{CommonName: serviceEndpoint},
			[]string{serviceEndpoint},
			nil,
			c.certDuration,
		)
		if err != nil {
			return fmt.Errorf("could not issue serving certificate: %w", err)
		}

		// Write the CA's public key bundle and the serving certs to a secret.
		tlsCertChainPEM, tlsPrivateKeyPEM, err := certauthority.ToPEM(tlsCert)
		if err != nil {
			return fmt.Errorf("could not PEM encode serving certificate: %w", err)
		}

		secret.StringData[tlsPrivateKeySecretKey] = string(tlsPrivateKeyPEM)
		secret.StringData[TLSCertificateChainSecretKey] = string(tlsCertChainPEM)
	}

	_, err = c.k8sClient.CoreV1().Secrets(c.namespace).Create(ctx.Context, &secret, metav1.CreateOptions{})
	if err != nil {
		return fmt.Errorf("could not create secret: %w", err)
	}

	klog.Info("certsManagerController Sync successfully created secret")
	return nil
}