ContainerImage.Pinniped/internal/controller/supervisorconfig/tls_cert_observer.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package supervisorconfig

import (
	"crypto/tls"
	"fmt"
	"net/url"
	"strings"

	"k8s.io/apimachinery/pkg/labels"
	corev1informers "k8s.io/client-go/informers/core/v1"
	"k8s.io/klog/v2"

	"go.pinniped.dev/generated/1.19/client/informers/externalversions/config/v1alpha1"
	pinnipedcontroller "go.pinniped.dev/internal/controller"
	"go.pinniped.dev/internal/controllerlib"
)

type tlsCertObserverController struct {
	issuerHostToTLSCertMapSetter IssuerHostToTLSCertMapSetter
	oidcProviderConfigInformer   v1alpha1.OIDCProviderConfigInformer
	secretInformer               corev1informers.SecretInformer
}

type IssuerHostToTLSCertMapSetter interface {
	SetIssuerHostToTLSCertMap(issuerHostToTLSCertMap map[string]*tls.Certificate)
}

func NewTLSCertObserverController(
	issuerHostToTLSCertMapSetter IssuerHostToTLSCertMapSetter,
	secretInformer corev1informers.SecretInformer,
	oidcProviderConfigInformer v1alpha1.OIDCProviderConfigInformer,
	withInformer pinnipedcontroller.WithInformerOptionFunc,
) controllerlib.Controller {
	return controllerlib.New(
		controllerlib.Config{
			Name: "tls-certs-observer-controller",
			Syncer: &tlsCertObserverController{
				issuerHostToTLSCertMapSetter: issuerHostToTLSCertMapSetter,
				oidcProviderConfigInformer:   oidcProviderConfigInformer,
				secretInformer:               secretInformer,
			},
		},
		withInformer(
			secretInformer,
			pinnipedcontroller.MatchAnythingFilter(),
			controllerlib.InformerOption{},
		),
		withInformer(
			oidcProviderConfigInformer,
			pinnipedcontroller.MatchAnythingFilter(),
			controllerlib.InformerOption{},
		),
	)
}

func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {
	ns := ctx.Key.Namespace
	allProviders, err := c.oidcProviderConfigInformer.Lister().OIDCProviderConfigs(ns).List(labels.Everything())
	if err != nil {
		return fmt.Errorf("failed to list OIDCProviderConfigs: %w", err)
	}

	// Rebuild the whole map on any change to any Secret or OIDCProvider, because either can have changes that
	// can cause the map to need to be updated.
	issuerHostToTLSCertMap := map[string]*tls.Certificate{}

	for _, provider := range allProviders {
		secretName := provider.Spec.SecretName
		issuerURL, err := url.Parse(provider.Spec.Issuer)
		if err != nil {
			klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)
			continue
		}
		tlsSecret, err := c.secretInformer.Lister().Secrets(ns).Get(secretName)
		if err != nil {
			klog.InfoS("tlsCertObserverController Sync could not find TLS cert secret", "namespace", ns, "secretName", secretName)
			continue
		}
		certFromSecret, err := tls.X509KeyPair(tlsSecret.Data["tls.crt"], tlsSecret.Data["tls.key"])
		if err != nil {
			klog.InfoS("tlsCertObserverController Sync found a TLS secret with Data in an unexpected format", "namespace", ns, "secretName", secretName)
			continue
		}
		// Lowercase the host part of the URL because hostnames should be treated as case-insensitive.
		issuerHostToTLSCertMap[lowercaseHostWithoutPort(issuerURL)] = &certFromSecret
	}

	klog.InfoS("tlsCertObserverController Sync updated the TLS cert cache", "issuerHostCount", len(issuerHostToTLSCertMap))
	c.issuerHostToTLSCertMapSetter.SetIssuerHostToTLSCertMap(issuerHostToTLSCertMap)

	return nil
}

func lowercaseHostWithoutPort(issuerURL *url.URL) string {
	lowercaseHost := strings.ToLower(issuerURL.Host)
	colonSegments := strings.Split(lowercaseHost, ":")
	return colonSegments[0]
}
Supervisor listens for HTTPS on port 443 with configurable TLS certs - TLS certificates can be configured on the OIDCProviderConfig using the `secretName` field. - When listening for incoming TLS connections, choose the TLS cert based on the SNI hostname of the incoming request. - Because SNI hostname information on incoming requests does not include the port number of the request, we add a validation that OIDCProviderConfigs where the issuer hostnames (not including port number) are the same must use the same `secretName`. - Note that this approach does not yet support requests made to an IP address instead of a hostname. Also note that `localhost` is considered a hostname by SNI. - Add port 443 as a container port to the pod spec. - A new controller watches for TLS secrets and caches them in memory. That same in-memory cache is used while servicing incoming connections on the TLS port. - Make it easy to configure both port 443 and/or port 80 for various Service types using our ytt templates for the supervisor. - When deploying to kind, add another nodeport and forward it to the host on another port to expose our new HTTPS supervisor port to the host. 2020-10-27 00:03:26 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package supervisorconfig`

			`import (`
			`"crypto/tls"`
			`"fmt"`
			`"net/url"`
			`"strings"`

			`"k8s.io/apimachinery/pkg/labels"`
			`corev1informers "k8s.io/client-go/informers/core/v1"`
			`"k8s.io/klog/v2"`

			`"go.pinniped.dev/generated/1.19/client/informers/externalversions/config/v1alpha1"`
			`pinnipedcontroller "go.pinniped.dev/internal/controller"`
			`"go.pinniped.dev/internal/controllerlib"`
			`)`

			`type tlsCertObserverController struct {`
			`issuerHostToTLSCertMapSetter IssuerHostToTLSCertMapSetter`
			`oidcProviderConfigInformer v1alpha1.OIDCProviderConfigInformer`
			`secretInformer corev1informers.SecretInformer`
			`}`

			`type IssuerHostToTLSCertMapSetter interface {`
			`SetIssuerHostToTLSCertMap(issuerHostToTLSCertMap map[string]*tls.Certificate)`
			`}`

			`func NewTLSCertObserverController(`
			`issuerHostToTLSCertMapSetter IssuerHostToTLSCertMapSetter,`
			`secretInformer corev1informers.SecretInformer,`
			`oidcProviderConfigInformer v1alpha1.OIDCProviderConfigInformer,`
			`withInformer pinnipedcontroller.WithInformerOptionFunc,`
			`) controllerlib.Controller {`
			`return controllerlib.New(`
			`controllerlib.Config{`
			`Name: "tls-certs-observer-controller",`
			`Syncer: &tlsCertObserverController{`
			`issuerHostToTLSCertMapSetter: issuerHostToTLSCertMapSetter,`
			`oidcProviderConfigInformer: oidcProviderConfigInformer,`
			`secretInformer: secretInformer,`
			`},`
			`},`
			`withInformer(`
			`secretInformer,`
			`pinnipedcontroller.MatchAnythingFilter(),`
			`controllerlib.InformerOption{},`
			`),`
			`withInformer(`
			`oidcProviderConfigInformer,`
			`pinnipedcontroller.MatchAnythingFilter(),`
			`controllerlib.InformerOption{},`
			`),`
			`)`
			`}`

			`func (c *tlsCertObserverController) Sync(ctx controllerlib.Context) error {`
			`ns := ctx.Key.Namespace`
			`allProviders, err := c.oidcProviderConfigInformer.Lister().OIDCProviderConfigs(ns).List(labels.Everything())`
			`if err != nil {`
			`return fmt.Errorf("failed to list OIDCProviderConfigs: %w", err)`
			`}`

			`// Rebuild the whole map on any change to any Secret or OIDCProvider, because either can have changes that`
			`// can cause the map to need to be updated.`
			`issuerHostToTLSCertMap := map[string]*tls.Certificate{}`

			`for _, provider := range allProviders {`
			`secretName := provider.Spec.SecretName`
			`issuerURL, err := url.Parse(provider.Spec.Issuer)`
			`if err != nil {`
			`klog.InfoS("tlsCertObserverController Sync found an invalid issuer URL", "namespace", ns, "issuer", provider.Spec.Issuer)`
			`continue`
			`}`
			`tlsSecret, err := c.secretInformer.Lister().Secrets(ns).Get(secretName)`
			`if err != nil {`
			`klog.InfoS("tlsCertObserverController Sync could not find TLS cert secret", "namespace", ns, "secretName", secretName)`
			`continue`
			`}`
			`certFromSecret, err := tls.X509KeyPair(tlsSecret.Data["tls.crt"], tlsSecret.Data["tls.key"])`
			`if err != nil {`
			`klog.InfoS("tlsCertObserverController Sync found a TLS secret with Data in an unexpected format", "namespace", ns, "secretName", secretName)`
			`continue`
			`}`
			`// Lowercase the host part of the URL because hostnames should be treated as case-insensitive.`
			`issuerHostToTLSCertMap[lowercaseHostWithoutPort(issuerURL)] = &certFromSecret`
			`}`

			`klog.InfoS("tlsCertObserverController Sync updated the TLS cert cache", "issuerHostCount", len(issuerHostToTLSCertMap))`
			`c.issuerHostToTLSCertMapSetter.SetIssuerHostToTLSCertMap(issuerHostToTLSCertMap)`

			`return nil`
			`}`

			`func lowercaseHostWithoutPort(issuerURL *url.URL) string {`
			`lowercaseHost := strings.ToLower(issuerURL.Host)`
			`colonSegments := strings.Split(lowercaseHost, ":")`
			`return colonSegments[0]`
			`}`