kyverno/client/certificates.go

package client

import (
	"errors"
	"fmt"
	"time"

	tls "github.com/nirmata/kyverno/pkg/tls"
	certificates "k8s.io/api/certificates/v1beta1"
	v1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Issues TLS certificate for webhook server using given PEM private key
// Returns signed and approved TLS certificate in PEM format
func (c *Client) GenerateTlsPemPair(props tls.TlsCertificateProps) (*tls.TlsPemPair, error) {
	privateKey, err := tls.TlsGeneratePrivateKey()
	if err != nil {
		return nil, err
	}

	certRequest, err := tls.TlsCertificateGenerateRequest(privateKey, props)
	if err != nil {
		return nil, errors.New(fmt.Sprintf("Unable to create certificate request: %v", err))
	}

	certRequest, err = c.submitAndApproveCertificateRequest(certRequest)
	if err != nil {
		return nil, errors.New(fmt.Sprintf("Unable to submit and approve certificate request: %v", err))
	}

	tlsCert, err := c.fetchCertificateFromRequest(certRequest, 10)
	if err != nil {
		return nil, errors.New(fmt.Sprintf("Unable to fetch certificate from request: %v", err))
	}

	return &tls.TlsPemPair{
		Certificate: tlsCert,
		PrivateKey:  tls.TlsPrivateKeyToPem(privateKey),
	}, nil
}

// Submits and approves certificate request, returns request which need to be fetched
func (c *Client) submitAndApproveCertificateRequest(req *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) {
	certClient, err := c.GetCSRInterface()
	if err != nil {
		return nil, err
	}
	csrList, err := c.ListResource(CSR, "")
	if err != nil {
		return nil, errors.New(fmt.Sprintf("Unable to list existing certificate requests: %v", err))
	}

	for _, csr := range csrList.Items {
		if csr.GetName() == req.ObjectMeta.Name {
			err := c.DeleteResouce(CSR, "", csr.GetName())
			if err != nil {
				return nil, errors.New(fmt.Sprintf("Unable to delete existing certificate request: %v", err))
			}
			c.logger.Printf("Old certificate request is deleted")
			break
		}
	}

	unstrRes, err := c.CreateResource(CSR, "", req)
	if err != nil {
		return nil, err
	}
	c.logger.Printf("Certificate request %s is created", unstrRes.GetName())

	res, err := convertToCSR(unstrRes)
	if err != nil {
		return nil, err
	}
	res.Status.Conditions = append(res.Status.Conditions, certificates.CertificateSigningRequestCondition{
		Type:    certificates.CertificateApproved,
		Reason:  "NKP-Approve",
		Message: "This CSR was approved by Nirmata kube-policy controller",
	})
	res, err = certClient.UpdateApproval(res)
	if err != nil {
		return nil, errors.New(fmt.Sprintf("Unable to approve certificate request: %v", err))
	}
	c.logger.Printf("Certificate request %s is approved", res.ObjectMeta.Name)

	return res, nil
}

// Fetches certificate from given request. Tries to obtain certificate for maxWaitSeconds
func (c *Client) fetchCertificateFromRequest(req *certificates.CertificateSigningRequest, maxWaitSeconds uint8) ([]byte, error) {
	// TODO: react of SIGINT and SIGTERM
	timeStart := time.Now()
	for time.Now().Sub(timeStart) < time.Duration(maxWaitSeconds)*time.Second {
		unstrR, err := c.GetResource(CSR, "", req.ObjectMeta.Name)
		if err != nil {
			return nil, err
		}
		r, err := convertToCSR(unstrR)
		if err != nil {
			return nil, err
		}

		if r.Status.Certificate != nil {
			return r.Status.Certificate, nil
		}

		for _, condition := range r.Status.Conditions {
			if condition.Type == certificates.CertificateDenied {
				return nil, errors.New(condition.String())
			}
		}
	}
	return nil, errors.New(fmt.Sprintf("Cerificate fetch timeout is reached: %d seconds", maxWaitSeconds))
}

const privateKeyField string = "privateKey"
const certificateField string = "certificate"

// Reads the pair of TLS certificate and key from the specified secret.
func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair {
	name := generateSecretName(props)
	unstrSecret, err := c.GetResource(Secret, props.Namespace, name)
	if err != nil {
		c.logger.Printf("Unable to get secret %s/%s: %s", props.Namespace, name, err)
		return nil
	}
	secret, err := convertToSecret(unstrSecret)
	if err != nil {
		return nil
	}
	pemPair := tls.TlsPemPair{
		Certificate: secret.Data[certificateField],
		PrivateKey:  secret.Data[privateKeyField],
	}
	if len(pemPair.Certificate) == 0 {
		c.logger.Printf("TLS Certificate not found in secret %s/%s", props.Namespace, name)
		return nil
	}
	if len(pemPair.PrivateKey) == 0 {
		c.logger.Printf("TLS PrivateKey not found in secret %s/%s", props.Namespace, name)
		return nil
	}
	return &pemPair
}

// Writes the pair of TLS certificate and key to the specified secret.
// Updates existing secret or creates new one.
func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPemPair) error {
	name := generateSecretName(props)
	unstrSecret, err := c.GetResource(Secret, props.Namespace, name)
	if err == nil {
		secret, err := convertToSecret(unstrSecret)
		if err != nil {
			return nil
		}

		if secret.Data == nil {
			secret.Data = make(map[string][]byte)
		}
		secret.Data[certificateField] = pemPair.Certificate
		secret.Data[privateKeyField] = pemPair.PrivateKey
		_, err = c.UpdateResource(Secret, props.Namespace, secret)
		if err == nil {
			c.logger.Printf("Secret %s is updated", name)
		}

	} else {

		secret := &v1.Secret{
			TypeMeta: metav1.TypeMeta{
				Kind:       "Secret",
				APIVersion: "v1",
			},
			ObjectMeta: metav1.ObjectMeta{
				Name:      name,
				Namespace: props.Namespace,
			},
			Data: map[string][]byte{
				certificateField: pemPair.Certificate,
				privateKeyField:  pemPair.PrivateKey,
			},
		}

		_, err := c.CreateResource(Secret, props.Namespace, secret)
		if err == nil {
			c.logger.Printf("Secret %s is created", name)
		}
	}
	return err
}

func generateSecretName(props tls.TlsCertificateProps) string {
	return tls.GenerateInClusterServiceName(props) + ".kube-policy-tls-pair"
}
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`package client`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00
			`import (`
			`"errors"`
			`"fmt"`
			`"time"`

rename pkg to kyverno 2019-05-21 11:00:09 -07:00			`tls "github.com/nirmata/kyverno/pkg/tls"`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`certificates "k8s.io/api/certificates/v1beta1"`
			`v1 "k8s.io/api/core/v1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`)`

			`// Issues TLS certificate for webhook server using given PEM private key`
			`// Returns signed and approved TLS certificate in PEM format`
rebase with develop 2019-05-15 11:24:27 -07:00			`func (c Client) GenerateTlsPemPair(props tls.TlsCertificateProps) (tls.TlsPemPair, error) {`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`privateKey, err := tls.TlsGeneratePrivateKey()`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if err != nil {`
			`return nil, err`
			`}`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`certRequest, err := tls.TlsCertificateGenerateRequest(privateKey, props)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if err != nil {`
			`return nil, errors.New(fmt.Sprintf("Unable to create certificate request: %v", err))`
			`}`

replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`certRequest, err = c.submitAndApproveCertificateRequest(certRequest)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if err != nil {`
			`return nil, errors.New(fmt.Sprintf("Unable to submit and approve certificate request: %v", err))`
			`}`

replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`tlsCert, err := c.fetchCertificateFromRequest(certRequest, 10)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if err != nil {`
			`return nil, errors.New(fmt.Sprintf("Unable to fetch certificate from request: %v", err))`
			`}`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`return &tls.TlsPemPair{`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`Certificate: tlsCert,`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`PrivateKey: tls.TlsPrivateKeyToPem(privateKey),`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`}, nil`
			`}`

			`// Submits and approves certificate request, returns request which need to be fetched`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`func (c Client) submitAndApproveCertificateRequest(req certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) {`
			`certClient, err := c.GetCSRInterface()`
			`if err != nil {`
			`return nil, err`
			`}`
PR code review changes 2019-05-21 09:27:04 -07:00			`csrList, err := c.ListResource(CSR, "")`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if err != nil {`
			`return nil, errors.New(fmt.Sprintf("Unable to list existing certificate requests: %v", err))`
			`}`

			`for _, csr := range csrList.Items {`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`if csr.GetName() == req.ObjectMeta.Name {`
PR code review changes 2019-05-21 09:27:04 -07:00			`err := c.DeleteResouce(CSR, "", csr.GetName())`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if err != nil {`
			`return nil, errors.New(fmt.Sprintf("Unable to delete existing certificate request: %v", err))`
			`}`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`c.logger.Printf("Old certificate request is deleted")`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`break`
			`}`
			`}`

PR code review changes 2019-05-21 09:27:04 -07:00			`unstrRes, err := c.CreateResource(CSR, "", req)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if err != nil {`
			`return nil, err`
			`}`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`c.logger.Printf("Certificate request %s is created", unstrRes.GetName())`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`res, err := convertToCSR(unstrRes)`
			`if err != nil {`
			`return nil, err`
			`}`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`res.Status.Conditions = append(res.Status.Conditions, certificates.CertificateSigningRequestCondition{`
			`Type: certificates.CertificateApproved,`
			`Reason: "NKP-Approve",`
			`Message: "This CSR was approved by Nirmata kube-policy controller",`
			`})`
			`res, err = certClient.UpdateApproval(res)`
			`if err != nil {`
			`return nil, errors.New(fmt.Sprintf("Unable to approve certificate request: %v", err))`
			`}`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`c.logger.Printf("Certificate request %s is approved", res.ObjectMeta.Name)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00
			`return res, nil`
			`}`

			`// Fetches certificate from given request. Tries to obtain certificate for maxWaitSeconds`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`func (c Client) fetchCertificateFromRequest(req certificates.CertificateSigningRequest, maxWaitSeconds uint8) ([]byte, error) {`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`// TODO: react of SIGINT and SIGTERM`
			`timeStart := time.Now()`
			`for time.Now().Sub(timeStart) < time.Duration(maxWaitSeconds)*time.Second {`
PR code review changes 2019-05-21 09:27:04 -07:00			`unstrR, err := c.GetResource(CSR, "", req.ObjectMeta.Name)`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`if err != nil {`
			`return nil, err`
			`}`
			`r, err := convertToCSR(unstrR)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if err != nil {`
			`return nil, err`
			`}`

			`if r.Status.Certificate != nil {`
			`return r.Status.Certificate, nil`
			`}`

			`for _, condition := range r.Status.Conditions {`
			`if condition.Type == certificates.CertificateDenied {`
			`return nil, errors.New(condition.String())`
			`}`
			`}`
			`}`
			`return nil, errors.New(fmt.Sprintf("Cerificate fetch timeout is reached: %d seconds", maxWaitSeconds))`
			`}`

			`const privateKeyField string = "privateKey"`
			`const certificateField string = "certificate"`

			`// Reads the pair of TLS certificate and key from the specified secret.`
rebase with develop 2019-05-15 11:24:27 -07:00			`func (c Client) ReadTlsPair(props tls.TlsCertificateProps) tls.TlsPemPair {`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`name := generateSecretName(props)`
PR code review changes 2019-05-21 09:27:04 -07:00			`unstrSecret, err := c.GetResource(Secret, props.Namespace, name)`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`if err != nil {`
			`c.logger.Printf("Unable to get secret %s/%s: %s", props.Namespace, name, err)`
			`return nil`
			`}`
			`secret, err := convertToSecret(unstrSecret)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if err != nil {`
			`return nil`
			`}`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`pemPair := tls.TlsPemPair{`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`Certificate: secret.Data[certificateField],`
			`PrivateKey: secret.Data[privateKeyField],`
			`}`
			`if len(pemPair.Certificate) == 0 {`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`c.logger.Printf("TLS Certificate not found in secret %s/%s", props.Namespace, name)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`return nil`
			`}`
			`if len(pemPair.PrivateKey) == 0 {`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`c.logger.Printf("TLS PrivateKey not found in secret %s/%s", props.Namespace, name)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`return nil`
			`}`
			`return &pemPair`
			`}`

			`// Writes the pair of TLS certificate and key to the specified secret.`
			`// Updates existing secret or creates new one.`
rebase with develop 2019-05-15 11:24:27 -07:00			`func (c Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair tls.TlsPemPair) error {`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`name := generateSecretName(props)`
PR code review changes 2019-05-21 09:27:04 -07:00			`unstrSecret, err := c.GetResource(Secret, props.Namespace, name)`
			`if err == nil {`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`secret, err := convertToSecret(unstrSecret)`
			`if err != nil {`
			`return nil`
			`}`

NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if secret.Data == nil {`
			`secret.Data = make(map[string][]byte)`
			`}`
			`secret.Data[certificateField] = pemPair.Certificate`
			`secret.Data[privateKeyField] = pemPair.PrivateKey`
PR code review changes 2019-05-21 09:27:04 -07:00			`_, err = c.UpdateResource(Secret, props.Namespace, secret)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if err == nil {`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`c.logger.Printf("Secret %s is updated", name)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`}`

PR code review changes 2019-05-21 09:27:04 -07:00			`} else {`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00
			`secret := &v1.Secret{`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`TypeMeta: metav1.TypeMeta{`
			`Kind: "Secret",`
			`APIVersion: "v1",`
			`},`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: name,`
			`Namespace: props.Namespace,`
			`},`
			`Data: map[string][]byte{`
			`certificateField: pemPair.Certificate,`
			`privateKeyField: pemPair.PrivateKey,`
			`},`
			`}`

PR code review changes 2019-05-21 09:27:04 -07:00			`_, err := c.CreateResource(Secret, props.Namespace, secret)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`if err == nil {`
replace kubeclient & add dynamic client 2019-05-15 07:30:22 -07:00			`c.logger.Printf("Secret %s is created", name)`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`}`
			`}`
			`return err`
			`}`

Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`func generateSecretName(props tls.TlsCertificateProps) string {`
			`return tls.GenerateInClusterServiceName(props) + ".kube-policy-tls-pair"`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`}`