pkg/tlsutil: implement the case ca and key are in cache

fanminshi · fanminshi · commit e5235b179a7f · 2018-08-20T16:22:30.000-07:00
diff --git a/pkg/tlsutil/tls.go b/pkg/tlsutil/tls.go
@@ -15,7 +15,15 @@
 package tlsutil
 
 import (
+	"crypto/rsa"
+	"crypto/x509"
+	"errors"
+	"strings"
+	"sync"
+
 	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -111,3 +119,135 @@ type CertGenerator interface {
 	//   ca.key: ..
 	GenerateCert(cr runtime.Object, service *v1.Service, config *CertConfig) (*v1.Secret, *v1.ConfigMap, *v1.Secret, error)
 }
+
+const (
+	// TLSPrivateCAKeyKey is the key for the private CA key field.
+	TLSPrivateCAKeyKey = "ca.key"
+	// TLSCertKey is the key for tls CA certificates.
+	TLSCACertKey = "ca.crt"
+)
+
+type SDKCertGenerator struct {
+	// appKeyAndCertMap holds the application key and cert for a given cr + config.CertName.
+	appKeyAndCertMap sync.Map
+	// caKeyAndCertMap holds the CA key and cert for a given cr.
+	caKeyAndCertMap sync.Map
+}
+
+type keyAndCert struct {
+	key  *rsa.PrivateKey
+	cert *x509.Certificate
+}
+
+func (scg *SDKCertGenerator) GenerateCert(cr runtime.Object, service *v1.Service, config *CertConfig) (*v1.Secret, *v1.ConfigMap, *v1.Secret, error) {
+	if err := verifyConfig(config); err != nil {
+		return nil, nil, nil, err
+	}
+
+	n, k, ns, err := toKindNameNamespace(cr)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	asn := toAppSecretName(k, n, config.CertName)
+	cascn := toCASecretAndConfigMapName(k, n)
+	appkcv, hasAppKeyAndCert := scg.appKeyAndCertMap.Load(asn + "-" + ns)
+	cakcv, hasCAKeyAndCert := scg.caKeyAndCertMap.Load(cascn + "-" + ns)
+	// TODO: handle passed in CA
+	if hasAppKeyAndCert && hasCAKeyAndCert {
+		s := toTLSSecret(appkcv.(*keyAndCert), asn, ns)
+		cacm, cas := toCASecretAndConfigmap(cakcv.(*keyAndCert), cascn, ns)
+		return s, cacm, cas, nil
+	} else if hasAppKeyAndCert && !hasCAKeyAndCert {
+		// TODO
+	} else if !hasAppKeyAndCert && hasCAKeyAndCert {
+		// TODO
+	} else {
+		// TODO
+	}
+	return nil, nil, nil, nil
+}
+
+func verifyConfig(config *CertConfig) error {
+	if config == nil {
+		return errors.New("nil CertConfig not allowed")
+	}
+	if config.CertName == "" {
+		return errors.New("empty CertConfig.CertName not allowed")
+	}
+	return nil
+}
+
+func toAppSecretName(kind, name, certName string) string {
+	return strings.ToLower(kind) + "-" + name + "-" + certName
+}
+
+func toCASecretAndConfigMapName(kind, name string) string {
+	return strings.ToLower(kind) + "-" + name + "-ca"
+}
+
+func toKindNameNamespace(cr runtime.Object) (string, string, string, error) {
+	a := meta.NewAccessor()
+	k, err := a.Kind(cr)
+	if err != nil {
+		return "", "", "", err
+	}
+	n, err := a.Name(cr)
+	if err != nil {
+		return "", "", "", err
+	}
+	ns, err := a.Namespace(cr)
+	if err != nil {
+		return "", "", "", err
+	}
+	return k, n, ns, nil
+}
+
+// toTLSSecret returns a client/server "kubernetes.io/tls" secret.
+// TODO: add owner ref.
+func toTLSSecret(kc *keyAndCert, name, namespace string) *v1.Secret {
+	return &v1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Secret",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+		},
+		Data: map[string][]byte{
+			v1.TLSPrivateKeyKey: encodePrivateKeyPEM(kc.key),
+			v1.TLSCertKey:       encodeCertificatePEM(kc.cert),
+		},
+		Type: v1.SecretTypeTLS,
+	}
+}
+
+// TODO: add owner ref.
+func toCASecretAndConfigmap(cakc *keyAndCert, name, namespace string) (*v1.ConfigMap, *v1.Secret) {
+	return &v1.ConfigMap{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "ConfigMap",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Data: map[string]string{
+				TLSCACertKey: string(encodeCertificatePEM(cakc.cert)),
+			},
+		}, &v1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Secret",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      name,
+				Namespace: namespace,
+			},
+			Data: map[string][]byte{
+				TLSPrivateCAKeyKey: encodePrivateKeyPEM(cakc.key),
+			},
+		}
+}
