From ca1423400963878e1446550ef74401447b343de1 Mon Sep 17 00:00:00 2001
From: Benjamin Wang
Date: Tue, 28 Jan 2025 16:32:32 +0000
Subject: [PATCH] Add the initial scaffold of certificate management

Signed-off-by: Benjamin Wang
---
pkg/certificate/auto/doc.go | 8 ++
pkg/certificate/cert-manager/doc.go | 6 ++
pkg/certificate/interface.go | 112 ++++++++++++++++++++++++++++
3 files changed, 126 insertions(+)
create mode 100644 pkg/certificate/auto/doc.go
create mode 100644 pkg/certificate/cert-manager/doc.go
create mode 100644 pkg/certificate/interface.go

diff --git a/pkg/certificate/auto/doc.go b/pkg/certificate/auto/doc.go
new file mode 100644
index 0000000..961bb66
--- /dev/null
+++ b/pkg/certificate/auto/doc.go
@@ -0,0 +1,8 @@
+package auto
+
+/*
+AutoProvider generates self-signed certificates.
+
+It isn't recommended for production use. It's only designed for
+test purpose only.
+*/
diff --git a/pkg/certificate/cert-manager/doc.go b/pkg/certificate/cert-manager/doc.go
new file mode 100644
index 0000000..6deff6e
--- /dev/null
+++ b/pkg/certificate/cert-manager/doc.go
@@ -0,0 +1,6 @@
+package cert_manager
+
+/*
+CertManagerProvider enables users to integrate their existing
+cert-manager deployments with etcd-operator.
+*/
diff --git a/pkg/certificate/interface.go b/pkg/certificate/interface.go
new file mode 100644
index 0000000..5215bd6
--- /dev/null
+++ b/pkg/certificate/interface.go
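Review bot: The package clause `package cert_manager` in pkg/certificate/cert-manager/doc.go uses an underscore, which Go naming conventions and the usual lint rule against underscores in package names reject; `package certmanager` keeps the cert-manager directory and import path while giving importers an idiomatic identifier. In the auto/doc.go hunk just above, "It's only designed for test purpose only." doubles "only"; `It is designed for test purposes only.` reads cleanly.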
@@ -0,0 +1,112 @@
+package certificate
+
+import (
+ "context"
+ "fmt"
+ "net"
+ "time"
+)
+
+type ProviderType string
+
+const (
+ Auto ProviderType = "auto"
+ CertManager ProviderType = "cert-manager"
+ // add more ...
+)
+
+func NewProvider(pt ProviderType) (Provider, error) {
+ switch pt {
+ case Auto:
+ return nil, nil // change me later
+ case CertManager:
+ return nil, nil // change me later
+ }
+
+ return nil, fmt.Errorf("unknown provider type: %s", pt)
+}
+
+// AltNames contains the domain names and IP addresses that will be added
+// to the x509 certificate SubAltNames fields. The values will be passed
+// directly to the x509.Certificate object.
+type AltNames struct {
+ DNSNames []string
+ IPs []net.IP
+}
+
+// Config contains the basic fields required for creating a certificate
+type Config struct {
+ CommonName string
+ Organization []string
+ AltNames AltNames
+ ValidityDuration time.Duration
+ CABundle []byte
+
+ // ExtraConfig contains provider specific configurations.
+ ExtraConfig map[string]any
+}
+
+type Provider interface {
+ // EnsureCertificateSecret ensures the specified certificate is
+ // available as a Secret in Kubernetes. If the Secret does not
+ // exist, it will be created.
+ //
+ // Parameters:
+ // - ctx: Context for cancellation and deadlines.
+ // - secretName: Name of the Secret to ensure.
+ // - namespace: Namespace where the Secret should reside.
+ // - cfg: Configuration for the certificate.
+ //
+ // Returns:
+ // - nil if the operation succeeds, or an error otherwise.
+ EnsureCertificateSecret(ctx context.Context, secretName string, namespace string, cfg *Config) error
+
+ // ValidateCertificateSecret validates the certificate stored
+ // in the specified Secret. This checks if the certificate is
+ // valid (e.g., not expired, matches configuration).
+ //
+ // Parameters:
+ // - ctx: Context for cancellation and deadlines.
+ // - secretName: Name of the Secret to validate.
+ // - namespace: Namespace where the Secret resides.
+ // - cfg: Configuration to validate against.
+ //
+ // Returns:
+ // - true if the Secret is valid, false otherwise, along with
+ // an error if validation fails.
+ ValidateCertificateSecret(ctx context.Context, secretName string, namespace string, cfg *Config) (bool, error)
+
+ // DeleteCertificateSecret explicitly deletes the Secret containing
+ // the certificate. This should only be used if the certificate
+ // is no longer needed.
+ //
+ // Parameters:
+ // - ctx: Context for cancellation and deadlines.
+ // - secretName: Name of the Secret to delete.
+ // - namespace: Namespace where the Secret resides.
+ //
+ // Returns:
+ // - nil if the operation succeeds, or an error otherwise.
+ DeleteCertificateSecret(ctx context.Context, secretName string, namespace string) error
+
+ // RevokeCertificate revokes a certificate if supported by the provider.
+ //
+ // Parameters:
+ // - ctx: Context for cancellation and deadlines.
+ // - secretName: Name of the Secret containing the certificate to revoke.
+ // - namespace: Namespace where the Secret resides.
+ //
+ // Returns:
+ // - nil if the revocation succeeds, or an error otherwise.
+ RevokeCertificate(ctx context.Context, secretName string, namespace string) error
+
+ // GetCertificateConfig returns the certificate configuration from the provider.
+ //
+ // Parameters:
+ // - secretName: Name of the Secret containing the certificate.
+ // - namespace: Namespace where the Secret resides.
+ //
+ // Returns:
+ // - Config if the Secret exists and is valid, or an error otherwise.
+ GetCertificateConfig(ctx context.Context, secretName string, namespace string) (*Config, error)
+}
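Review bot: NewProvider returns `nil, nil` for both Auto and CertManager, so a caller that checks err and then calls a method on the returned Provider panics on a nil interface; even as scaffolding the placeholder arms should fail loudly, e.g. `return nil, fmt.Errorf("provider %q: not implemented", pt)`, and the fallthrough error is better written with `%q` than `%s` so an empty ProviderType is visible in the message. The Provider doc comments leave two contract points open that matter for certificate hygiene: EnsureCertificateSecret says a missing Secret is created but not what happens when the Secret exists and its certificate is expired or no longer matches cfg (renewed, replaced, or left alone), and ValidateCertificateSecret's "false otherwise, along with an error if validation fails" does not say whether an expired or mismatched certificate yields (false, nil) or (false, err), so a caller cannot separate a rejected certificate from a transient API failure. One sentence on each, such as `// An existing Secret whose certificate no longer satisfies cfg is <renewed|left unchanged>.` (whichever is intended) and `// (false, nil) means the certificate was read but is not valid; a non-nil error means validation could not be performed.`, would pin this down before the providers are implemented. GetCertificateConfig's Parameters list omits ctx, and Provider, ProviderType, Auto and CertManager are exported without doc comments.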