certgen: add cert-manager certificate compatibility

This change adds new options to certgen that will allow it to overwrite existing Kubernetes Secrets, and to generate Secrets in a format that is compatible with cert-manager (we call this "compact" format). The `--overwrite` flag can be used to let certgen update existing secrets, and this will enable both the transition to the new format and certificate rotation on a per-release granularity. The `--secrets-format` flag switches the Secrets output format from the current format to the compatible "compact" format. Once this is enabled in the deployment YAML, operators will easily be able to substitute cert-manager certificates for certgen certificates. Finally, the bootstrap command is updated to ensure that the specified certificate files are actually present. This prevents Envoy starting up and rejecting the static configuration, which is unrecoverable. This fixes projectcontour#2494. Signed-off-by: James Peach <[email protected]>
jpeach · May 26, 2020 · fabdad1 · fabdad1
1 parent 10d62c7
commit fabdad1
Show file tree

Hide file tree

Showing 7 changed files with 308 additions and 178 deletions.
diff --git a/cmd/contour/bootstrap.go b/cmd/contour/bootstrap.go
@@ -1,4 +1,4 @@
-// Copyright © 2019 VMware
+// Copyright © 2020 VMware
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -21,7 +21,7 @@ import (
 // registerBootstrap registers the bootstrap subcommand and flags
 // with the Application provided.
 func registerBootstrap(app *kingpin.Application) (*kingpin.CmdClause, *envoy.BootstrapConfig) {
-	var config envoy.BootstrapConfig
+	config := envoy.BootstrapConfig{}
 
 	bootstrap := app.Command("bootstrap", "Generate bootstrap configuration.")
 	bootstrap.Arg("path", "Configuration file ('-' for standard output).").Required().StringVar(&config.Path)
@@ -34,5 +34,6 @@ func registerBootstrap(app *kingpin.Application) (*kingpin.CmdClause, *envoy.Boo
 	bootstrap.Flag("envoy-cert-file", "gRPC Client cert filename for Envoy to load.").Envar("ENVOY_CERT_FILE").StringVar(&config.GrpcClientCert)
 	bootstrap.Flag("envoy-key-file", "gRPC Client key filename for Envoy to load.").Envar("ENVOY_KEY_FILE").StringVar(&config.GrpcClientKey)
 	bootstrap.Flag("namespace", "The namespace the Envoy container will run in.").Envar("CONTOUR_NAMESPACE").Default("projectcontour").StringVar(&config.Namespace)
+
 	return bootstrap, &config
 }
diff --git a/cmd/contour/certgen.go b/cmd/contour/certgen.go
@@ -1,4 +1,4 @@
-// Copyright © 2019 VMware
+// Copyright © 2020 VMware
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -22,6 +22,7 @@ import (
 	"github.com/projectcontour/contour/internal/certgen"
 	"github.com/projectcontour/contour/internal/k8s"
 	kingpin "gopkg.in/alecthomas/kingpin.v2"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
 )
 
@@ -30,15 +31,19 @@ import (
 func registerCertGen(app *kingpin.Application) (*kingpin.CmdClause, *certgenConfig) {
 	var certgenConfig certgenConfig
 	certgenApp := app.Command("certgen", "Generate new TLS certs for bootstrapping gRPC over TLS.")
+
 	certgenApp.Flag("kube", "Apply the generated certs directly to the current Kubernetes cluster.").BoolVar(&certgenConfig.OutputKube)
 	certgenApp.Flag("yaml", "Render the generated certs as Kubernetes Secrets in YAML form to the current directory.").BoolVar(&certgenConfig.OutputYAML)
 	certgenApp.Flag("pem", "Render the generated certs as individual PEM files to the current directory.").BoolVar(&certgenConfig.OutputPEM)
 	certgenApp.Flag("incluster", "Use in cluster configuration.").BoolVar(&certgenConfig.InCluster)
 	certgenApp.Flag("kubeconfig", "Path to kubeconfig (if not in running inside a cluster).").Default(filepath.Join(os.Getenv("HOME"), ".kube", "config")).StringVar(&certgenConfig.KubeConfig)
 	certgenApp.Flag("namespace", "Kubernetes namespace, used for Kube objects.").Default("projectcontour").Envar("CONTOUR_NAMESPACE").StringVar(&certgenConfig.Namespace)
-	certgenApp.Arg("outputdir", "Directory to write output files into.").Default("certs").StringVar(&certgenConfig.OutputDir)
 	// NOTE: --certificate-lifetime can be used to accept Duration string once certificate rotation is supported.
 	certgenApp.Flag("certificate-lifetime", "Generated certificate lifetime (in days).").Default("365").UintVar(&certgenConfig.Lifetime)
+	certgenApp.Flag("overwrite", "Overwrite existing files or Secrets.").BoolVar(&certgenConfig.Overwrite)
+	certgenApp.Flag("secrets-format", "Specify how to format the generated Kubernetes Secrets.").Default("legacy").StringVar(&certgenConfig.Format)
+
+	certgenApp.Arg("outputdir", "Directory to write output files into (default \"certs\").").Default("certs").StringVar(&certgenConfig.OutputDir)
 
 	return certgenApp, &certgenConfig
 }
@@ -69,11 +74,16 @@ type certgenConfig struct {
 
 	// Lifetime is the number of days for which certificates will be valid.
 	Lifetime uint
+
+	// Overwrite allows certgen to overwrite any existing files or Kubernetes Secrets.
+	Overwrite bool
+
+	// Format specifies how to format the Kubernetes Secrets (must be "legacy" or "compat").
+	Format string
 }
 
 // GenerateCerts performs the actual cert generation steps and then returns the certs for the output function.
 func GenerateCerts(certConfig *certgenConfig) (map[string][]byte, error) {
-
 	now := time.Now()
 	expiry := now.Add(24 * time.Duration(certConfig.Lifetime) * time.Hour)
 	caCertPEM, caKeyPEM, err := certgen.NewCA("Project Contour", expiry)
@@ -90,6 +100,7 @@ func GenerateCerts(certConfig *certgenConfig) (map[string][]byte, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	envoyCert, envoyKey, err := certgen.NewCert(caCertPEM,
 		caKeyPEM,
 		expiry,
@@ -99,35 +110,50 @@ func GenerateCerts(certConfig *certgenConfig) (map[string][]byte, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	newCerts := make(map[string][]byte)
-	newCerts["cacert.pem"] = caCertPEM
-	newCerts["contourcert.pem"] = contourCert
-	newCerts["contourkey.pem"] = contourKey
-	newCerts["envoycert.pem"] = envoyCert
-	newCerts["envoykey.pem"] = envoyKey
+	newCerts[certgen.CACertificateKey] = caCertPEM
+	newCerts[certgen.ContourCertificateKey] = contourCert
+	newCerts[certgen.ContourPrivateKeyKey] = contourKey
+	newCerts[certgen.EnvoyCertificateKey] = envoyCert
+	newCerts[certgen.EnvoyPrivateKeyKey] = envoyKey
 
 	return newCerts, nil
 
 }
 
 // OutputCerts outputs the certs in certs as directed by config.
-func OutputCerts(config *certgenConfig,
-	kubeclient *kubernetes.Clientset,
-	certs map[string][]byte) {
+func OutputCerts(config *certgenConfig, kubeclient *kubernetes.Clientset, certs map[string][]byte) {
+	secrets := []*corev1.Secret{}
+	force := certgen.NoOverwrite
+	if config.Overwrite {
+		force = certgen.Overwrite
+	}
+
+	if config.OutputYAML || config.OutputKube {
+		switch config.Format {
+		case "legacy":
+			secrets = certgen.AsLegacySecrets(config.Namespace, certs)
+		case "compact":
+			secrets = certgen.AsSecrets(config.Namespace, certs)
+		default:
+			check(fmt.Errorf("unsupported Secrets format %q", config.Format))
+		}
+	}
 
 	if config.OutputPEM {
-		fmt.Printf("Outputting certs to PEM files in %s/\n", config.OutputDir)
-		check(certgen.WriteCertsPEM(config.OutputDir, certs))
+		fmt.Printf("Writing certificates to PEM files in %s/\n", config.OutputDir)
+		check(certgen.WriteCertsPEM(config.OutputDir, certs, force))
 	}
 
 	if config.OutputYAML {
-		fmt.Printf("Outputting certs to YAML files in %s/\n", config.OutputDir)
-		check(certgen.WriteSecretsYAML(config.OutputDir, config.Namespace, certs))
+		fmt.Printf("Writing %q format Secrets to YAML files in %s/\n", config.Format, config.OutputDir)
+		check(certgen.WriteSecretsYAML(config.OutputDir, secrets, force))
 	}
 
 	if config.OutputKube {
-		fmt.Printf("Outputting certs to Kubernetes in namespace %s/\n", config.Namespace)
-		check(certgen.WriteSecretsKube(kubeclient, config.Namespace, certs))
+		fmt.Printf("Writing %q format Secrets to namespace %q\n", config.Format, config.Namespace)
+		check(certgen.WriteSecretsKube(kubeclient, secrets, force))
 	}
 }
 

diff --git a/cmd/contour/certgen_test.go b/cmd/contour/certgen_test.go
@@ -0,0 +1,98 @@
+// Copyright © 2020 VMware
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"sort"
+	"testing"
+
+	"github.com/projectcontour/contour/internal/assert"
+	"github.com/projectcontour/contour/internal/certgen"
+	"github.com/projectcontour/contour/internal/dag"
+	corev1 "k8s.io/api/core/v1"
+)
+
+func TestGeneratedSecretsValid(t *testing.T) {
+	conf := certgenConfig{
+		KubeConfig: "",
+		InCluster:  false,
+		Namespace:  t.Name(),
+		OutputDir:  "",
+		OutputKube: false,
+		OutputYAML: false,
+		OutputPEM:  false,
+		Lifetime:   0,
+		Overwrite:  false,
+	}
+
+	certmap, err := GenerateCerts(&conf)
+	if err != nil {
+		t.Fatalf("failed to generate certificates: %s", err)
+	}
+
+	secrets := certgen.AsSecrets(conf.Namespace, certmap)
+	if len(secrets) != 2 {
+		t.Errorf("expected 2 secrets, got %d", len(secrets))
+	}
+
+	wantedNames := map[string][]string{
+		"envoycert": {
+			"envoy",
+			fmt.Sprintf("envoy.%s", conf.Namespace),
+			fmt.Sprintf("envoy.%s.svc", conf.Namespace),
+			fmt.Sprintf("envoy.%s.svc.cluster.local", conf.Namespace),
+		},
+		"contourcert": {
+			"contour",
+			fmt.Sprintf("contour.%s", conf.Namespace),
+			fmt.Sprintf("contour.%s.svc", conf.Namespace),
+			fmt.Sprintf("contour.%s.svc.cluster.local", conf.Namespace),
+		},
+	}
+
+	for _, s := range secrets {
+		if _, ok := wantedNames[s.Name]; !ok {
+			t.Errorf("unexpected Secret name %q", s.Name)
+			continue
+		}
+
+		// Check the keys we want are present.
+		for _, key := range []string{
+			dag.CACertificateKey,
+			corev1.TLSCertKey,
+			corev1.TLSPrivateKeyKey,
+		} {
+			if _, ok := s.Data[key]; !ok {
+				t.Errorf("missing data key %q", key)
+			}
+		}
+
+		pemBlock, _ := pem.Decode(s.Data[corev1.TLSCertKey])
+		assert.Equal(t, pemBlock.Type, "CERTIFICATE")
+
+		cert, err := x509.ParseCertificate(pemBlock.Bytes)
+		if err != nil {
+			t.Errorf("failed to parse X509 certificate: %s", err)
+		}
+
+		// Check that each certificate contains SAN entries for the right DNS names.
+		sort.Strings(cert.DNSNames)
+		sort.Strings(wantedNames[s.Name])
+		assert.Equal(t, cert.DNSNames, wantedNames[s.Name])
+
+	}
+}