ContainerImage.Pinniped/internal/controller/apicerts/certs_manager.go

/*
Copyright 2020 VMware, Inc.
SPDX-License-Identifier: Apache-2.0
*/

package apicerts

import (
	"crypto/x509/pkix"
	"fmt"
	"time"

	corev1 "k8s.io/api/core/v1"
	k8serrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	corev1informers "k8s.io/client-go/informers/core/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/klog/v2"
	aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"

	"github.com/suzerain-io/controller-go"
	"github.com/suzerain-io/pinniped/internal/certauthority"
	pinnipedcontroller "github.com/suzerain-io/pinniped/internal/controller"
)

const (
	//nolint: gosec
	certsSecretName              = "api-serving-cert"
	caCertificateSecretKey       = "caCertificate"
	tlsPrivateKeySecretKey       = "tlsPrivateKey"
	tlsCertificateChainSecretKey = "tlsCertificateChain"
)

type certsManagerController struct {
	namespace        string
	k8sClient        kubernetes.Interface
	aggregatorClient aggregatorclient.Interface
	secretInformer   corev1informers.SecretInformer

	// certDuration is the lifetime of both the serving certificate and its CA
	// certificate that this controller will use when issuing the certificates.
	certDuration time.Duration
}

func NewCertsManagerController(
	namespace string,
	k8sClient kubernetes.Interface,
	aggregatorClient aggregatorclient.Interface,
	secretInformer corev1informers.SecretInformer,
	withInformer pinnipedcontroller.WithInformerOptionFunc,
	withInitialEvent pinnipedcontroller.WithInitialEventOptionFunc,
	certDuration time.Duration,
) controller.Controller {
	return controller.New(
		controller.Config{
			Name: "certs-manager-controller",
			Syncer: &certsManagerController{
				namespace:        namespace,
				k8sClient:        k8sClient,
				aggregatorClient: aggregatorClient,
				secretInformer:   secretInformer,
				certDuration:     certDuration,
			},
		},
		withInformer(
			secretInformer,
			pinnipedcontroller.NameAndNamespaceExactMatchFilterFactory(certsSecretName, namespace),
			controller.InformerOption{},
		),
		// Be sure to run once even if the Secret that the informer is watching doesn't exist.
		withInitialEvent(controller.Key{
			Namespace: namespace,
			Name:      certsSecretName,
		}),
	)
}

func (c *certsManagerController) Sync(ctx controller.Context) error {
	// Try to get the secret from the informer cache.
	_, err := c.secretInformer.Lister().Secrets(c.namespace).Get(certsSecretName)
	notFound := k8serrors.IsNotFound(err)
	if err != nil && !notFound {
		return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, certsSecretName, err)
	}
	if !notFound {
		// The secret already exists, so nothing to do.
		return nil
	}

	// Create a CA.
	aggregatedAPIServerCA, err := certauthority.New(pkix.Name{CommonName: "Pinniped CA"}, c.certDuration)
	if err != nil {
		return fmt.Errorf("could not initialize CA: %w", err)
	}

	// This string must match the name of the Service declared in the deployment yaml.
	const serviceName = "pinniped-api"

	// Using the CA from above, create a TLS server cert for the aggregated API server to use.
	serviceEndpoint := serviceName + "." + c.namespace + ".svc"
	aggregatedAPIServerTLSCert, err := aggregatedAPIServerCA.Issue(
		pkix.Name{CommonName: serviceEndpoint},
		[]string{serviceEndpoint},
		c.certDuration,
	)
	if err != nil {
		return fmt.Errorf("could not issue serving certificate: %w", err)
	}

	// Write the CA's public key bundle and the serving certs to a secret.
	tlsCertChainPEM, tlsPrivateKeyPEM, err := certauthority.ToPEM(aggregatedAPIServerTLSCert)
	if err != nil {
		return fmt.Errorf("could not PEM encode serving certificate: %w", err)
	}
	secret := corev1.Secret{
		TypeMeta: metav1.TypeMeta{},
		ObjectMeta: metav1.ObjectMeta{
			Name:      certsSecretName,
			Namespace: c.namespace,
		},
		StringData: map[string]string{
			caCertificateSecretKey:       string(aggregatedAPIServerCA.Bundle()),
			tlsPrivateKeySecretKey:       string(tlsPrivateKeyPEM),
			tlsCertificateChainSecretKey: string(tlsCertChainPEM),
		},
	}
	_, err = c.k8sClient.CoreV1().Secrets(c.namespace).Create(ctx.Context, &secret, metav1.CreateOptions{})
	if err != nil {
		return fmt.Errorf("could not create secret: %w", err)
	}

	// Update the APIService to give it the new CA bundle.
	if err := UpdateAPIService(ctx.Context, c.aggregatorClient, aggregatedAPIServerCA.Bundle()); err != nil {
		return fmt.Errorf("could not update the API service: %w", err)
	}

	klog.Info("certsManagerController Sync successfully created secret and updated API service")
	return nil
}
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`/*`
			`Copyright 2020 VMware, Inc.`
			`SPDX-License-Identifier: Apache-2.0`
			`*/`

			`package apicerts`

			`import (`
			`"crypto/x509/pkix"`
			`"fmt"`
			`"time"`

			`corev1 "k8s.io/api/core/v1"`
			`k8serrors "k8s.io/apimachinery/pkg/api/errors"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`corev1informers "k8s.io/client-go/informers/core/v1"`
			`"k8s.io/client-go/kubernetes"`
			`"k8s.io/klog/v2"`
			`aggregatorclient "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset"`

			`"github.com/suzerain-io/controller-go"`
Rename project 2020-08-20 17:54:15 +00:00			`"github.com/suzerain-io/pinniped/internal/certauthority"`
			`pinnipedcontroller "github.com/suzerain-io/pinniped/internal/controller"`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`)`

			`const (`
			`//nolint: gosec`
			`certsSecretName = "api-serving-cert"`
			`caCertificateSecretKey = "caCertificate"`
			`tlsPrivateKeySecretKey = "tlsPrivateKey"`
			`tlsCertificateChainSecretKey = "tlsCertificateChain"`
			`)`

			`type certsManagerController struct {`
			`namespace string`
			`k8sClient kubernetes.Interface`
Add tests for the new cert controllers and some other small refactorings - Add a unit test for each cert controller - Make DynamicTLSServingCertProvider an interface and use a mutex internally - Create a shared ToPEM function instead of having two very similar functions - Move the ObservableWithInformerOption test helper to testutils - Rename some variables and imports 2020-08-11 01:53:53 +00:00			`aggregatorClient aggregatorclient.Interface`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`secretInformer corev1informers.SecretInformer`
Use duration and renewBefore to control API cert rotation These configuration knobs are much more human-understandable than the previous percentage-based threshold flag. We now allow users to set the lifetime of the serving cert via a ConfigMap. Previously this was hardcoded to 1 year. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-20 19:17:18 +00:00
Use same lifetime for serving cert and CA cert So that operators won't look at the lifetime of the CA cert and be like, "wtf, why does the serving cert have the lifetime that I specified, but its CA cert is valid for 100 years". Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-27 19:59:47 +00:00			`// certDuration is the lifetime of both the serving certificate and its CA`
			`// certificate that this controller will use when issuing the certificates.`
Use duration and renewBefore to control API cert rotation These configuration knobs are much more human-understandable than the previous percentage-based threshold flag. We now allow users to set the lifetime of the serving cert via a ConfigMap. Previously this was hardcoded to 1 year. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-20 19:17:18 +00:00			`certDuration time.Duration`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`}`

			`func NewCertsManagerController(`
			`namespace string,`
			`k8sClient kubernetes.Interface,`
Add tests for the new cert controllers and some other small refactorings - Add a unit test for each cert controller - Make DynamicTLSServingCertProvider an interface and use a mutex internally - Create a shared ToPEM function instead of having two very similar functions - Move the ObservableWithInformerOption test helper to testutils - Rename some variables and imports 2020-08-11 01:53:53 +00:00			`aggregatorClient aggregatorclient.Interface,`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`secretInformer corev1informers.SecretInformer,`
Rename project 2020-08-20 17:54:15 +00:00			`withInformer pinnipedcontroller.WithInformerOptionFunc,`
			`withInitialEvent pinnipedcontroller.WithInitialEventOptionFunc,`
Use duration and renewBefore to control API cert rotation These configuration knobs are much more human-understandable than the previous percentage-based threshold flag. We now allow users to set the lifetime of the serving cert via a ConfigMap. Previously this was hardcoded to 1 year. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-20 19:17:18 +00:00			`certDuration time.Duration,`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`) controller.Controller {`
			`return controller.New(`
			`controller.Config{`
			`Name: "certs-manager-controller",`
			`Syncer: &certsManagerController{`
			`namespace: namespace,`
			`k8sClient: k8sClient,`
Add tests for the new cert controllers and some other small refactorings - Add a unit test for each cert controller - Make DynamicTLSServingCertProvider an interface and use a mutex internally - Create a shared ToPEM function instead of having two very similar functions - Move the ObservableWithInformerOption test helper to testutils - Rename some variables and imports 2020-08-11 01:53:53 +00:00			`aggregatorClient: aggregatorClient,`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`secretInformer: secretInformer,`
Use duration and renewBefore to control API cert rotation These configuration knobs are much more human-understandable than the previous percentage-based threshold flag. We now allow users to set the lifetime of the serving cert via a ConfigMap. Previously this was hardcoded to 1 year. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-20 19:17:18 +00:00			`certDuration: certDuration,`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`},`
			`},`
			`withInformer(`
			`secretInformer,`
Rename project 2020-08-20 17:54:15 +00:00			`pinnipedcontroller.NameAndNamespaceExactMatchFilterFactory(certsSecretName, namespace),`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`controller.InformerOption{},`
			`),`
			`// Be sure to run once even if the Secret that the informer is watching doesn't exist.`
Add integration and more unit tests - Add integration test for serving cert auto-generation and rotation - Add unit test for `WithInitialEvent` of the cert manager controller - Move UpdateAPIService() into the `apicerts` package, since that is the only user of the function. 2020-08-11 17:14:57 +00:00			`withInitialEvent(controller.Key{`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`Namespace: namespace,`
			`Name: certsSecretName,`
			`}),`
			`)`
			`}`

			`func (c *certsManagerController) Sync(ctx controller.Context) error {`
			`// Try to get the secret from the informer cache.`
			`_, err := c.secretInformer.Lister().Secrets(c.namespace).Get(certsSecretName)`
			`notFound := k8serrors.IsNotFound(err)`
			`if err != nil && !notFound {`
			`return fmt.Errorf("failed to get %s/%s secret: %w", c.namespace, certsSecretName, err)`
			`}`
			`if !notFound {`
			`// The secret already exists, so nothing to do.`
			`return nil`
			`}`

			`// Create a CA.`
Use same lifetime for serving cert and CA cert So that operators won't look at the lifetime of the CA cert and be like, "wtf, why does the serving cert have the lifetime that I specified, but its CA cert is valid for 100 years". Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-27 19:59:47 +00:00			`aggregatedAPIServerCA, err := certauthority.New(pkix.Name{CommonName: "Pinniped CA"}, c.certDuration)`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`if err != nil {`
			`return fmt.Errorf("could not initialize CA: %w", err)`
			`}`

			`// This string must match the name of the Service declared in the deployment yaml.`
Rename project 2020-08-20 17:54:15 +00:00			`const serviceName = "pinniped-api"`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00
			`// Using the CA from above, create a TLS server cert for the aggregated API server to use.`
Make sure we have an explicit DNS SAN on our API serving certificate. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-08-12 16:01:06 +00:00			`serviceEndpoint := serviceName + "." + c.namespace + ".svc"`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`aggregatedAPIServerTLSCert, err := aggregatedAPIServerCA.Issue(`
Make sure we have an explicit DNS SAN on our API serving certificate. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-08-12 16:01:06 +00:00			`pkix.Name{CommonName: serviceEndpoint},`
			`[]string{serviceEndpoint},`
Use duration and renewBefore to control API cert rotation These configuration knobs are much more human-understandable than the previous percentage-based threshold flag. We now allow users to set the lifetime of the serving cert via a ConfigMap. Previously this was hardcoded to 1 year. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-08-20 19:17:18 +00:00			`c.certDuration,`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`)`
			`if err != nil {`
			`return fmt.Errorf("could not issue serving certificate: %w", err)`
			`}`

			`// Write the CA's public key bundle and the serving certs to a secret.`
Fix a mistake from the previous commit - Got the order of multiple return values backwards, which was caught by the integration tests 2020-08-11 02:34:45 +00:00			`tlsCertChainPEM, tlsPrivateKeyPEM, err := certauthority.ToPEM(aggregatedAPIServerTLSCert)`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`if err != nil {`
			`return fmt.Errorf("could not PEM encode serving certificate: %w", err)`
			`}`
			`secret := corev1.Secret{`
			`TypeMeta: metav1.TypeMeta{},`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: certsSecretName,`
			`Namespace: c.namespace,`
			`},`
			`StringData: map[string]string{`
			`caCertificateSecretKey: string(aggregatedAPIServerCA.Bundle()),`
			`tlsPrivateKeySecretKey: string(tlsPrivateKeyPEM),`
			`tlsCertificateChainSecretKey: string(tlsCertChainPEM),`
			`},`
			`}`
			`_, err = c.k8sClient.CoreV1().Secrets(c.namespace).Create(ctx.Context, &secret, metav1.CreateOptions{})`
			`if err != nil {`
			`return fmt.Errorf("could not create secret: %w", err)`
			`}`

			`// Update the APIService to give it the new CA bundle.`
Add integration and more unit tests - Add integration test for serving cert auto-generation and rotation - Add unit test for `WithInitialEvent` of the cert manager controller - Move UpdateAPIService() into the `apicerts` package, since that is the only user of the function. 2020-08-11 17:14:57 +00:00			`if err := UpdateAPIService(ctx.Context, c.aggregatorClient, aggregatedAPIServerCA.Bundle()); err != nil {`
First draft of moving API server TLS cert generation to controllers - Refactors the existing cert generation code into controllers which read and write a Secret containing the certs - Does not add any new functionality yet, e.g. no new handling for cert expiration, and no leader election to allow for multiple servers running simultaneously - This commit also doesn't add new tests for the cert generation code, but it should be more unit testable now as controllers 2020-08-09 17:04:05 +00:00			`return fmt.Errorf("could not update the API service: %w", err)`
			`}`

			`klog.Info("certsManagerController Sync successfully created secret and updated API service")`
			`return nil`
			`}`