ARO-RP/pkg/cluster/tls.go

package cluster

// Copyright (c) Microsoft Corporation.
// Licensed under the Apache License 2.0.

import (
	"context"
	"crypto/x509"
	"encoding/pem"

	configv1 "github.com/openshift/api/config/v1"
	v1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	coreclient "k8s.io/client-go/kubernetes/typed/core/v1"
	"k8s.io/client-go/util/retry"

	"github.com/Azure/ARO-RP/pkg/util/deployment"
	"github.com/Azure/ARO-RP/pkg/util/dns"
	"github.com/Azure/ARO-RP/pkg/util/keyvault"
	utilpem "github.com/Azure/ARO-RP/pkg/util/pem"
)

func (i *manager) createCertificates(ctx context.Context) error {
	if i.env.DeploymentMode() == deployment.Development {
		return nil
	}

	managedDomain, err := dns.ManagedDomain(i.env, i.doc.OpenShiftCluster.Properties.ClusterProfile.Domain)
	if err != nil {
		return err
	}

	if managedDomain == "" {
		return nil
	}

	certs := []struct {
		certificateName string
		commonName      string
	}{
		{
			certificateName: i.doc.ID + "-apiserver",
			commonName:      "api." + managedDomain,
		},
		{
			certificateName: i.doc.ID + "-ingress",
			commonName:      "*.apps." + managedDomain,
		},
	}

	for _, c := range certs {
		i.log.Printf("creating certificate %s", c.certificateName)
		err = i.keyvault.CreateSignedCertificate(ctx, keyvault.IssuerDigicert, c.certificateName, c.commonName, keyvault.EkuServerAuth)
		if err != nil {
			return err
		}
	}

	for _, c := range certs {
		i.log.Printf("waiting for certificate %s", c.certificateName)
		err = i.keyvault.WaitForCertificateOperation(ctx, c.certificateName)
		if err != nil {
			return err
		}
	}

	return nil
}

func (i *manager) upgradeCertificates(ctx context.Context) error {
	if i.env.DeploymentMode() == deployment.Development {
		return nil
	}

	managedDomain, err := dns.ManagedDomain(i.env, i.doc.OpenShiftCluster.Properties.ClusterProfile.Domain)
	if err != nil {
		return err
	}

	if managedDomain == "" {
		return nil
	}

	for _, c := range []string{i.doc.ID + "-apiserver", i.doc.ID + "-ingress"} {
		i.log.Printf("upgrading certificate %s", c)
		err = i.keyvault.UpgradeCertificatePolicy(ctx, c)
		if err != nil {
			return err
		}
	}

	return nil
}

func (i *manager) ensureSecret(ctx context.Context, secrets coreclient.SecretInterface, certificateName string) error {
	bundle, err := i.keyvault.GetSecret(ctx, certificateName)
	if err != nil {
		return err
	}

	key, certs, err := utilpem.Parse([]byte(*bundle.Value))
	if err != nil {
		return err
	}

	b, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return err
	}

	var cb []byte
	for _, cert := range certs {
		cb = append(cb, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})...)
	}

	_, err = secrets.Create(&v1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name: certificateName,
		},
		Data: map[string][]byte{
			v1.TLSCertKey:       cb,
			v1.TLSPrivateKeyKey: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: b}),
		},
		Type: v1.SecretTypeTLS,
	})
	if errors.IsAlreadyExists(err) {
		err = retry.RetryOnConflict(retry.DefaultRetry, func() error {
			s, err := secrets.Get(certificateName, metav1.GetOptions{})
			if err != nil {
				return err
			}

			s.Data = map[string][]byte{
				v1.TLSCertKey:       cb,
				v1.TLSPrivateKeyKey: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: b}),
			}
			s.Type = v1.SecretTypeTLS

			_, err = secrets.Update(s)
			return err
		})
	}
	return err
}

func (i *manager) configureAPIServerCertificate(ctx context.Context) error {
	if i.env.DeploymentMode() == deployment.Development {
		return nil
	}

	managedDomain, err := dns.ManagedDomain(i.env, i.doc.OpenShiftCluster.Properties.ClusterProfile.Domain)
	if err != nil {
		return err
	}

	if managedDomain == "" {
		return nil
	}

	err = i.ensureSecret(ctx, i.kubernetescli.CoreV1().Secrets("openshift-config"), i.doc.ID+"-apiserver")
	if err != nil {
		return err
	}

	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
		apiserver, err := i.configcli.ConfigV1().APIServers().Get("cluster", metav1.GetOptions{})
		if err != nil {
			return err
		}

		apiserver.Spec.ServingCerts.NamedCertificates = []configv1.APIServerNamedServingCert{
			{
				Names: []string{
					"api." + managedDomain,
				},
				ServingCertificate: configv1.SecretNameReference{
					Name: i.doc.ID + "-apiserver",
				},
			},
		}

		_, err = i.configcli.ConfigV1().APIServers().Update(apiserver)
		return err
	})
}

func (i *manager) configureIngressCertificate(ctx context.Context) error {
	if i.env.DeploymentMode() == deployment.Development {
		return nil
	}

	managedDomain, err := dns.ManagedDomain(i.env, i.doc.OpenShiftCluster.Properties.ClusterProfile.Domain)
	if err != nil {
		return err
	}

	if managedDomain == "" {
		return nil
	}

	err = i.ensureSecret(ctx, i.kubernetescli.CoreV1().Secrets("openshift-ingress"), i.doc.ID+"-ingress")
	if err != nil {
		return err
	}

	return retry.RetryOnConflict(retry.DefaultRetry, func() error {
		ic, err := i.operatorcli.OperatorV1().IngressControllers("openshift-ingress-operator").Get("default", metav1.GetOptions{})
		if err != nil {
			return err
		}

		ic.Spec.DefaultCertificate = &v1.LocalObjectReference{
			Name: i.doc.ID + "-ingress",
		}

		_, err = i.operatorcli.OperatorV1().IngressControllers("openshift-ingress-operator").Update(ic)
		return err
	})
}
install/Installer -> cluster/manager 2020-08-24 13:32:21 +03:00			`package cluster`
implement tls signed certificates 2020-02-18 00:08:45 +03:00
			`// Copyright (c) Microsoft Corporation.`
			`// Licensed under the Apache License 2.0.`

			`import (`
			`"context"`
			`"crypto/x509"`
			`"encoding/pem"`

			`configv1 "github.com/openshift/api/config/v1"`
			`v1 "k8s.io/api/core/v1"`
			`"k8s.io/apimachinery/pkg/api/errors"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`coreclient "k8s.io/client-go/kubernetes/typed/core/v1"`
			`"k8s.io/client-go/util/retry"`

pull out deployment.Mode 2020-09-17 21:42:37 +03:00			`"github.com/Azure/ARO-RP/pkg/util/deployment"`
remove ManagedDomain from pkg/env 2020-09-18 04:19:12 +03:00			`"github.com/Azure/ARO-RP/pkg/util/dns"`
refactor pkg/util/keyvault to be more like an azureclient wrapper 2020-03-24 00:04:30 +03:00			`"github.com/Azure/ARO-RP/pkg/util/keyvault"`
			`utilpem "github.com/Azure/ARO-RP/pkg/util/pem"`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`)`

install/Installer -> cluster/manager 2020-08-24 13:32:21 +03:00			`func (i *manager) createCertificates(ctx context.Context) error {`
pull out deployment.Mode 2020-09-17 21:42:37 +03:00			`if i.env.DeploymentMode() == deployment.Development {`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`return nil`
			`}`

remove ManagedDomain from pkg/env 2020-09-18 04:19:12 +03:00			`managedDomain, err := dns.ManagedDomain(i.env, i.doc.OpenShiftCluster.Properties.ClusterProfile.Domain)`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`if err != nil {`
			`return err`
			`}`

			`if managedDomain == "" {`
			`return nil`
			`}`

			`certs := []struct {`
			`certificateName string`
			`commonName string`
			`}{`
			`{`
			`certificateName: i.doc.ID + "-apiserver",`
			`commonName: "api." + managedDomain,`
			`},`
			`{`
			`certificateName: i.doc.ID + "-ingress",`
			`commonName: "*.apps." + managedDomain,`
			`},`
			`}`

			`for _, c := range certs {`
			`i.log.Printf("creating certificate %s", c.certificateName)`
remove basekeyvault.BaseClient from keyvault.Manager interface 2020-09-18 02:49:38 +03:00			`err = i.keyvault.CreateSignedCertificate(ctx, keyvault.IssuerDigicert, c.certificateName, c.commonName, keyvault.EkuServerAuth)`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`if err != nil {`
			`return err`
			`}`
			`}`

			`for _, c := range certs {`
			`i.log.Printf("waiting for certificate %s", c.certificateName)`
remove basekeyvault.BaseClient from keyvault.Manager interface 2020-09-18 02:49:38 +03:00			`err = i.keyvault.WaitForCertificateOperation(ctx, c.certificateName)`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`if err != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

install/Installer -> cluster/manager 2020-08-24 13:32:21 +03:00			`func (i *manager) upgradeCertificates(ctx context.Context) error {`
pull out deployment.Mode 2020-09-17 21:42:37 +03:00			`if i.env.DeploymentMode() == deployment.Development {`
on upgrade, set existing cluster certificates to renew every 90 days 2020-05-27 01:15:12 +03:00			`return nil`
			`}`

remove ManagedDomain from pkg/env 2020-09-18 04:19:12 +03:00			`managedDomain, err := dns.ManagedDomain(i.env, i.doc.OpenShiftCluster.Properties.ClusterProfile.Domain)`
on upgrade, set existing cluster certificates to renew every 90 days 2020-05-27 01:15:12 +03:00			`if err != nil {`
			`return err`
			`}`

			`if managedDomain == "" {`
			`return nil`
			`}`

			`for _, c := range []string{i.doc.ID + "-apiserver", i.doc.ID + "-ingress"} {`
			`i.log.Printf("upgrading certificate %s", c)`
remove basekeyvault.BaseClient from keyvault.Manager interface 2020-09-18 02:49:38 +03:00			`err = i.keyvault.UpgradeCertificatePolicy(ctx, c)`
on upgrade, set existing cluster certificates to renew every 90 days 2020-05-27 01:15:12 +03:00			`if err != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

install/Installer -> cluster/manager 2020-08-24 13:32:21 +03:00			`func (i *manager) ensureSecret(ctx context.Context, secrets coreclient.SecretInterface, certificateName string) error {`
remove basekeyvault.BaseClient from keyvault.Manager interface 2020-09-18 02:49:38 +03:00			`bundle, err := i.keyvault.GetSecret(ctx, certificateName)`
refactor pkg/util/keyvault to be more like an azureclient wrapper 2020-03-24 00:04:30 +03:00			`if err != nil {`
			`return err`
			`}`

			`key, certs, err := utilpem.Parse([]byte(*bundle.Value))`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`if err != nil {`
			`return err`
			`}`

			`b, err := x509.MarshalPKCS8PrivateKey(key)`
			`if err != nil {`
			`return err`
			`}`

			`var cb []byte`
			`for _, cert := range certs {`
			`cb = append(cb, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})...)`
			`}`

			`_, err = secrets.Create(&v1.Secret{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: certificateName,`
			`},`
			`Data: map[string][]byte{`
			`v1.TLSCertKey: cb,`
			`v1.TLSPrivateKeyKey: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: b}),`
			`},`
			`Type: v1.SecretTypeTLS,`
			`})`
			`if errors.IsAlreadyExists(err) {`
			`err = retry.RetryOnConflict(retry.DefaultRetry, func() error {`
			`s, err := secrets.Get(certificateName, metav1.GetOptions{})`
			`if err != nil {`
			`return err`
			`}`

			`s.Data = map[string][]byte{`
			`v1.TLSCertKey: cb,`
			`v1.TLSPrivateKeyKey: pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: b}),`
			`}`
			`s.Type = v1.SecretTypeTLS`

			`_, err = secrets.Update(s)`
			`return err`
			`})`
			`}`
			`return err`
			`}`

install/Installer -> cluster/manager 2020-08-24 13:32:21 +03:00			`func (i *manager) configureAPIServerCertificate(ctx context.Context) error {`
pull out deployment.Mode 2020-09-17 21:42:37 +03:00			`if i.env.DeploymentMode() == deployment.Development {`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`return nil`
			`}`

remove ManagedDomain from pkg/env 2020-09-18 04:19:12 +03:00			`managedDomain, err := dns.ManagedDomain(i.env, i.doc.OpenShiftCluster.Properties.ClusterProfile.Domain)`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`if err != nil {`
			`return err`
			`}`

			`if managedDomain == "" {`
			`return nil`
			`}`

Move k8s clis to Installer to allow unit tests 2020-02-20 00:10:25 +03:00			`err = i.ensureSecret(ctx, i.kubernetescli.CoreV1().Secrets("openshift-config"), i.doc.ID+"-apiserver")`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`if err != nil {`
			`return err`
			`}`

Wait for step conditions in Install 2020-03-03 18:00:22 +03:00			`return retry.RetryOnConflict(retry.DefaultRetry, func() error {`
Move k8s clis to Installer to allow unit tests 2020-02-20 00:10:25 +03:00			`apiserver, err := i.configcli.ConfigV1().APIServers().Get("cluster", metav1.GetOptions{})`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`if err != nil {`
			`return err`
			`}`

			`apiserver.Spec.ServingCerts.NamedCertificates = []configv1.APIServerNamedServingCert{`
			`{`
			`Names: []string{`
			`"api." + managedDomain,`
			`},`
			`ServingCertificate: configv1.SecretNameReference{`
			`Name: i.doc.ID + "-apiserver",`
			`},`
			`},`
			`}`

Move k8s clis to Installer to allow unit tests 2020-02-20 00:10:25 +03:00			`_, err = i.configcli.ConfigV1().APIServers().Update(apiserver)`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`return err`
			`})`
			`}`

install/Installer -> cluster/manager 2020-08-24 13:32:21 +03:00			`func (i *manager) configureIngressCertificate(ctx context.Context) error {`
pull out deployment.Mode 2020-09-17 21:42:37 +03:00			`if i.env.DeploymentMode() == deployment.Development {`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`return nil`
			`}`

remove ManagedDomain from pkg/env 2020-09-18 04:19:12 +03:00			`managedDomain, err := dns.ManagedDomain(i.env, i.doc.OpenShiftCluster.Properties.ClusterProfile.Domain)`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`if err != nil {`
			`return err`
			`}`

			`if managedDomain == "" {`
			`return nil`
			`}`

Move k8s clis to Installer to allow unit tests 2020-02-20 00:10:25 +03:00			`err = i.ensureSecret(ctx, i.kubernetescli.CoreV1().Secrets("openshift-ingress"), i.doc.ID+"-ingress")`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`if err != nil {`
			`return err`
			`}`

Wait for step conditions in Install 2020-03-03 18:00:22 +03:00			`return retry.RetryOnConflict(retry.DefaultRetry, func() error {`
Move k8s clis to Installer to allow unit tests 2020-02-20 00:10:25 +03:00			`ic, err := i.operatorcli.OperatorV1().IngressControllers("openshift-ingress-operator").Get("default", metav1.GetOptions{})`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`if err != nil {`
			`return err`
			`}`

			`ic.Spec.DefaultCertificate = &v1.LocalObjectReference{`
			`Name: i.doc.ID + "-ingress",`
			`}`

Move k8s clis to Installer to allow unit tests 2020-02-20 00:10:25 +03:00			`_, err = i.operatorcli.OperatorV1().IngressControllers("openshift-ingress-operator").Update(ic)`
implement tls signed certificates 2020-02-18 00:08:45 +03:00			`return err`
			`})`
			`}`