Correct annotations for certificates generated via vault intermediate CA (#1544)

mr-miles · web-flow · commit be674d6b3e56 · 2024-02-06T17:03:27.000Z
* Add handling of intermediate CAs from vault
* Add PKIRootPath to VaultTLSSpec
* Tests for extra field
diff --git a/api/v1beta1/rabbitmqcluster_types.go b/api/v1beta1/rabbitmqcluster_types.go
@@ -152,11 +152,17 @@ type VaultTLSSpec struct {
 	// Specifies the requested IP Subject Alternative Names, in a comma-delimited list.
 	// +optional
 	IpSans string `json:"ipSans,omitempty"`
+	// Specifies an optional path to retrieve the root CA from vault.  Useful if certificates are issued by an intermediate CA
+	// +optional
+	PKIRootPath string `json:"pkiRootPath,omitempty"`
 }
 
 func (spec *VaultSpec) TLSEnabled() bool {
 	return spec.TLS.PKIIssuerPath != ""
 }
+func (spec *VaultSpec) RootCAEnabled() bool {
+	return spec.TLS.PKIRootPath != ""
+}
 func (spec *VaultSpec) DefaultUserSecretEnabled() bool {
 	return spec.DefaultUserPath != ""
 }
diff --git a/api/v1beta1/rabbitmqcluster_types_test.go b/api/v1beta1/rabbitmqcluster_types_test.go
@@ -427,6 +427,31 @@ var _ = Describe("RabbitmqCluster", func() {
 					Expect(fetchedRabbit.VaultDefaultUserSecretEnabled()).To(BeFalse())
 					Expect(fetchedRabbit.Spec.SecretBackend.Vault.DefaultUserSecretEnabled()).To(BeFalse())
 					Expect(fetchedRabbit.VaultTLSEnabled()).To(BeTrue())
+					Expect(fetchedRabbit.Spec.SecretBackend.Vault.RootCAEnabled()).To(BeFalse())
+					Expect(fetchedRabbit.Spec.SecretBackend.Vault.TLSEnabled()).To(BeTrue())
+				})
+			})
+			When("only TLS is configured and root CA path is specified", func() {
+				It("sets vault configuration correctly", func() {
+					rabbit := generateRabbitmqClusterObject("rabbit-vault-tls-ca")
+					rabbit.Spec.SecretBackend.Vault = &VaultSpec{
+						Role: "test-role",
+						TLS: VaultTLSSpec{
+							PKIIssuerPath: "pki/issue/hashicorp-com",
+							PKIRootPath: "pki-root/certs/ca",
+						},
+					}
+					Expect(k8sClient.Create(context.Background(), rabbit)).To(Succeed())
+					fetchedRabbit := &RabbitmqCluster{}
+					Expect(k8sClient.Get(context.Background(), getKey(rabbit), fetchedRabbit)).To(Succeed())
+
+					Expect(fetchedRabbit.Spec.SecretBackend.Vault.Role).To(Equal("test-role"))
+					Expect(fetchedRabbit.Spec.SecretBackend.Vault.TLS.PKIRootPath).To(Equal("pki-root/certs/ca"))
+					Expect(fetchedRabbit.VaultEnabled()).To(BeTrue())
+					Expect(fetchedRabbit.VaultDefaultUserSecretEnabled()).To(BeFalse())
+					Expect(fetchedRabbit.Spec.SecretBackend.Vault.DefaultUserSecretEnabled()).To(BeFalse())
+					Expect(fetchedRabbit.VaultTLSEnabled()).To(BeTrue())
+					Expect(fetchedRabbit.Spec.SecretBackend.Vault.RootCAEnabled()).To(BeTrue())
 					Expect(fetchedRabbit.Spec.SecretBackend.Vault.TLSEnabled()).To(BeTrue())
 				})
 			})
diff --git a/internal/resource/statefulset.go b/internal/resource/statefulset.go
@@ -860,15 +860,15 @@ default_pass = {{ .Data.data.password }}
 		certDir := strings.TrimSuffix(tlsCertDir, "/")
 		vaultAnnotations["vault.hashicorp.com/secret-volume-path-"+tlsCertFilename] = certDir
 		vaultAnnotations["vault.hashicorp.com/agent-inject-secret-"+tlsCertFilename] = pathCert
-		vaultAnnotations["vault.hashicorp.com/agent-inject-template-"+tlsCertFilename] = generateVaultTLSTemplate(commonName, altNames, vault, "certificate")
+		vaultAnnotations["vault.hashicorp.com/agent-inject-template-"+tlsCertFilename] = generateVaultTLSCertificateTemplate(commonName, altNames, vault)
 
 		vaultAnnotations["vault.hashicorp.com/secret-volume-path-"+tlsKeyFilename] = certDir
 		vaultAnnotations["vault.hashicorp.com/agent-inject-secret-"+tlsKeyFilename] = pathCert
-		vaultAnnotations["vault.hashicorp.com/agent-inject-template-"+tlsKeyFilename] = generateVaultTLSTemplate(commonName, altNames, vault, "private_key")
+		vaultAnnotations["vault.hashicorp.com/agent-inject-template-"+tlsKeyFilename] = generateVaultTLSTemplate(commonName, altNames, vault.TLS.PKIIssuerPath, vault.TLS.IpSans, "private_key")
 
 		vaultAnnotations["vault.hashicorp.com/secret-volume-path-"+caCertFilename] = certDir
 		vaultAnnotations["vault.hashicorp.com/agent-inject-secret-"+caCertFilename] = pathCert
-		vaultAnnotations["vault.hashicorp.com/agent-inject-template-"+caCertFilename] = generateVaultTLSTemplate(commonName, altNames, vault, "issuing_ca")
+		vaultAnnotations["vault.hashicorp.com/agent-inject-template-"+caCertFilename] = generateVaultCATemplate(commonName, altNames, vault)
 	}
 
 	return metadata.ReconcileAnnotations(currentAnnotations, vaultAnnotations, vault.Annotations)
@@ -883,11 +883,37 @@ func podHostNames(instance *rabbitmqv1beta1.RabbitmqCluster) string {
 	return strings.TrimPrefix(altNames, ",")
 }
 
-func generateVaultTLSTemplate(commonName, altNames string, vault *rabbitmqv1beta1.VaultSpec, tlsAttribute string) string {
+func generateVaultTLSTemplate(commonName, altNames string, vaultPath string, ipSans string, tlsAttribute string) string {
 	return fmt.Sprintf(`
 {{- with secret "%s" "common_name=%s" "alt_names=%s" "ip_sans=%s" -}}
 {{ .Data.%s }}
-{{- end }}`, vault.TLS.PKIIssuerPath, commonName, altNames, vault.TLS.IpSans, tlsAttribute)
+{{- end }}`, vaultPath, commonName, altNames, ipSans, tlsAttribute)
+}
+
+func generateVaultCATemplate(commonName, altNames string, vault *rabbitmqv1beta1.VaultSpec) string {
+	if (vault.TLS.PKIRootPath == "") {
+		return generateVaultTLSTemplate(commonName, altNames, vault.TLS.PKIIssuerPath, vault.TLS.IpSans, "issuing_ca")
+	} else {
+		return fmt.Sprintf(`
+{{- with secret "%s" -}}
+{{ .Data.certificate }}
+{{- end }}`, vault.TLS.PKIRootPath)
+	}
+}
+
+func generateVaultTLSCertificateTemplate(commonName, altNames string, vault *rabbitmqv1beta1.VaultSpec) string {
+	return fmt.Sprintf(`
+{{- with secret "%s" "common_name=%s" "alt_names=%s" "ip_sans=%s" -}}
+{{ .Data.certificate }}
+{{- if .Data.ca_chain -}}
+{{- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -}}
+{{ range $index, $cacert := .Data.ca_chain }}
+{{ if (lt $index $lastintermediatecertindex) }}
+{{ $cacert }}
+{{ end }}
+{{ end }}
+{{- end -}}
+{{- end -}}`, vault.TLS.PKIIssuerPath, commonName, altNames, vault.TLS.IpSans)
 }
 
 func (builder *StatefulSetBuilder) updateContainerPorts() []corev1.ContainerPort {
diff --git a/internal/resource/statefulset_test.go b/internal/resource/statefulset_test.go
@@ -1100,7 +1100,15 @@ default_pass = {{ .Data.data.password }}
 						Expect(a).To(HaveKeyWithValue("vault.hashicorp.com/agent-inject-template-tls.crt", `
 {{- with secret "pki/issue/vmware-com" "common_name=myrabbit.foo-namespace.svc" "alt_names=myrabbit-server-0.myrabbit-nodes.foo-namespace" "ip_sans=" -}}
 {{ .Data.certificate }}
-{{- end }}`))
+{{- if .Data.ca_chain -}}
+{{- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -}}
+{{ range $index, $cacert := .Data.ca_chain }}
+{{ if (lt $index $lastintermediatecertindex) }}
+{{ $cacert }}
+{{ end }}
+{{ end }}
+{{- end -}}
+{{- end -}}`))
 						Expect(a).To(HaveKeyWithValue("vault.hashicorp.com/agent-inject-template-tls.key", `
 {{- with secret "pki/issue/vmware-com" "common_name=myrabbit.foo-namespace.svc" "alt_names=myrabbit-server-0.myrabbit-nodes.foo-namespace" "ip_sans=" -}}
 {{ .Data.private_key }}
@@ -1116,6 +1124,7 @@ default_pass = {{ .Data.data.password }}
 						instance.Spec.SecretBackend.Vault.TLS.CommonName = "myrabbit.com"
 						instance.Spec.SecretBackend.Vault.TLS.AltNames = "alt1,alt2"
 						instance.Spec.SecretBackend.Vault.TLS.IpSans = "9.9.9.9"
+						instance.Spec.SecretBackend.Vault.TLS.PKIRootPath = "pki-root/certs/ca"
 						Expect(stsBuilder.Update(statefulSet)).To(Succeed())
 					})
 
@@ -1124,14 +1133,22 @@ default_pass = {{ .Data.data.password }}
 						Expect(a).To(HaveKeyWithValue("vault.hashicorp.com/agent-inject-template-tls.crt", `
 {{- with secret "pki/issue/vmware-com" "common_name=myrabbit.com" "alt_names=myrabbit-server-0.myrabbit-nodes.foo-namespace,alt1,alt2" "ip_sans=9.9.9.9" -}}
 {{ .Data.certificate }}
-{{- end }}`))
+{{- if .Data.ca_chain -}}
+{{- $lastintermediatecertindex := len .Data.ca_chain | subtract 1 -}}
+{{ range $index, $cacert := .Data.ca_chain }}
+{{ if (lt $index $lastintermediatecertindex) }}
+{{ $cacert }}
+{{ end }}
+{{ end }}
+{{- end -}}
+{{- end -}}`))
 						Expect(a).To(HaveKeyWithValue("vault.hashicorp.com/agent-inject-template-tls.key", `
 {{- with secret "pki/issue/vmware-com" "common_name=myrabbit.com" "alt_names=myrabbit-server-0.myrabbit-nodes.foo-namespace,alt1,alt2" "ip_sans=9.9.9.9" -}}
 {{ .Data.private_key }}
 {{- end }}`))
 						Expect(a).To(HaveKeyWithValue("vault.hashicorp.com/agent-inject-template-ca.crt", `
-{{- with secret "pki/issue/vmware-com" "common_name=myrabbit.com" "alt_names=myrabbit-server-0.myrabbit-nodes.foo-namespace,alt1,alt2" "ip_sans=9.9.9.9" -}}
-{{ .Data.issuing_ca }}
+{{- with secret "pki-root/certs/ca" -}}
+{{ .Data.certificate }}
 {{- end }}`))
 					})
 				})

Original file line number	Diff line number	Diff line change
`@@ -152,11 +152,17 @@ type VaultTLSSpec struct {`
`152`	`152`	`// Specifies the requested IP Subject Alternative Names, in a comma-delimited list.`
`153`	`153`	`// +optional`
`154`	`154`	IpSans string `json:"ipSans,omitempty"`
	`155`	`+ // Specifies an optional path to retrieve the root CA from vault. Useful if certificates are issued by an intermediate CA`
	`156`	`+ // +optional`
	`157`	+ PKIRootPath string `json:"pkiRootPath,omitempty"`
`155`	`158`	`}`
`156`	`159`
`157`	`160`	`func (spec *VaultSpec) TLSEnabled() bool {`
`158`	`161`	`return spec.TLS.PKIIssuerPath != ""`
`159`	`162`	`}`
	`163`	`+func (spec *VaultSpec) RootCAEnabled() bool {`
	`164`	`+ return spec.TLS.PKIRootPath != ""`
	`165`	`+}`
`160`	`166`	`func (spec *VaultSpec) DefaultUserSecretEnabled() bool {`
`161`	`167`	`return spec.DefaultUserPath != ""`
`162`	`168`	`}`