Incorporated review comments

kube-tarian · Jun 5, 2024 · 27948e9 · 27948e9
1 parent ae759a0
commit 27948e9
Show file tree

Hide file tree

Showing 10 changed files with 71 additions and 173 deletions.
diff --git a/capten/agent/gin-api-server/server.go b/capten/agent/gin-api-server/server.go
@@ -6,19 +6,12 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/intelops/go-common/logging"
 	"github.com/kube-tarian/kad/capten/agent/gin-api-server/api"
-	"github.com/kube-tarian/kad/capten/agent/internal/clusterissuer"
 	"github.com/kube-tarian/kad/capten/agent/internal/config"
 )
 
 func StartRestServer(rpcapi api.ServerInterface, cfg *config.SericeConfig, log logging.Logger) error {
-	err := clusterissuer.GenerateServerCertificates(cfg.ClusterCAIssuerName, log)
-	if err != nil {
-		log.Errorf("Failed to generate Server certificate, %v", err)
-		return err
-	}
-
 	r := gin.Default()
 	api.RegisterHandlers(r, rpcapi)
 
-	return r.RunTLS(fmt.Sprintf("%s:%d", cfg.Host, cfg.RestPort), clusterissuer.CertFileName, clusterissuer.KeyFileName)
+	return r.RunTLS(fmt.Sprintf("%s:%d", cfg.Host, cfg.RestPort), cfg.CertFileName, cfg.KeyFileName)
 }
diff --git a/capten/agent/internal/app/app.go b/capten/agent/internal/app/app.go
@@ -10,11 +10,11 @@ import (
 	"github.com/intelops/go-common/logging"
 	ginapiserver "github.com/kube-tarian/kad/capten/agent/gin-api-server"
 	agentapi "github.com/kube-tarian/kad/capten/agent/internal/api"
-	"github.com/kube-tarian/kad/capten/agent/internal/clusterissuer"
 	"github.com/kube-tarian/kad/capten/agent/internal/config"
 	"github.com/kube-tarian/kad/capten/agent/internal/job"
 	captenstore "github.com/kube-tarian/kad/capten/common-pkg/capten-store"
 	"github.com/kube-tarian/kad/capten/common-pkg/crossplane"
+	"github.com/kube-tarian/kad/capten/common-pkg/k8s"
 	"github.com/kube-tarian/kad/capten/common-pkg/pb/agentpb"
 	"github.com/kube-tarian/kad/capten/common-pkg/pb/captenpluginspb"
 	"github.com/kube-tarian/kad/capten/common-pkg/pb/clusterpluginspb"
@@ -82,7 +82,7 @@ func Start() {
 		}
 	}()
 
-	err = clusterissuer.SetupCACertIssuser(cfg.ClusterCAIssuerName, log)
+	err = k8s.SetupCACertIssuser(cfg.ClusterCAIssuerName, log)
 	if err != nil {
 		log.Fatalf("Failed to setupt CA Cert Issuer in cert-manager %v", err)
 	}

diff --git a/capten/agent/internal/clusterissuer/ca_cert_issuer.go b/capten/agent/internal/clusterissuer/ca_cert_issuer.go
diff --git a/capten/agent/internal/config/config.go b/capten/agent/internal/config/config.go
@@ -16,6 +16,8 @@ type SericeConfig struct {
 	TektonSyncJobInterval     string `envconfig:"TEKTON_SYNC_JOB_INTERVAL" default:"@every 1h"`
 	DomainName                string `envconfig:"DOMAIN_NAME" default:"example.com"`
 	ClusterCAIssuerName       string `envconfig:"AGENT_CLUSTER_CA_ISSUER_NAME" default:"agent-ca-issuer"`
+	CertFileName              string `envconfig:"CERT_FILE_NAME" default:"/tmp/certs/tls.crt"`
+	KeyFileName               string `envconfig:"KEY_FILE_NAME" default:"/tmp/certs/tls.key"`
 }
 
 func GetServiceConfig() (*SericeConfig, error) {

diff --git a/capten/common-pkg/cert/generate_certs.go b/capten/common-pkg/cert/generate_certs.go
@@ -51,7 +51,7 @@ func GenerateRootCerts() (*CertificatesData, error) {
 	}, nil
 }
 
-func generateCACert() (*Key, *Cert, error) { //(rootKey *rsa.PrivateKey, rootCertTemplate *x509.Certificate, err error) {
+func generateCACert() (*Key, *Cert, error) {
 	rootKey, err := rsa.GenerateKey(rand.Reader, caBitSize)
 	if err != nil {
 		err = errors.WithMessage(err, "failed to generate RSA key for root certificate")

diff --git a/capten/common-pkg/k8s/cert_issuer.go b/capten/common-pkg/k8s/cert_issuer.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/intelops/go-common/logging"
 	"github.com/kube-tarian/kad/capten/common-pkg/cert"
+	"github.com/kube-tarian/kad/capten/common-pkg/credential"
 	"github.com/pkg/errors"
 
 	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
@@ -18,6 +19,38 @@ import (
 
 var log = logging.NewLogger()
 
+func SetupCACertIssuser(clusterIssuerName string, log logging.Logger) error {
+	k8sclient, err := NewK8SClient(log)
+	if err != nil {
+		log.Errorf("failed to initalize k8s client, %v", err)
+		return err
+	}
+
+	err = setupCertificateIssuer(k8sclient, clusterIssuerName, log)
+	if err != nil {
+		log.Errorf("Setup Certificates Issuer failed, %v", err)
+		return err
+	}
+	return nil
+}
+
+// Setup agent certificate issuer
+func setupCertificateIssuer(k8sClient *K8SClient, clusterIssuerName string, log logging.Logger) error {
+	// Create Agent Cluster Issuer
+	certsData, err := CreateOrUpdateClusterIssuer(clusterIssuerName, k8sClient, false)
+	if err != nil {
+		return fmt.Errorf("failed to create/update CA Issuer %s in cert-manager: %v", clusterIssuerName, err)
+	}
+
+	// Update Vault
+	err = credential.PutClusterCerts(context.TODO(), "kad-agent", "kad-agent", string(certsData.CaChainCertData), string(certsData.RootKey.KeyData), string(certsData.RootCert.CertData))
+	if err != nil {
+		log.Errorf("Failed to write to vault, %v", err)
+		log.Infof("Continued to start the agent as these certs from vault are not used...")
+	}
+	return nil
+}
+
 func CreateOrUpdateClusterIssuer(clusterCAIssuer string, k8sclient *K8SClient, forceUpdate bool) (*cert.CertificatesData, error) {
 	config, err := rest.InClusterConfig()
 	if err != nil {

diff --git a/charts/kad/templates/agent-certificate.yaml b/charts/kad/templates/agent-certificate.yaml
@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "kad.fullname" . }}-agent-server-mtls
+spec:
+  commonName: {{ include "kad.fullname" . }}-agent-server-mtls
+  issuerRef:
+    kind: ClusterIssuer
+    name: {{ .Values.agent.clusterIssuerReference }}
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  secretName: {{ include "kad.fullname" . }}-agent-server-mtls
+  usages:
+  - digital signature
+  - key encipherment
+  - server auth
diff --git a/charts/kad/templates/agent-deployment.yaml b/charts/kad/templates/agent-deployment.yaml
@@ -96,8 +96,17 @@ spec:
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           volumeMounts:
-          - name: plugin-store-clone-dir
-            mountPath: {{ .Values.env.pluginsStoreProjectMount }}
+            - name: plugin-store-clone-dir
+              mountPath: {{ .Values.env.pluginsStoreProjectMount }}
+            - name: server-certificate
+              mountPath: "/tmp/certs"
+              readOnly: true
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: server-certificate
+          secret:
+            secretName: {{ include "kad.fullname" . }}-agent-server-mtls
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/kad/values.yaml b/charts/kad/values.yaml
@@ -134,3 +134,6 @@ temporal:
 
 argocd:
   serviceURL: argocd-server.default.svc.cluster.local
+
+agent:
+  clusterIssuerReference: "capten-issuer"
diff --git a/dockerfiles/agent/Dockerfile b/dockerfiles/agent/Dockerfile
@@ -6,15 +6,8 @@ RUN rm -rf vendor
 RUN go mod download
 RUN CGO_ENABLED=0 go build -o ./build/agent agent/cmd/main.go
 
-RUN touch ./server.cert
-RUN touch ./server.key
-RUN chown 65532 ./server.cert
-RUN chown 65532 ./server.key
-
 FROM scratch
 COPY --from=builder ./build/agent agent
-COPY --from=builder ./server.cert server.cert
-COPY --from=builder ./server.key server.key
 COPY ./capten/database/postgres/ postgres/
 
 USER 65532:65532
-Original file line number
+Diff line change
@@ Expand Up / @@ -134,3 +134,6 @@ temporal: @@
     argocd:
       serviceURL: argocd-server.default.svc.cluster.local
+    agent:
+      clusterIssuerReference: "capten-issuer"