Add the initial scaffold of certificate management #59

Merged
merged 1 commit into from
Jan 30, 2025
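--- a/pkg/certificate/auto/doc.go
+++ b/pkg/certificate/auto/doc.go
@@ -0,0 +1,8 @@
+package auto
+
+/*
+AutoProvider generates self-signed certificates.
+
+It isn't recommended for production use. It's only designed for
+test purpose only.
+*/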
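Review bot: The block comment on lines 40-45 sits after the `package auto` clause, so `go doc` will not surface it as the package documentation; a package comment must immediately precede the package line and start with "Package auto". It also describes `AutoProvider`, which is not declared anywhere in this file, and repeats "only". I would move it above the clause as `// Package auto provides AutoProvider, which issues self-signed certificates.` followed by `// It is intended for tests only and must not be used in production: nothing outside the provider can verify a self-signed chain.` The last clause is my inference from "self-signed" and should be confirmed against the eventual implementation.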
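--- a/pkg/certificate/cert-manager/doc.go
+++ b/pkg/certificate/cert-manager/doc.go
@@ -0,0 +1,6 @@
+package cert_manager
+
+/*
+CertManagerProvider enables users to integrate their existing
+cert-manager deployments with etcd-operator.
+*/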
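Review bot: The package name `cert_manager` on line 49 uses an underscore, which Go naming conventions avoid (package names are short lowercase words); `package certmanager` would match the rest of the ecosystem, and since the directory is `cert-manager` the package name already cannot match the path, so nothing is lost by the rename. As in the auto package, the comment is placed after the package clause and names a type (`CertManagerProvider`) that this file does not declare, so it will not appear as package documentation. I would write `// Package certmanager integrates existing cert-manager deployments with etcd-operator.` directly above the package line and keep the provider-type description with the type once it is added.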
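--- a/pkg/certificate/interface.go
+++ b/pkg/certificate/interface.go
@@ -0,0 +1,112 @@
+package certificate
+
+import (
+"context"
+"fmt"
+"net"
+"time"
+)
+
+type ProviderType string
+
+const (
+Auto ProviderType = "auto"
+CertManager ProviderType = "cert-manager"
+// add more ...
+)
+
+func NewProvider(pt ProviderType) (Provider, error) {
+switch pt {
+case Auto:
+return nil, nil // change me later
+case CertManager:
+return nil, nil // change me later
+}
+
+return nil, fmt.Errorf("unknown provider type: %s", pt)
+}
+
+// AltNames contains the domain names and IP addresses that will be added
+// to the x509 certificate SubAltNames fields. The values will be passed
+// directly to the x509.Certificate object.
+type AltNames struct {
+DNSNames []string
+IPs []net.IP
+}
+
+// Config contains the basic fields required for creating a certificate
+type Config struct {
+CommonName string
+Organization []string
+AltNames AltNames
+ValidityDuration time.Duration
+CABundle []byte
+
+// ExtraConfig contains provider specific configurations.
+ExtraConfig map[string]any
+}
+
+type Provider interface {
+// EnsureCertificateSecret ensures the specified certificate is
+// available as a Secret in Kubernetes. If the Secret does not
+// exist, it will be created.
+//
+// Parameters:
+// - ctx: Context for cancellation and deadlines.
+// - secretName: Name of the Secret to ensure.
+// - namespace: Namespace where the Secret should reside.
+// - cfg: Configuration for the certificate.
+//
+// Returns:
+// - nil if the operation succeeds, or an error otherwise.
+EnsureCertificateSecret(ctx context.Context, secretName string, namespace string, cfg *Config) error
+
+// ValidateCertificateSecret validates the certificate stored
+// in the specified Secret. This checks if the certificate is
+// valid (e.g., not expired, matches configuration).
+//
+// Parameters:
+// - ctx: Context for cancellation and deadlines.
+// - secretName: Name of the Secret to validate.
+// - namespace: Namespace where the Secret resides.
+// - cfg: Configuration to validate against.
+//
+// Returns:
+// - true if the Secret is valid, false otherwise, along with
+// an error if validation fails.
+ValidateCertificateSecret(ctx context.Context, secretName string, namespace string, cfg *Config) (bool, error)
+
+// DeleteCertificateSecret explicitly deletes the Secret containing
+// the certificate. This should only be used if the certificate
+// is no longer needed.
+//
+// Parameters:
+// - ctx: Context for cancellation and deadlines.
+// - secretName: Name of the Secret to delete.
+// - namespace: Namespace where the Secret resides.
+//
+// Returns:
+// - nil if the operation succeeds, or an error otherwise.
+DeleteCertificateSecret(ctx context.Context, secretName string, namespace string) error
+
+// RevokeCertificate revokes a certificate if supported by the provider.
+//
+// Parameters:
+// - ctx: Context for cancellation and deadlines.
+// - secretName: Name of the Secret containing the certificate to revoke.
+// - namespace: Namespace where the Secret resides.
+//
+// Returns:
+// - nil if the revocation succeeds, or an error otherwise.
+RevokeCertificate(ctx context.Context, secretName string, namespace string) error
+
+// GetCertificateConfig returns the certificate configuration from the provider.
+//
+// Parameters:
+// - secretName: Name of the Secret containing the certificate.
+// - namespace: Namespace where the Secret resides.
+//
+// Returns:
+// - Config if the Secret exists and is valid, or an error otherwise.
+GetCertificateConfig(ctx context.Context, secretName string, namespace string) (*Config, error)
+}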
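Review bot: `NewProvider` returns `nil, nil` for both known provider types (lines 78 and 80), so a caller that checks only the error gets a nil `Provider` and panics on the first method call; even as a scaffold each placeholder should fail loudly, e.g. `return nil, fmt.Errorf("provider %q is not implemented yet", pt)`, and a `_ = ctx` style TODO is not enough here. The contract of `ValidateCertificateSecret` (lines 131-134) also conflates "certificate is invalid" with "validation could not run": the doc should state that `(false, nil)` means the Secret exists but does not satisfy cfg (expired, wrong SANs) and `(false, err)` means the check itself failed, so no reconciler ever treats a transport or API error as a valid certificate. Finally, `CABundle` (line 100) has no comment saying what encoding is expected and `ExtraConfig` (line 103) is an untyped map that providers may end up using for sensitive material; I would document `CABundle` as PEM-encoded (to be confirmed against the first implementation) and add `// ExtraConfig must not carry private keys; those belong in the Secret.` so that constraint is fixed before the auto and cert-manager providers land.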