From 94130a41407503fe11da6c4cdfadce24caf01349 Mon Sep 17 00:00:00 2001
From: Ben Ash
Date: Wed, 10 Jul 2024 16:03:36 +0000
Subject: [PATCH] VPS: add ca.crt from issuing CA for tls secret type

---
 controllers/vaultpkisecret_controller.go | 41 +++++++++---
 controllers/vaultpkisecret_controller_test.go | 64 +++++++++++++++++++
 .../vaultpkisecret/terraform/deployment.tf | 5 +-
 3 files changed, 98 insertions(+), 12 deletions(-)

diff --git a/controllers/vaultpkisecret_controller.go b/controllers/vaultpkisecret_controller.go
index de0b90a72..250db1e14 100644
--- a/controllers/vaultpkisecret_controller.go
+++ b/controllers/vaultpkisecret_controller.go
@@ -4,10 +4,12 @@ package controllers
 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"maps"
 	"strings"
 	"time"
@@ -244,16 +246,7 @@ func (r *VaultPKISecretReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	}
 	// If using data transformation (templates), avoid generating tls.key and tls.crt.
 	if o.Spec.Destination.Type == corev1.SecretTypeTLS && len(transOption.KeyedTemplates) == 0 {
-		data[corev1.TLSCertKey] = data["certificate"]
-		// the ca_chain includes the issuing ca
-		if len(data["ca_chain"]) > 0 {
-			data[corev1.TLSCertKey] = append(data[corev1.TLSCertKey], []byte("\n")...)
-			data[corev1.TLSCertKey] = append(data[corev1.TLSCertKey], []byte(data["ca_chain"])...)
-		} else if len(data["issuing_ca"]) > 0 {
-			data[corev1.TLSCertKey] = append(data[corev1.TLSCertKey], []byte("\n")...)
-			data[corev1.TLSCertKey] = append(data[corev1.TLSCertKey], data["issuing_ca"]...)
-		}
-		data[corev1.TLSPrivateKeyKey] = data["private_key"]
+		data = convertToK8sTLSSecretData(data)
 	}
 	if b, err := json.Marshal(data); err == nil {
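Review bot: The context comment directly above the new call, `// If using data transformation (templates), avoid generating tls.key and tls.crt.`, no longer describes what the branch produces, since convertToK8sTLSSecretData can also write `ca.crt` when only `issuing_ca` is present in the Vault response. Suggest `// If using data transformation (templates), avoid generating tls.key, tls.crt and ca.crt.` so the guard's effect on the secret's key set is stated in one place. Note also that `data` is now rebound to the helper's cloned map instead of being mutated in place, so any earlier code in Reconcile that kept a reference to the original map (not visible in this hunk) would not observe the TLS keys. Reconcile begins and ends outside this hunk.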
@@ -494,3 +487,31 @@ func computePKIRenewalWindow(ctx context.Context, o *secretsv1beta1.VaultPKISecr
 	return horizon, inWindow
 }
+
+func convertToK8sTLSSecretData(data map[string][]byte) map[string][]byte {
+	ret := maps.Clone(data)
+	if v, ok := ret["certificate"]; ok {
+		ret[corev1.TLSCertKey] = v
+	}
+
+	if v, ok := ret["private_key"]; ok {
+		ret[corev1.TLSPrivateKeyKey] = v
+	}
+
+	// the ca_chain includes the issuing ca
+	var caData []byte
+	if v, ok := data["ca_chain"]; ok && len(v) > 0 {
+		caData = v
+	} else if v, ok := data["issuing_ca"]; ok && len(v) > 0 {
+		ret[corev1.ServiceAccountRootCAKey] = v
+		caData = v
+	}
+
+	if len(caData) > 0 {
+		if _, ok := ret[corev1.TLSCertKey]; ok {
+			ret[corev1.TLSCertKey] = bytes.Join([][]byte{ret[corev1.TLSCertKey], caData}, []byte("\n"))
+		}
+	}
+
+	return ret
+}
diff --git a/controllers/vaultpkisecret_controller_test.go b/controllers/vaultpkisecret_controller_test.go
index a2c2e171f..acfe4026f 100644
--- a/controllers/vaultpkisecret_controller_test.go
+++ b/controllers/vaultpkisecret_controller_test.go
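Review bot: `ca.crt` is written only inside the `else if` on `issuing_ca`, so whenever the response carries a non-empty `ca_chain` (which the comment says already contains the issuing CA) the secret gets no `ca.crt` at all, even when `issuing_ca` is also present in `data` — consumers that read `ca.crt` from a `kubernetes.io/tls` secret to verify peers would find nothing, and the subject line's promise holds only for issuers that return no chain. Unless that omission is intentional, set the CA key independently of which source is appended to `tls.crt`: `if v, ok := data["issuing_ca"]; ok && len(v) > 0 { ret[corev1.ServiceAccountRootCAKey] = v }` placed before the chain selection, with the assignment removed from the `else if`. Two smaller points: the function reads `ret["certificate"]` but `data["ca_chain"]`, which is only correct because `ret` is a clone of `data`, so pick one map for all reads; and `corev1.ServiceAccountRootCAKey` reads as a service-account constant in a TLS helper, so either a local `const tlsCAKey = "ca.crt"` or a comment noting its value is `"ca.crt"` would avoid confusion. A doc comment stating that the function returns a copy without mutating `data`, and that `tls.crt` becomes the leaf followed by the chain (or issuing CA) joined by a newline, would also help the next reader.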
@@ -177,3 +177,67 @@ func Test_computePKIRenewalWindow(t *testing.T) {
 		})
 	}
 }
+
+func Test_convertToK8sTLSSecretData(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name string
+		data map[string][]byte
+		want map[string][]byte
+	}{
+		{
+			name: "empty",
+			data: map[string][]byte{},
+			want: map[string][]byte{},
+		},
+		{
+			name: "without-ca",
+			data: map[string][]byte{
+				"private_key": []byte("v_private_key"),
+				"certificate": []byte("v_certificate"),
+			},
+			want: map[string][]byte{
+				"private_key": []byte("v_private_key"),
+				"certificate": []byte("v_certificate"),
+				"tls.key": []byte("v_private_key"),
+				"tls.crt": []byte("v_certificate"),
+			},
+		},
+		{
+			name: "with-ca-chain",
+			data: map[string][]byte{
+				"private_key": []byte("v_private_key"),
+				"certificate": []byte("v_certificate"),
+				"ca_chain": []byte("v_ca_chain"),
+			},
+			want: map[string][]byte{
+				"private_key": []byte("v_private_key"),
+				"certificate": []byte("v_certificate"),
+				"ca_chain": []byte("v_ca_chain"),
+				"tls.key": []byte("v_private_key"),
+				"tls.crt": []byte("v_certificate\nv_ca_chain"),
+			},
+		},
+		{
+			name: "with-issuing-ca",
+			data: map[string][]byte{
+				"private_key": []byte("v_private_key"), "certificate": []byte("v_certificate"),
+				"issuing_ca": []byte("v_issuing_ca"),
+			},
+			want: map[string][]byte{
+				"private_key": []byte("v_private_key"),
+				"certificate": []byte("v_certificate"),
+				"issuing_ca": []byte("v_issuing_ca"),
+				"tls.key": []byte("v_private_key"),
+				"tls.crt": []byte("v_certificate\nv_issuing_ca"),
+				"ca.crt": []byte("v_issuing_ca"),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, convertToK8sTLSSecretData(tt.data), "convertToK8sTLSSecretData(%v)", tt.data)
+		})
+	}
+}
diff --git a/test/integration/vaultpkisecret/terraform/deployment.tf b/test/integration/vaultpkisecret/terraform/deployment.tf
index b615db4cd..3f717f548 100644
--- a/test/integration/vaultpkisecret/terraform/deployment.tf
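Review bot: The table has no case where `data` carries both `ca_chain` and `issuing_ca`, which is the input shape that decides whether `ca.crt` is populated when a chain is present; the `with-ca-chain` case omits `issuing_ca` and so never exercises that interaction. Add a `with-ca-chain-and-issuing-ca` entry and spell out the expected `ca.crt` (absent, under the helper as committed) so the contract is pinned explicitly rather than left implied by the `else if`. The `with-issuing-ca` case also packs `"private_key"` and `"certificate"` onto one line unlike every other case; splitting them keeps the table consistent and diff-friendly.
```go
// … unchanged: earlier cases …
{
	name: "with-ca-chain-and-issuing-ca",
	data: map[string][]byte{
		"private_key": []byte("v_private_key"),
		"certificate": []byte("v_certificate"),
		"ca_chain":    []byte("v_ca_chain"),
		"issuing_ca":  []byte("v_issuing_ca"),
	},
	// pins the helper as committed: ca_chain is appended to tls.crt and no ca.crt is written;
	// update this expectation if ca.crt is meant to come from issuing_ca in this case
	want: map[string][]byte{
		"private_key": []byte("v_private_key"),
		"certificate": []byte("v_certificate"),
		"ca_chain":    []byte("v_ca_chain"),
		"issuing_ca":  []byte("v_issuing_ca"),
		"tls.key":     []byte("v_private_key"),
		"tls.crt":     []byte("v_certificate\nv_ca_chain"),
	},
},
// … unchanged: loop over tests …
```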
+++ b/test/integration/vaultpkisecret/terraform/deployment.tf
@@ -41,8 +41,9 @@ resource "kubernetes_deployment" "vso" {
       }
     }
     container {
-      image = "nginx:latest"
-      name = "example"
+      image = "nginx:latest"
+      name = "example"
+      image_pull_policy = "IfNotPresent"
       volume_mount {
         name = "secrets"