Add AutoProvider certificate manager
#227
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
size/M
size/L
and removed
size/M
labels
ArkaSaha30
force-pushed
the
auto-cert-provider
branch
3 times, most recently
from
f819caf to
82651bc
Compare
ArkaSaha30
changed the title
AutoProvider interface functionsAutoProvider interface functions
|
@abdurrehman107 @ballista01 @ivanvc @hakman PTAL. Reviewing this PR is also an opportunity to get familiar with the certificate design & implementation. Reference: https://docs.google.com/document/d/1k8os77Hqxe36nUaZ31YqBGBuXcgdozVPppJYOfwUDFA/edit?tab=t.0 |
|
cc @frederiko |
ArkaSaha30
force-pushed
the
auto-cert-provider
branch
from
276d55e to
9886706
Compare
ArkaSaha30
changed the title
AutoProvider interface functionsAutoProvider certificate manager
pkg/certificate/auto/provider.go
Outdated
| return nil, fmt.Errorf("failed to get certificate: %w", err) | ||
| } | ||
|
|
||
| return &interfaces.Config{}, nil |
There was a problem hiding this comment.
We should get the info from the certificate included in the secret.
There was a problem hiding this comment.
Hi @ahrtr , I explored getting the original config from the secret itself but it will be a complicated one since we are manipulating the config and passing it to transport.SelfCert() which in turn creats the certificate.
Another workaround is to retrieve the certificateConfig from the etcdCluster object via the certificateSecret.ownerRef.Name, but it will cause a circular dependency
What can be the suggested solution here?
cc @ivanvc
There was a problem hiding this comment.
but it will be a complicated one
Where is the complication? I don't see a PoC so far, nor a reasonable explanation.
The easiest solution is to just save the config passed to EnsureCertificateSecret, and return it in GetCertificateConfig. The problem is that it isn't the final real configuration that we used to create the certificate.
There was a problem hiding this comment.
Sure, I have updated the GetCertificateConfig to return the saved user-defined config
ivanvc
left a comment
ivanvc
left a comment
There was a problem hiding this comment.
Thanks for the pull request, Arka. I left some observations, comments, and suggestions.
ArkaSaha30
force-pushed
the
auto-cert-provider
branch
4 times, most recently
from
9d90c9e to
e2c11fd
Compare
|
/test pull-etcd-operator-test-e2e |
|
@ArkaSaha30, where do we stand in this pull request? Is this ready for another review? |
ArkaSaha30
force-pushed
the
auto-cert-provider
branch
3 times, most recently
from
6027cab to
ccf14e3
Compare
neolit123
left a comment
neolit123
left a comment
There was a problem hiding this comment.
thanks for the updates
generally LGTM, just a few minor comments from me
| autoConfig := ec.Spec.TLS.ProviderCfg.AutoCfg | ||
| duration, err := time.ParseDuration(autoConfig.ValidityDuration) | ||
| if err != nil { | ||
| log.Printf("Failed to parse ValidityDuration: %s", err) |
There was a problem hiding this comment.
I am currently handling the scenario in auto/provider.go - https://github.com/ArkaSaha30/etcd-operator/blob/auto-cert-provider/pkg/certificate/auto/provider.go#L217-L220
Currently, it will log the error but fall back to the default duration of 1yr and let the user bring up the etcdCluster.
Please let me know if this is not the desired behaviour, and I will update it to throw an error.
There was a problem hiding this comment.
I think we should return an error here, we only use the default value if not provided. Pls raise a separate ticket to track this.
|
|
||
| var userAutoConfig *interfaces.Config | ||
|
|
||
| func (ac *Provider) EnsureCertificateSecret(ctx context.Context, secretName, namespace string, |
There was a problem hiding this comment.
Whenever the "name, namespace" pattern is used, an object key can be used. This ensures consistency. See github.com/kubernetes-sigs/controller-runtime/blob/main/pkg/client/example_test.go for example.
| func (ac *Provider) EnsureCertificateSecret(ctx context.Context, secretName, namespace string, | |
| func (ac *Provider) EnsureCertificateSecret(ctx context.Context, secretKey ctrlruntimeclient.ObjectKey |
There was a problem hiding this comment.
Since this is an interface change, I will change and refactor it for both certManager and auto certificate provider in a separate follow-up PR
There was a problem hiding this comment.
Good point, Pls raise a separate ticket to track this change
| return interfaces.ErrTLSCert | ||
| } | ||
|
|
||
| decodeCertificatePem, _ := pem.Decode(certificateData) |
There was a problem hiding this comment.
We are already checking the error in the next line.
pem.Decode returns (p *Block, rest []byte) - pointer to decoded PEM block and the remaining bytes after the block.
if decodeCertificatePem == nil checks if the decoding failed and returns error ErrDecodeCert
|
|
||
| // parsePrivateKey parses the private key from the PEM-encoded data. | ||
| func parsePrivateKey(privateKeyData []byte) (crypto.PrivateKey, error) { | ||
| block, _ := pem.Decode(privateKeyData) |
There was a problem hiding this comment.
Same pem.Decode error handling style: #227 (comment)
|
@ArkaSaha30 pls feedback after you resolve all the review comments, thx |
Sure @ahrtr , I'll address all the review comments this week. |
ArkaSaha30
force-pushed
the
auto-cert-provider
branch
2 times, most recently
from
d8aab27 to
6513f37
Compare
This commit will add the initial scaffolding for AutoProvider. Signed-off-by: ArkaSaha30 <[email protected]>
ArkaSaha30
force-pushed
the
auto-cert-provider
branch
from
6513f37 to
078dc2b
Compare
Signed-off-by: ArkaSaha30 <[email protected]>
ArkaSaha30
force-pushed
the
auto-cert-provider
branch
from
078dc2b to
9b5ddc1
Compare
Signed-off-by: ArkaSaha30 <[email protected]>
Signed-off-by: ArkaSaha30 <[email protected]>
ArkaSaha30
force-pushed
the
auto-cert-provider
branch
from
d37558f to
ed00a51
Compare
ahrtr
left a comment
ahrtr
left a comment
There was a problem hiding this comment.
LGTM with two followups.
Thanks @ArkaSaha30 for the great work!
|
|
||
| var userAutoConfig *interfaces.Config | ||
|
|
||
| func (ac *Provider) EnsureCertificateSecret(ctx context.Context, secretName, namespace string, |
There was a problem hiding this comment.
Good point, Pls raise a separate ticket to track this change
| autoConfig := ec.Spec.TLS.ProviderCfg.AutoCfg | ||
| duration, err := time.ParseDuration(autoConfig.ValidityDuration) | ||
| if err != nil { | ||
| log.Printf("Failed to parse ValidityDuration: %s", err) |
There was a problem hiding this comment.
I think we should return an error here, we only use the default value if not provided. Pls raise a separate ticket to track this.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ahrtr, ArkaSaha30 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
| } | ||
| } | ||
|
|
||
| var userAutoConfig *interfaces.Config |
There was a problem hiding this comment.
Why define a global variable? Please add it as a field in Provider struct (line 34 above).
There was a problem hiding this comment.
pls also resolve this in a followup PR, thx
| if parseCert.NotAfter.Before(time.Now()) { | ||
| return interfaces.ErrCertExpired | ||
| } |
There was a problem hiding this comment.
Would it be a good idea also to check parseCert.NotBefore?
There was a problem hiding this comment.
Yes! Adding it in the refactor issue: #251
6 participants
This PR will add
AutoProvidercertificate manager as a part of generating default self-signed certificates: