

POC of dynamic authority
Signed-off-by: Erik Godding Boye <[email protected]>
erikgb committed Nov 15, 2024
1 parent 41dc93d commit e67c46a
Showing 9 changed files with 41 additions and 132 deletions.
10 changes: 9 additions & 1 deletion cmd/trust-manager/app/app.go
Expand Up @@ -17,10 +17,12 @@ limitations under the License.
package app

import (
"crypto/tls"
"errors"
"fmt"
"net/http"

"github.com/erikgb/dynamic-authority/pkg/authority"
"github.com/spf13/cobra"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/labels"
Expand Down Expand Up @@ -70,6 +72,8 @@ func NewCommand() *cobra.Command {

ctrl.SetLogger(mlog)

certOperator := authority.ServingCertificateOperator{Options: opts.DynamicServing}

eventBroadcaster := record.NewBroadcaster()
eventBroadcaster.StartLogging(func(format string, args ...any) { mlog.V(3).Info(fmt.Sprintf(format, args...)) })
eventBroadcaster.StartRecordingToSink(&clientv1.EventSinkImpl{Interface: cl.CoreV1().Events("")})
Expand All @@ -87,7 +91,7 @@ func NewCommand() *cobra.Command {
WebhookServer: ctrlwebhook.NewServer(ctrlwebhook.Options{
Port: opts.Webhook.Port,
Host: opts.Webhook.Host,
CertDir: opts.Webhook.CertDir,
TLSOpts: []func(*tls.Config){certOperator.ServingCertificate()},
}),
Metrics: server.Options{
BindAddress: fmt.Sprintf("0.0.0.0:%d", opts.MetricsPort),
Expand Down Expand Up @@ -119,6 +123,10 @@ func NewCommand() *cobra.Command {
return fmt.Errorf("failed to create manager: %w", err)
}

if err := certOperator.SetupWithManager(mgr); err != nil {
return fmt.Errorf("failed to setup cert operator: %w", err)
}

targetCache, err := cache.New(mgr.GetConfig(), cache.Options{
HTTPClient: mgr.GetHTTPClient(),
Scheme: mgr.GetScheme(),
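Review bot: `certOperator` is built from `opts.DynamicServing` without checking that `Namespace` and `CASecret` were supplied; both flags default to the empty string in options.go in this same commit, so a misconfigured deployment only fails somewhere inside `SetupWithManager`, presumably with a less direct error. A guard before the `ServingCertificateOperator` literal would surface it at startup: `if opts.DynamicServing.Namespace == "" || opts.DynamicServing.CASecret == "" { return errors.New("dynamic serving CA secret namespace and name are required") }` (`errors` is already imported). Separately, removing `CertDir: opts.Webhook.CertDir` leaves `--webhook-certificate-dir` registered but no longer read, so operators who still set it get a silently ignored static certificate; marking that flag deprecated would make this visible. `NewCommand` starts and ends outside the hunks shown here.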
16 changes: 16 additions & 0 deletions cmd/trust-manager/app/options/options.go
Expand Up @@ -23,6 +23,7 @@ import (
"os"
"time"

"github.com/erikgb/dynamic-authority/pkg/authority"
"github.com/go-logr/logr"
"github.com/spf13/cobra"
"github.com/spf13/pflag"
Expand Down Expand Up @@ -70,6 +71,8 @@ type Options struct {

// Leader election lease renew duration
RenewDeadline time.Duration

DynamicServing authority.Options
}

type logOptions struct {
Expand Down Expand Up @@ -164,6 +167,7 @@ func (o *Options) addFlags(cmd *cobra.Command) {
o.addBundleFlags(nfs.FlagSet("Bundle"))
o.addLoggingFlags(nfs.FlagSet("Logging"))
o.addWebhookFlags(nfs.FlagSet("Webhook"))
o.addDynamicServingFlags(nfs.FlagSet("Dynamic Serving"))
o.kubeConfigFlags = genericclioptions.NewConfigFlags(true)
o.kubeConfigFlags.AddFlags(nfs.FlagSet("Kubernetes"))

Expand Down Expand Up @@ -248,3 +252,15 @@ func (o *Options) addWebhookFlags(fs *pflag.FlagSet) {
"Certificate and private key must be named 'tls.crt' and 'tls.key' "+
"respectively.")
}

func (o *Options) addDynamicServingFlags(fs *pflag.FlagSet) {
fs.StringVar(&o.DynamicServing.Namespace,
"dynamic-serving-ca-secret-namespace", "",
"Namespace of the secret used to store the CA that signs serving certificates")
fs.StringVar(&o.DynamicServing.CASecret,
"dynamic-serving-ca-secret-name", "",
"Name of the secret used to store the CA that signs serving certificates")
fs.StringSliceVar(&o.DynamicServing.DNSNames,
"dynamic-serving-ca-secret-name", nil,
"DNS names that should be present on certificates generated by the dynamic serving CA")
}
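Review bot: `addDynamicServingFlags` registers the name `"dynamic-serving-ca-secret-name"` twice, once for `CASecret` and again for `DNSNames` on the `StringSliceVar` call; pflag panics with "flag redefined" when a name is added a second time, and the chart's deployment.yaml passes `--dynamic-serving-dns-names`, so the third registration should read `"dynamic-serving-dns-names", nil,`. The help text for that flag could also state that it may be repeated, which is how the deployment template uses it. Nothing marks the namespace and secret-name flags as required even though they default to empty strings, so an omitted flag is only detected later at runtime.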
94 changes: 0 additions & 94 deletions deploy/charts/trust-manager/templates/certificate.yaml

This file was deleted.

6 changes: 6 additions & 0 deletions deploy/charts/trust-manager/templates/clusterrole.yaml
Expand Up @@ -5,6 +5,12 @@ metadata:
{{- include "trust-manager.labels" . | nindent 4 }}
name: {{ include "trust-manager.name" . }}
rules:
- apiGroups:
- "admissionregistration.k8s.io"
resources:
- "validatingwebhookconfigurations"
verbs: ["get", "list", "watch", "patch"]

- apiGroups:
- "trust.cert-manager.io"
resources:
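Review bot: The new rule grants `patch` on every `validatingwebhookconfigurations` object in the cluster, while the only object the controller needs to write is the chart's own webhook configuration named `{{ include "trust-manager.name" . }}` in webhook.yaml. Splitting the rule so that `get`/`list`/`watch` stay unrestricted (RBAC `resourceNames` is not honored for list and watch) and `patch` is scoped with `resourceNames` keeps a compromised trust-manager from rewriting the caBundle of unrelated webhooks. The permission that lets the controller read and write the CA secret is not in this hunk; presumably it lives in a namespaced Role.
```yaml
- apiGroups:
  - "admissionregistration.k8s.io"
  resources:
  - "validatingwebhookconfigurations"
  verbs: ["get", "list", "watch"]
- apiGroups:
  - "admissionregistration.k8s.io"
  resources:
  - "validatingwebhookconfigurations"
  resourceNames: [{{ include "trust-manager.name" . | quote }}]
  verbs: ["patch"]
# … unchanged: trust.cert-manager.io rules …
```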
13 changes: 5 additions & 8 deletions deploy/charts/trust-manager/templates/deployment.yaml
Expand Up @@ -87,7 +87,11 @@ spec:
# webhook
- "--webhook-host={{.Values.app.webhook.host}}"
- "--webhook-port={{.Values.app.webhook.port}}"
- "--webhook-certificate-dir=/tls"
- "--dynamic-serving-ca-secret-namespace={{ include "trust-manager.namespace" . }}"
- "--dynamic-serving-ca-secret-name={{ include "trust-manager.name" . }}-dynamic-ca"
- "--dynamic-serving-dns-names={{ include "trust-manager.name" . }}"
- "--dynamic-serving-dns-names={{ include "trust-manager.name" . }}.$(POD_NAMESPACE)"
- "--dynamic-serving-dns-names={{ include "trust-manager.name" . }}.$(POD_NAMESPACE).svc"
{{- if .Values.defaultPackage.enabled }}
- "--default-package-location=/packages/cert-manager-package-debian.json"
{{- end }}
Expand All @@ -98,9 +102,6 @@ spec:
- "--filter-expired-certificates=true"
{{- end }}
volumeMounts:
- mountPath: /tls
name: tls
readOnly: true
- mountPath: /packages
name: packages
readOnly: true
Expand Down Expand Up @@ -140,10 +141,6 @@ spec:
- name: packages
emptyDir:
sizeLimit: 50M
- name: tls
secret:
defaultMode: 420
secretName: {{ include "trust-manager.name" . }}-tls
{{- if .Values.app.webhook.hostNetwork }}
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
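Review bot: The three `--dynamic-serving-dns-names` arguments build the service SANs from `$(POD_NAMESPACE)`, while the `--dynamic-serving-ca-secret-namespace` argument two lines above uses the Helm-templated `{{ include "trust-manager.namespace" . }}`; the hunk does not show the container `env`, so it is worth confirming that `POD_NAMESPACE` is actually defined there. Using one source for both values avoids serving certificates whose SANs name a different namespace than the one the flags and Secret are rendered for; `- "--dynamic-serving-dns-names={{ include "trust-manager.name" . }}.{{ include "trust-manager.namespace" . }}"` would keep the DNS-name lines consistent with the secret-namespace flag. The removal of `--webhook-certificate-dir=/tls` is fine for the chart, but the flag itself still exists in options.go, so a comment here explaining that the serving certificate is now issued in-cluster would save the next reader a search.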
6 changes: 2 additions & 4 deletions deploy/charts/trust-manager/templates/webhook.yaml
Expand Up @@ -81,12 +81,10 @@ kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "trust-manager.name" . }}
labels:
cert-manager.io/inject-dynamic-ca-from-secret-namespace: "{{ include "trust-manager.namespace" . }}"
cert-manager.io/inject-dynamic-ca-from-secret-name: "{{ include "trust-manager.name" . }}-dynamic-ca"
app: {{ include "trust-manager.name" . }}
{{- include "trust-manager.labels" . | nindent 4 }}
{{ if not .Values.app.webhook.tls.helmCert.enabled }}
annotations:
cert-manager.io/inject-ca-from: "{{ include "trust-manager.namespace" . }}/{{ include "trust-manager.name" . }}"
{{ end }}

webhooks:
- name: trust.cert-manager.io
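Review bot: Dropping the `{{ if not .Values.app.webhook.tls.helmCert.enabled }}` block means `app.webhook.tls.helmCert.enabled` no longer affects the rendered webhook configuration, yet values.yaml is not among the nine changed files, so the key would stay documented but ignored; either remove it from values.yaml (and any README or schema generated from it) or keep the new injection labels conditional on it. The two `cert-manager.io/inject-dynamic-ca-from-secret-*` labels are unconditional, so the webhook's `caBundle` now depends entirely on the in-cluster controller patching this object after install; a template comment above them such as `# caBundle is injected at runtime by the dynamic-authority controller, keyed on these labels` would make that dependency explicit.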
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -3,6 +3,7 @@ module github.com/cert-manager/trust-manager
go 1.22.0

require (
github.com/erikgb/dynamic-authority v0.0.0-20241105063705-d20d55e85d05
github.com/go-logr/logr v1.4.2
github.com/onsi/ginkgo/v2 v2.21.0
github.com/onsi/gomega v1.35.1
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -24,6 +24,8 @@ github.com/emicklei/go-restful/v3 v3.12.1 h1:PJMDIM/ak7btuL8Ex0iYET9hxM3CI2sjZtz
github.com/emicklei/go-restful/v3 v3.12.1/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/erikgb/dynamic-authority v0.0.0-20241105063705-d20d55e85d05 h1:KZR8PfgX2SkZh7NxL8UGbe5VT6hP2jwrfAgUpIlNa68=
github.com/erikgb/dynamic-authority v0.0.0-20241105063705-d20d55e85d05/go.mod h1:rsJ6ZXqGxojBpTDo9YEaI2lJDpesjH05kuMlR9Qdxzk=
github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
25 changes: 0 additions & 25 deletions make/test-smoke.mk
Expand Up @@ -12,30 +12,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.

.PHONY: smoke-setup-cert-manager
smoke-setup-cert-manager: | kind-cluster $(NEEDS_HELM) $(NEEDS_KUBECTL)
$(HELM) upgrade \
--install \
--create-namespace \
--wait \
--version $(quay.io/jetstack/cert-manager-controller.TAG) \
--namespace cert-manager \
--repo https://charts.jetstack.io \
--set installCRDs=true \
--set image.repository=$(quay.io/jetstack/cert-manager-controller.REPO) \
--set image.tag=$(quay.io/jetstack/cert-manager-controller.TAG) \
--set image.pullPolicy=Never \
--set cainjector.image.repository=$(quay.io/jetstack/cert-manager-cainjector.REPO) \
--set cainjector.image.tag=$(quay.io/jetstack/cert-manager-cainjector.TAG) \
--set cainjector.image.pullPolicy=Never \
--set webhook.image.repository=$(quay.io/jetstack/cert-manager-webhook.REPO) \
--set webhook.image.tag=$(quay.io/jetstack/cert-manager-webhook.TAG) \
--set webhook.image.pullPolicy=Never \
--set startupapicheck.image.repository=$(quay.io/jetstack/cert-manager-startupapicheck.REPO) \
--set startupapicheck.image.tag=$(quay.io/jetstack/cert-manager-startupapicheck.TAG) \
--set startupapicheck.image.pullPolicy=Never \
cert-manager cert-manager >/dev/null

# The "install" target can be run on its own with any currently active cluster,
# we can't use any other cluster then a target containing "test-smoke" is run.
# When a "test-smoke" target is run, the currently active cluster must be the kind
Expand All @@ -48,7 +24,6 @@ test-smoke-deps: INSTALL_OPTIONS :=
test-smoke-deps: INSTALL_OPTIONS += --set image.repository=$(oci_manager_image_name_development)
test-smoke-deps: INSTALL_OPTIONS += --set defaultPackageImage.repository=$(oci_package_debian_image_name_development)
test-smoke-deps: INSTALL_OPTIONS += --set secretTargets.enabled=true --set secretTargets.authorizedSecretsAll=true
test-smoke-deps: smoke-setup-cert-manager
test-smoke-deps: install

.PHONY: test-smoke
