github.imxd.top/operator-framework/operator-sdk@v0.8.2/pkg/tls/tls.go (about)

     1  // Copyright 2018 The Operator-SDK Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package tlsutil
    16  
    17  import (
    18  	"crypto/rsa"
    19  	"crypto/x509"
    20  	"errors"
    21  	"fmt"
    22  	"io/ioutil"
    23  	"strings"
    24  
    25  	"k8s.io/api/core/v1"
    26  	apiErrors "k8s.io/apimachinery/pkg/api/errors"
    27  	"k8s.io/apimachinery/pkg/api/meta"
    28  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    29  	"k8s.io/apimachinery/pkg/runtime"
    30  	"k8s.io/client-go/kubernetes"
    31  )
    32  
    33  // CertType defines the type of the cert.
    34  type CertType int
    35  
    36  const (
    37  	// ClientAndServingCert defines both client and serving cert.
    38  	ClientAndServingCert CertType = iota
    39  	// ServingCert defines a serving cert.
    40  	ServingCert
    41  	// ClientCert defines a client cert.
    42  	ClientCert
    43  )
    44  
    45  // CertConfig configures how to generate the Cert.
    46  type CertConfig struct {
    47  	// CertName is the name of the cert.
    48  	CertName string
    49  	// Optional CertType. Serving, client or both; defaults to both.
    50  	CertType CertType
    51  	// Optional CommonName is the common name of the cert; defaults to "".
    52  	CommonName string
    53  	// Optional Organization is Organization of the cert; defaults to "".
    54  	Organization []string
    55  	// Optional CA Key, if user wants to provide custom CA key via a file path.
    56  	CAKey string
    57  	// Optional CA Certificate, if user wants to provide custom CA cert via file path.
    58  	CACert string
    59  	// TODO: consider to add passed in SAN fields.
    60  }
    61  
    62  // CertGenerator is an operator specific TLS tool that generates TLS assets for the deploying a user's application.
    63  type CertGenerator interface {
    64  	// GenerateCert generates a secret containing TLS encryption key and cert, a Secret
    65  	// containing the CA key, and a ConfigMap containing the CA Certificate given the Custom
    66  	// Resource(CR) "cr", the Kubernetes Service "Service", and the CertConfig "config".
    67  	//
    68  	// GenerateCert creates and manages TLS key and cert and CA with the following:
    69  	// CA creation and management:
    70  	// - If CA is not given:
    71  	//  - A unique CA is generated for the CR.
    72  	//  - CA's key is packaged into a Secret as shown below.
    73  	//  - CA's cert is packaged in a ConfigMap as shown below.
    74  	//  - The CA Secret and ConfigMap are created on the k8s cluster in the CR's namespace before
    75  	//    returned to the user. The CertGenerator manages the CA Secret and ConfigMap to ensure it's
    76  	//    unqiue per CR.
    77  	// - If CA is given:
    78  	//  - CA's key is packaged into a Secret as shown below.
    79  	//  - CA's cert is packaged in a ConfigMap as shown below.
    80  	//  - The CA Secret and ConfigMap are returned but not created in the K8s cluster in the CR's
    81  	//    namespace. The CertGenerator doesn't manage the CA because the user controls the lifecycle
    82  	//    of the CA.
    83  	//
    84  	// TLS Key and Cert Creation and Management:
    85  	// - A unique TLS cert and key pair is generated per CR + CertConfig.CertName.
    86  	// - The CA is used to generate and sign the TLS cert.
    87  	// - The signing process uses the passed in "service" to set the Subject Alternative Names(SAN)
    88  	//   for the certificate. We assume that the deployed applications are typically communicated
    89  	//   with via a Kubernetes Service. The SAN is set to the FQDN of the service
    90  	//   `<service-name>.<service-namespace>.svc.cluster.local`.
    91  	// - Once TLS key and cert are created, they are packaged into a secret as shown below.
    92  	// - Finally, the secret are created on the k8s cluster in the CR's namespace before returned to
    93  	//   the user. The CertGenerator manages this secret to ensure that it is unique per CR +
    94  	//   CertConfig.CertName.
    95  	//
    96  	// TLS encryption key and cert Secret format:
    97  	// kind: Secret
    98  	// apiVersion: v1
    99  	// metadata:
   100  	//  name: <cr-kind>-<cr-name>-<CertConfig.CertName>
   101  	//  namespace: <cr-namespace>
   102  	// data:
   103  	//  tls.crt: ...
   104  	//  tls.key: ...
   105  	//
   106  	// CA Certificate ConfigMap format:
   107  	// kind: ConfigMap
   108  	//   apiVersion: v1
   109  	//   metadata:
   110  	//     name: <cr-kind>-<cr-name>-ca
   111  	//     namespace: <cr-namespace>
   112  	//   data:
   113  	//     ca.crt: ...
   114  	//
   115  	// CA Key Secret format:
   116  	//  kind: Secret
   117  	//  apiVersion: v1
   118  	//  metadata:
   119  	//   name: <cr-kind>-<cr-name>-ca
   120  	//   namespace: <cr-namespace>
   121  	//  data:
   122  	//   ca.key: ..
   123  	GenerateCert(cr runtime.Object, service *v1.Service, config *CertConfig) (*v1.Secret, *v1.ConfigMap, *v1.Secret, error)
   124  }
   125  
   126  const (
   127  	// TLSPrivateCAKeyKey is the key for the private CA key field.
   128  	TLSPrivateCAKeyKey = "ca.key"
   129  	// TLSCertKey is the key for tls CA certificates.
   130  	TLSCACertKey = "ca.crt"
   131  )
   132  
   133  // NewSDKCertGenerator constructs a new CertGenerator given the kubeClient.
   134  func NewSDKCertGenerator(kubeClient kubernetes.Interface) CertGenerator {
   135  	return &SDKCertGenerator{KubeClient: kubeClient}
   136  }
   137  
   138  type SDKCertGenerator struct {
   139  	KubeClient kubernetes.Interface
   140  }
   141  
   142  // GenerateCert returns a secret containing the TLS encryption key and cert,
   143  // a ConfigMap containing the CA Certificate and a Secret containing the CA key or it
   144  // returns a error incase something goes wrong.
   145  func (scg *SDKCertGenerator) GenerateCert(cr runtime.Object, service *v1.Service, config *CertConfig) (*v1.Secret, *v1.ConfigMap, *v1.Secret, error) {
   146  	if err := verifyConfig(config); err != nil {
   147  		return nil, nil, nil, err
   148  	}
   149  
   150  	k, n, ns, err := toKindNameNamespace(cr)
   151  	if err != nil {
   152  		return nil, nil, nil, err
   153  	}
   154  	appSecretName := ToAppSecretName(k, n, config.CertName)
   155  	appSecret, err := getAppSecretInCluster(scg.KubeClient, appSecretName, ns)
   156  	if err != nil {
   157  		return nil, nil, nil, err
   158  	}
   159  	caSecretAndConfigMapName := ToCASecretAndConfigMapName(k, n)
   160  
   161  	var (
   162  		caSecret    *v1.Secret
   163  		caConfigMap *v1.ConfigMap
   164  	)
   165  
   166  	caSecret, caConfigMap, err = getCASecretAndConfigMapInCluster(scg.KubeClient, caSecretAndConfigMapName, ns)
   167  	if err != nil {
   168  		return nil, nil, nil, err
   169  	}
   170  
   171  	if config.CAKey != "" && config.CACert != "" {
   172  		// custom CA provided by the user.
   173  		customCAKeyData, err := ioutil.ReadFile(config.CAKey)
   174  		if err != nil {
   175  			return nil, nil, nil, fmt.Errorf("error reading CA Key from the given file name: %v", err)
   176  		}
   177  
   178  		customCACertData, err := ioutil.ReadFile(config.CACert)
   179  		if err != nil {
   180  			return nil, nil, nil, fmt.Errorf("error reading CA Cert from the given file name: %v", err)
   181  		}
   182  
   183  		customCAKey, err := parsePEMEncodedPrivateKey(customCAKeyData)
   184  		if err != nil {
   185  			return nil, nil, nil, fmt.Errorf("error parsing CA Key from the given file name: %v", err)
   186  		}
   187  
   188  		customCACert, err := parsePEMEncodedCert(customCACertData)
   189  		if err != nil {
   190  			return nil, nil, nil, fmt.Errorf("error parsing CA Cert from the given file name: %v", err)
   191  		}
   192  		caSecret, caConfigMap = toCASecretAndConfigmap(customCAKey, customCACert, caSecretAndConfigMapName)
   193  	} else if config.CAKey != "" || config.CACert != "" {
   194  		// if only one of the custom CA Key or Cert is provided
   195  		return nil, nil, nil, ErrCAKeyAndCACertReq
   196  	}
   197  
   198  	hasAppSecret := appSecret != nil
   199  	hasCASecretAndConfigMap := caSecret != nil && caConfigMap != nil
   200  
   201  	switch {
   202  	case hasAppSecret && hasCASecretAndConfigMap:
   203  		return appSecret, caConfigMap, caSecret, nil
   204  
   205  	case hasAppSecret && !hasCASecretAndConfigMap:
   206  		return nil, nil, nil, ErrCANotFound
   207  
   208  	case !hasAppSecret && hasCASecretAndConfigMap:
   209  		// Note: if a custom CA is passed in my the user it takes preference over an already
   210  		// generated CA secret and CA configmap that might exist in the cluster
   211  		caKey, err := parsePEMEncodedPrivateKey(caSecret.Data[TLSPrivateCAKeyKey])
   212  		if err != nil {
   213  			return nil, nil, nil, err
   214  		}
   215  		caCert, err := parsePEMEncodedCert([]byte(caConfigMap.Data[TLSCACertKey]))
   216  		if err != nil {
   217  			return nil, nil, nil, err
   218  		}
   219  		key, err := newPrivateKey()
   220  		if err != nil {
   221  			return nil, nil, nil, err
   222  		}
   223  		cert, err := newSignedCertificate(config, service, key, caCert, caKey)
   224  		if err != nil {
   225  			return nil, nil, nil, err
   226  		}
   227  		appSecret, err := scg.KubeClient.CoreV1().Secrets(ns).Create(toTLSSecret(key, cert, appSecretName))
   228  		if err != nil {
   229  			return nil, nil, nil, err
   230  		}
   231  		return appSecret, caConfigMap, caSecret, nil
   232  
   233  	case !hasAppSecret && !hasCASecretAndConfigMap:
   234  		// If no custom CAKey and CACert are provided we have to generate them
   235  		caKey, err := newPrivateKey()
   236  		if err != nil {
   237  			return nil, nil, nil, err
   238  		}
   239  		caCert, err := newSelfSignedCACertificate(caKey)
   240  		if err != nil {
   241  			return nil, nil, nil, err
   242  		}
   243  
   244  		caSecret, caConfigMap := toCASecretAndConfigmap(caKey, caCert, caSecretAndConfigMapName)
   245  		caSecret, err = scg.KubeClient.CoreV1().Secrets(ns).Create(caSecret)
   246  		if err != nil {
   247  			return nil, nil, nil, err
   248  		}
   249  		caConfigMap, err = scg.KubeClient.CoreV1().ConfigMaps(ns).Create(caConfigMap)
   250  		if err != nil {
   251  			return nil, nil, nil, err
   252  		}
   253  		key, err := newPrivateKey()
   254  		if err != nil {
   255  			return nil, nil, nil, err
   256  		}
   257  		cert, err := newSignedCertificate(config, service, key, caCert, caKey)
   258  		if err != nil {
   259  			return nil, nil, nil, err
   260  		}
   261  		appSecret, err := scg.KubeClient.CoreV1().Secrets(ns).Create(toTLSSecret(key, cert, appSecretName))
   262  		if err != nil {
   263  			return nil, nil, nil, err
   264  		}
   265  		return appSecret, caConfigMap, caSecret, nil
   266  	default:
   267  		return nil, nil, nil, ErrInternal
   268  	}
   269  }
   270  
   271  func verifyConfig(config *CertConfig) error {
   272  	if config == nil {
   273  		return errors.New("nil CertConfig not allowed")
   274  	}
   275  	if config.CertName == "" {
   276  		return errors.New("empty CertConfig.CertName not allowed")
   277  	}
   278  	return nil
   279  }
   280  
   281  func ToAppSecretName(kind, name, certName string) string {
   282  	return strings.ToLower(kind) + "-" + name + "-" + certName
   283  }
   284  
   285  func ToCASecretAndConfigMapName(kind, name string) string {
   286  	return strings.ToLower(kind) + "-" + name + "-ca"
   287  }
   288  
   289  func getAppSecretInCluster(kubeClient kubernetes.Interface, name, namespace string) (*v1.Secret, error) {
   290  	se, err := kubeClient.CoreV1().Secrets(namespace).Get(name, metav1.GetOptions{})
   291  	if err != nil && !apiErrors.IsNotFound(err) {
   292  		return nil, err
   293  	}
   294  	if apiErrors.IsNotFound(err) {
   295  		return nil, nil
   296  	}
   297  	return se, nil
   298  }
   299  
   300  // getCASecretAndConfigMapInCluster gets CA secret and configmap of the given name and namespace.
   301  // it only returns both if they are found and nil if both are not found. In the case if only one of them is found,
   302  // then we error out because we expect either both CA secret and configmap exit or not.
   303  //
   304  // NOTE: both the CA secret and configmap have the same name with template `<cr-kind>-<cr-name>-ca` which is what the
   305  // input parameter `name` refers to.
   306  func getCASecretAndConfigMapInCluster(kubeClient kubernetes.Interface, name, namespace string) (*v1.Secret, *v1.ConfigMap, error) {
   307  	hasConfigMap := true
   308  	cm, err := kubeClient.CoreV1().ConfigMaps(namespace).Get(name, metav1.GetOptions{})
   309  	if err != nil && !apiErrors.IsNotFound(err) {
   310  		return nil, nil, err
   311  	}
   312  	if apiErrors.IsNotFound(err) {
   313  		hasConfigMap = false
   314  	}
   315  
   316  	hasSecret := true
   317  	se, err := kubeClient.CoreV1().Secrets(namespace).Get(name, metav1.GetOptions{})
   318  	if err != nil && !apiErrors.IsNotFound(err) {
   319  		return nil, nil, err
   320  	}
   321  	if apiErrors.IsNotFound(err) {
   322  		hasSecret = false
   323  	}
   324  
   325  	if hasConfigMap != hasSecret {
   326  		// TODO: this case can happen if creating CA configmap succeeds and creating CA secret failed. We need to handle this case properly.
   327  		return nil, nil, fmt.Errorf("expect either both ca configmap and secret both exist or not exist, but got hasCAConfigmap==%v and hasCASecret==%v", hasConfigMap, hasSecret)
   328  	}
   329  	if hasConfigMap == false {
   330  		return nil, nil, nil
   331  	}
   332  	return se, cm, nil
   333  }
   334  
   335  func toKindNameNamespace(cr runtime.Object) (string, string, string, error) {
   336  	a := meta.NewAccessor()
   337  	k, err := a.Kind(cr)
   338  	if err != nil {
   339  		return "", "", "", err
   340  	}
   341  	n, err := a.Name(cr)
   342  	if err != nil {
   343  		return "", "", "", err
   344  	}
   345  	ns, err := a.Namespace(cr)
   346  	if err != nil {
   347  		return "", "", "", err
   348  	}
   349  	return k, n, ns, nil
   350  }
   351  
   352  // toTLSSecret returns a client/server "kubernetes.io/tls" secret.
   353  // TODO: add owner ref.
   354  func toTLSSecret(key *rsa.PrivateKey, cert *x509.Certificate, name string) *v1.Secret {
   355  	return &v1.Secret{
   356  		ObjectMeta: metav1.ObjectMeta{
   357  			Name: name,
   358  		},
   359  		Data: map[string][]byte{
   360  			v1.TLSPrivateKeyKey: encodePrivateKeyPEM(key),
   361  			v1.TLSCertKey:       encodeCertificatePEM(cert),
   362  		},
   363  		Type: v1.SecretTypeTLS,
   364  	}
   365  }
   366  
   367  // TODO: add owner ref.
   368  func toCASecretAndConfigmap(key *rsa.PrivateKey, cert *x509.Certificate, name string) (*v1.Secret, *v1.ConfigMap) {
   369  	return &v1.Secret{
   370  			ObjectMeta: metav1.ObjectMeta{
   371  				Name: name,
   372  			},
   373  			Data: map[string][]byte{
   374  				TLSPrivateCAKeyKey: encodePrivateKeyPEM(key),
   375  			},
   376  		}, &v1.ConfigMap{
   377  			ObjectMeta: metav1.ObjectMeta{
   378  				Name: name,
   379  			},
   380  			Data: map[string]string{
   381  				TLSCACertKey: string(encodeCertificatePEM(cert)),
   382  			},
   383  		}
   384  }