Refactor SSL Certificates

Author: MadalinaPatrichi

pkg/oci/client/load_balancer.go

@@ -35,7 +35,7 @@ type LoadBalancerInterface interface {
 	DeleteLoadBalancer(ctx context.Context, id string) (string, error)
 
 	GetCertificateByName(ctx context.Context, lbID, name string) (*loadbalancer.Certificate, error)
-	CreateCertificate(ctx context.Context, lbID, certificate, key string) (string, error)
+	CreateCertificate(ctx context.Context, lbID string, cert loadbalancer.CertificateDetails) (string, error)
 
 	CreateBackendSet(ctx context.Context, lbID, name string, details loadbalancer.BackendSetDetails) (string, error)
 	UpdateBackendSet(ctx context.Context, lbID, name string, details loadbalancer.BackendSetDetails) (string, error)
@@ -150,18 +150,19 @@ func (c *client) GetCertificateByName(ctx context.Context, lbID, name string) (*
 	return nil, errors.WithStack(errNotFound)
 }
 
-func (c *client) CreateCertificate(ctx context.Context, lbID, certificate, key string) (string, error) {
+func (c *client) CreateCertificate(ctx context.Context, lbID string, cert loadbalancer.CertificateDetails) (string, error) {
 	if !c.rateLimiter.Writer.TryAccept() {
 		return "", RateLimitError(true, "CreateCertificate")
 	}
 
-	// TODO(apryde): We currently don't have a mechanism for supplying
-	// CreateCertificateDetails.CaCertificate.
 	resp, err := c.loadbalancer.CreateCertificate(ctx, loadbalancer.CreateCertificateRequest{
 		LoadBalancerId: &lbID,
 		CreateCertificateDetails: loadbalancer.CreateCertificateDetails{
-			PublicCertificate: &certificate,
-			PrivateKey:        &key,
+			CertificateName:   cert.CertificateName,
+			CaCertificate:     cert.CaCertificate,
+			PublicCertificate: cert.PublicCertificate,
+			PrivateKey:        cert.PrivateKey,
+			Passphrase:        cert.Passphrase,
 		},
 	})
 	incRequestCounter(err, createVerb, certificateResource)

pkg/oci/load_balancer.go

@@ -196,78 +196,49 @@ func getSubnetsForNodes(ctx context.Context, nodes []*v1.Node, client client.Int
 
 // readSSLSecret returns the certificate and private key from a Kubernetes TLS
 // private key Secret.
-func (cp *CloudProvider) readSSLSecret(secretType string, svc *v1.Service) (*certificateData, error) {
-	secretString, ok := svc.Annotations[secretType]
-	if !ok && secretType == ServiceAnnotationLoadBalancerTLSSecret {
-		return nil, errors.Errorf("no %q annotation found", secretType)
-	}
-	if !ok {
-		return &certificateData{CACert: "", PublicCert: "", PrivateKey: "",
-			Passphrase: ""}, nil
-	}
-
-	ns, name := parseSecretString(secretString)
-	if ns == "" {
-		ns = svc.Namespace
-	}
+func (cp *CloudProvider) readSSLSecret(ns, name string) (*certificateData, error) {
 	secret, err := cp.kubeclient.CoreV1().Secrets(ns).Get(name, metav1.GetOptions{})
 	if err != nil {
 		return nil, err
 	}
-
+	var ok bool
 	var cacert, cert, key, pass []byte
-	var cacertstr, passstr string
-	if cacert, ok = secret.Data[SSLCAFileName]; !ok {
-		cacertstr = ""
-	} else {
-		cacertstr = string(cacert)
-	}
+	cacert, _ = secret.Data[SSLCAFileName]
 	if cert, ok = secret.Data[SSLCertificateFileName]; !ok {
 		return nil, errors.Errorf("%s not found in secret %s/%s", SSLCertificateFileName, ns, name)
 	}
 	if key, ok = secret.Data[SSLPrivateKeyFileName]; !ok {
 		return nil, errors.Errorf("%s not found in secret %s/%s", SSLPrivateKeyFileName, ns, name)
 	}
-	if pass, ok = secret.Data[SSLPassphrase]; !ok {
-		passstr = ""
-	} else {
-		passstr = string(pass)
-	}
-	return &certificateData{CACert: cacertstr, PublicCert: string(cert), PrivateKey: string(key),
-		Passphrase: passstr}, nil
+	pass, _ = secret.Data[SSLPassphrase]
+	return &certificateData{CACert: cacert, PublicCert: cert, PrivateKey: key, Passphrase: pass}, nil
 }
 
 // ensureSSLCertificate creates a OCI SSL certificate to the given load
 // balancer, if it doesn't already exist.
-func (cp *CloudProvider) ensureSSLCertificate(ctx context.Context, lb *loadbalancer.LoadBalancer, sslConfig *SSLConfig, svc *v1.Service) error {
-	name := sslConfig.Name
-	logger := cp.logger.With("loadBalancerID", *lb.Id, "certificateName", name)
-	_, err := cp.client.LoadBalancer().GetCertificateByName(ctx, *lb.Id, name)
-	if err == nil {
-		logger.Debug("Certificate already exists on load balancer. Nothing to do.")
-		return nil
-	}
-	if !client.IsNotFound(err) {
-		return err
-	}
-
-	// Although we iterate here only one certificate is supported at the moment.
-	certs := make(map[string]loadbalancer.CertificateDetails)
-	err = buildCertificates(sslConfig, svc, certs)
+func (cp *CloudProvider) ensureSSLCertificates(ctx context.Context, lb *loadbalancer.LoadBalancer, spec *LBSpec) error {
+	logger := cp.logger.With("loadBalancerID", *lb.Id)
+	// Get all required certificates
+	certs, err := spec.Certificates()
 	if err != nil {
 		return err
 	}
+
+	var ok bool
 	for _, cert := range certs {
-		wrID, err := cp.client.LoadBalancer().CreateCertificate(ctx, *lb.Id, *cert.PublicCertificate, *cert.PrivateKey)
-		if err != nil {
-			return err
-		}
-		_, err = cp.client.LoadBalancer().AwaitWorkRequest(ctx, wrID)
-		if err != nil {
-			return err
-		}
+		if _, ok = lb.Certificates[*cert.CertificateName]; !ok {
+			logger = cp.logger.With("certificateName", *cert.CertificateName)
+			wrID, err := cp.client.LoadBalancer().CreateCertificate(ctx, *lb.Id, cert)
+			if err != nil {
+				return err
+			}
+			_, err = cp.client.LoadBalancer().AwaitWorkRequest(ctx, wrID)
+			if err != nil {
+				return err
+			}
 
-		logger.Info("Certificate created")
+			logger.Info("Certificate created")
+		}
 	}
 	return nil
 }
@@ -289,12 +260,7 @@ func (cp *CloudProvider) createLoadBalancer(ctx context.Context, spec *LBSpec) (
 	}
 
 	// Then we create the load balancer and wait for it to be online.
-	certs := make(map[string]loadbalancer.CertificateDetails)
-	err = buildCertificates(spec.ListenerSSLConfig, spec.service, certs)
-	if err != nil {
-		return nil, errors.Wrap(err, "get certificates")
-	}
-	err = buildCertificates(spec.BackendSetSSLConfig, spec.service, certs)
+	certs, err := spec.Certificates()
 	if err != nil {
 		return nil, errors.Wrap(err, "get certificates")
 	}
@@ -351,17 +317,18 @@ func (cp *CloudProvider) EnsureLoadBalancer(ctx context.Context, clusterName str
 	}
 	exists := !client.IsNotFound(err)
 
-	var sslListener, sslBackendSet *SSLConfig
+	var sslConfig *SSLConfig
 	if requiresCertificate(service) {
 		ports, err := getSSLEnabledPorts(service)
 		if err != nil {
 			return nil, err
 		}
-		sslListener = NewSSLConfig(lbName, ServiceAnnotationLoadBalancerTLSSecret, ports, cp)
-		sslBackendSet = NewSSLConfig(lbName, ServiceAnnotationLoadBalancerBackendSetSecret, ports, cp)
+		secretListenerString, _ := service.Annotations[ServiceAnnotationLoadBalancerTLSSecret]
+		secretBackendSetString, _ := service.Annotations[ServiceAnnotationLoadBalancerBackendSetSecret]
+		sslConfig = NewSSLConfig(secretListenerString, secretBackendSetString, ports, cp)
 	}
 	subnets := []string{cp.config.LoadBalancer.Subnet1, cp.config.LoadBalancer.Subnet2}
-	spec, err := NewLBSpec(service, nodes, subnets, sslListener, sslBackendSet, cp.securityListManagerFactory)
+	spec, err := NewLBSpec(service, nodes, subnets, sslConfig, cp.securityListManagerFactory)
 	if err != nil {
 		logger.With(zap.Error(err)).Error("Failed to derive LBSpec")
 		return nil, err
@@ -380,11 +347,8 @@ func (cp *CloudProvider) EnsureLoadBalancer(ctx context.Context, clusterName str
 
 	// If the load balancer needs an SSL cert ensure it is present.
 	if requiresCertificate(service) {
-		if err := cp.ensureSSLCertificate(ctx, lb, spec.ListenerSSLConfig, spec.service); err != nil {
-			return nil, errors.Wrap(err, "ensuring ssl certificate for listeners")
-		}
-		if err := cp.ensureSSLCertificate(ctx, lb, spec.BackendSetSSLConfig, spec.service); err != nil {
-			return nil, errors.Wrap(err, "ensuring ssl certificate for backend sets")
+		if err := cp.ensureSSLCertificates(ctx, lb, spec); err != nil {
+			return nil, errors.Wrap(err, "ensuring ssl certificates")
 		}
 	}
 

pkg/oci/load_balancer_spec.go

@@ -33,29 +33,28 @@ import (
 // certificateData is a structure containing the data about a K8S secret required
 // to store SSL information required for BackendSets and Listeners
 type certificateData struct {
-	CACert     string
-	PublicCert string
-	PrivateKey string
-	Passphrase string
+	Name       string
+	CACert     []byte
+	PublicCert []byte
+	PrivateKey []byte
+	Passphrase []byte
 }
 
 type sslSecretReader interface {
-	readSSLSecret(secretType string, svc *v1.Service) (sslSecret *certificateData, err error)
+	readSSLSecret(ns, name string) (sslSecret *certificateData, err error)
 }
 
 type noopSSLSecretReader struct{}
 
-func (ssr noopSSLSecretReader) readSSLSecret(secretType string, svc *v1.Service) (sslSecret *certificateData, err error) {
-	return &certificateData{}, nil
+func (ssr noopSSLSecretReader) readSSLSecret(ns, name string) (sslSecret *certificateData, err error) {
+	return nil, nil
 }
 
 // SSLConfig is a description of a SSL certificate.
 type SSLConfig struct {
-	Name                string
-	Type                string
-	Ports               sets.Int
-	ListenerSSLSecret   *certificateData
-	BackendSetSSLSecret *certificateData
+	Ports                   sets.Int
+	ListenerSSLSecretName   string
+	BackendSetSSLSecretName string
 
 	sslSecretReader
 }
@@ -66,15 +65,15 @@ func requiresCertificate(svc *v1.Service) bool {
 }
 
 // NewSSLConfig constructs a new SSLConfig.
-func NewSSLConfig(name string, sslType string, ports []int, ssr sslSecretReader) *SSLConfig {
+func NewSSLConfig(listenerSecretName, backendSetSecretName string, ports []int, ssr sslSecretReader) *SSLConfig {
 	if ssr == nil {
 		ssr = noopSSLSecretReader{}
 	}
 	return &SSLConfig{
-		Name:            name,
-		Type:            sslType,
-		Ports:           sets.NewInt(ports...),
-		sslSecretReader: ssr,
+		Ports: sets.NewInt(ports...),
+		ListenerSSLSecretName:   listenerSecretName,
+		BackendSetSSLSecretName: backendSetSecretName,
+		sslSecretReader:         ssr,
 	}
 }
 
@@ -90,16 +89,15 @@ type LBSpec struct {
 
 	Ports               map[string]portSpec
 	SourceCIDRs         []string
-	ListenerSSLConfig   *SSLConfig
-	BackendSetSSLConfig *SSLConfig
+	SSLConfig           *SSLConfig
 	securityListManager securityListManager
 
 	service *v1.Service
 	nodes   []*v1.Node
 }
 
 // NewLBSpec creates a LB Spec from a Kubernetes service and a slice of nodes.
-func NewLBSpec(svc *v1.Service, nodes []*v1.Node, defaultSubnets []string, listenerSSLConfig *SSLConfig, backendSetSSLConfig *SSLConfig, secListFactory securityListManagerFactory) (*LBSpec, error) {
+func NewLBSpec(svc *v1.Service, nodes []*v1.Node, defaultSubnets []string, sslConfig *SSLConfig, secListFactory securityListManagerFactory) (*LBSpec, error) {
 	if len(defaultSubnets) != 2 {
 		return nil, errors.New("default subnets incorrectly configured")
 	}
@@ -145,7 +143,7 @@ func NewLBSpec(svc *v1.Service, nodes []*v1.Node, defaultSubnets []string, liste
 		}
 	}
 
-	listeners, err := getListeners(svc, listenerSSLConfig)
+	listeners, err := getListeners(svc, sslConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -156,12 +154,11 @@ func NewLBSpec(svc *v1.Service, nodes []*v1.Node, defaultSubnets []string, liste
 		Internal:    internal,
 		Subnets:     subnets,
 		Listeners:   listeners,
-		BackendSets: getBackendSets(svc, nodes, backendSetSSLConfig),
+		BackendSets: getBackendSets(svc, nodes, sslConfig),
 
-		Ports:               getPorts(svc),
-		ListenerSSLConfig:   listenerSSLConfig,
-		BackendSetSSLConfig: backendSetSSLConfig,
-		SourceCIDRs:         sourceCIDRs,
+		Ports:       getPorts(svc),
+		SSLConfig:   sslConfig,
+		SourceCIDRs: sourceCIDRs,
 
 		service: svc,
 		nodes:   nodes,
@@ -171,26 +168,42 @@ func NewLBSpec(svc *v1.Service, nodes []*v1.Node, defaultSubnets []string, liste
 }
 
 // Certificates builds a map of required SSL certificates.
-func buildCertificates(sslConfig *SSLConfig, svc *v1.Service, certs map[string]loadbalancer.CertificateDetails) error {
-	if sslConfig == nil {
-		return nil
+func (s *LBSpec) Certificates() (map[string]loadbalancer.CertificateDetails, error) {
+	certs := make(map[string]loadbalancer.CertificateDetails)
+	if s.SSLConfig == nil {
+		return certs, nil
 	}
-	sslSecret, err := sslConfig.readSSLSecret(sslConfig.Type, svc)
+	//Read listener Kubernetes Secret
+	sslSecret, err := s.SSLConfig.readSSLSecret(s.service.Namespace, s.SSLConfig.ListenerSSLSecretName)
 	if err != nil {
-		return errors.Wrap(err, "reading SSL Secret")
+		return nil, errors.Wrap(err, "reading SSL Listener Secret")
 	}
-	if sslSecret.PublicCert == "" || sslSecret.PrivateKey == "" {
-		return nil
+	if len(sslSecret.PublicCert) == 0 || len(sslSecret.PrivateKey) == 0 {
+		return certs, nil
 	}
 
-	certs[sslConfig.Name] = loadbalancer.CertificateDetails{
-		CertificateName:   &sslConfig.Name,
-		PublicCertificate: &sslSecret.PublicCert,
-		CaCertificate:     &sslSecret.CACert,
-		PrivateKey:        &sslSecret.PrivateKey,
-		Passphrase:        &sslSecret.Passphrase,
+	certs[s.SSLConfig.ListenerSSLSecretName] = loadbalancer.CertificateDetails{
+		CertificateName:   &s.SSLConfig.ListenerSSLSecretName,
+		PublicCertificate: common.String(string(sslSecret.PublicCert)),
+		PrivateKey:        common.String(string(sslSecret.PrivateKey)),
 	}
-	return nil
+	// Read backendSet Kubernetes Secret
+	sslSecret, err = s.SSLConfig.readSSLSecret(s.service.Namespace, s.SSLConfig.BackendSetSSLSecretName)
+	if err != nil {
+		return nil, errors.Wrap(err, "reading SSL BackendSet Secret")
+	}
+	if len(sslSecret.PublicCert) == 0 || len(sslSecret.PrivateKey) == 0 {
+		return certs, nil
+	}
+
+	certs[s.SSLConfig.BackendSetSSLSecretName] = loadbalancer.CertificateDetails{
+		CertificateName:   &s.SSLConfig.BackendSetSSLSecretName,
+		CaCertificate:     common.String(string(sslSecret.CACert)),
+		PublicCertificate: common.String(string(sslSecret.PublicCert)),
+		PrivateKey:        common.String(string(sslSecret.PrivateKey)),
+		Passphrase:        common.String(string(sslSecret.Passphrase)),
+	}
+	return certs, nil
 }
 
 // TODO(apryde): aggregate errors using an error list.
@@ -263,7 +276,11 @@ func getBackendSets(svc *v1.Service, nodes []*v1.Node, sslCfg *SSLConfig) map[st
 	for _, servicePort := range svc.Spec.Ports {
 		name := getBackendSetName(string(servicePort.Protocol), int(servicePort.Port))
 		port := int(servicePort.Port)
-		sslConfig := getSSLConfiguration(sslCfg, port)
+		var secretName string
+		if sslCfg != nil {
+			secretName = sslCfg.BackendSetSSLSecretName
+		}
+		sslConfig := getSSLConfiguration(sslCfg, secretName, port)
 		if sslConfig != nil {
 			backendSets[name] = loadbalancer.BackendSetDetails{
 				Policy:           common.String(DefaultLoadBalancerPolicy),
@@ -304,12 +321,12 @@ func getHealthChecker(cfg *SSLConfig, port int, svc *v1.Service) *loadbalancer.H
 	}
 }
 
-func getSSLConfiguration(cfg *SSLConfig, port int) *loadbalancer.SslConfigurationDetails {
+func getSSLConfiguration(cfg *SSLConfig, name string, port int) *loadbalancer.SslConfigurationDetails {
 	if cfg == nil || !cfg.Ports.Has(port) {
 		return nil
 	}
 	return &loadbalancer.SslConfigurationDetails{
-		CertificateName:       &cfg.Name,
+		CertificateName:       &name,
 		VerifyDepth:           common.Int(0),
 		VerifyPeerCertificate: common.Bool(false),
 	}
@@ -347,7 +364,11 @@ func getListeners(svc *v1.Service, sslCfg *SSLConfig) (map[string]loadbalancer.L
 			}
 		}
 		port := int(servicePort.Port)
-		sslConfiguration := getSSLConfiguration(sslCfg, port)
+		var secretName string
+		if sslCfg != nil {
+			secretName = sslCfg.ListenerSSLSecretName
+		}
+		sslConfiguration := getSSLConfiguration(sslCfg, secretName, port)
 		name := getListenerName(protocol, port, sslConfiguration)
 
 		listener := loadbalancer.ListenerDetails{