Vault update is added

kube-tarian · May 3, 2024 · 51a5fac · 51a5fac
1 parent 9a82e89
commit 51a5fac
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 35 deletions.
diff --git a/capten/agent/internal/app/ca_cert_issuer.go b/capten/agent/internal/app/ca_cert_issuer.go
@@ -10,6 +10,7 @@ import (
 	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	cmclient "github.com/cert-manager/cert-manager/pkg/client/clientset/versioned"
 	"github.com/kube-tarian/kad/capten/common-pkg/cert"
+	"github.com/kube-tarian/kad/capten/common-pkg/credential"
 	"github.com/kube-tarian/kad/capten/common-pkg/k8s"
 	"github.com/pkg/errors"
 	k8serror "k8s.io/apimachinery/pkg/api/errors"
@@ -31,7 +32,7 @@ func setupCACertIssuser(clusterIssuerName string) error {
 		return err
 	}
 
-	_, err = setupCertificateIssuer(k8sclient, clusterIssuerName)
+	err = setupCertificateIssuer(k8sclient, clusterIssuerName)
 	if err != nil {
 		log.Errorf("Setup Certificates Issuer failed, %v", err)
 		return err
@@ -49,29 +50,20 @@ func setupCACertIssuser(clusterIssuerName string) error {
 }
 
 // Setup agent certificate issuer
-func setupCertificateIssuer(k8sclient *k8s.K8SClient, clusterIssuerName string) (*cert.CertificatesData, error) {
-	// TODO: Check certificates exist in Vault and control plan cluster
-	// If exist skip
-	// Else
-	// 1. generate root certificates
-	// 2. Create Certificate Issuer
-	// 3. Store in Vault
-	certsData, err := cert.GenerateRootCerts()
+func setupCertificateIssuer(k8sclient *k8s.K8SClient, clusterIssuerName string) error {
+	// Create Agent Cluster Issuer
+	certsData, err := k8s.CreateOrUpdateClusterIssuer(clusterIssuerName, k8sclient, false)
 	if err != nil {
-		return nil, err
+		return fmt.Errorf("failed to create/update CA Issuer %s in cert-manager: %v", clusterIssuerName, err)
 	}
 
-	err = k8s.CreateOrUpdateClusterCAIssuerSecret(k8sclient, certsData.RootCert.CertData, certsData.RootKey.KeyData, certsData.CaChainCertData)
+	// Update Vault
+	err = credential.PutClusterCerts(context.TODO(), "kad-agent", "kad-agent", string(certsData.CaChainCertData), string(certsData.RootKey.KeyData), string(certsData.RootCert.CertData))
 	if err != nil {
-		return nil, fmt.Errorf("failed to create/update CA Issuer Secret: %v", err)
+		log.Errorf("Failed to write to vault, %v", err)
+		log.Infof("Continued to start the agent as these certs from vault are not used...")
 	}
-
-	err = k8s.CreateOrUpdateClusterIssuer(clusterIssuerName)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create/update CA Issuer %s in cert-manager: %v", clusterIssuerName, err)
-	}
-
-	return certsData, nil
+	return nil
 }
 
 func generateServerCertificates(k8sClient *k8s.K8SClient, clusterIssuerName string) error {

diff --git a/capten/common-pkg/k8s/cert_issuer.go b/capten/common-pkg/k8s/cert_issuer.go
@@ -2,6 +2,7 @@ package k8s
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/intelops/go-common/logging"
 	"github.com/kube-tarian/kad/capten/common-pkg/cert"
@@ -17,15 +18,20 @@ import (
 
 var log = logging.NewLogger()
 
-func CreateOrUpdateClusterIssuer(clusterCAIssuer string) error {
+func CreateOrUpdateClusterIssuer(clusterCAIssuer string, k8sclient *K8SClient, forceUpdate bool) (*cert.CertificatesData, error) {
 	config, err := rest.InClusterConfig()
 	if err != nil {
-		return errors.WithMessage(err, "error while building kubeconfig")
+		return nil, errors.WithMessage(err, "error while building kubeconfig")
 	}
 
 	cmClient, err := cmclient.NewForConfig(config)
 	if err != nil {
-		return err
+		return nil, err
+	}
+
+	certsData, err := cert.GenerateRootCerts()
+	if err != nil {
+		return nil, err
 	}
 
 	issuer := &certmanagerv1.ClusterIssuer{
@@ -42,23 +48,48 @@ func CreateOrUpdateClusterIssuer(clusterCAIssuer string) error {
 	}
 
 	serverIssuer, err := cmClient.CertmanagerV1().ClusterIssuers().Get(context.Background(), issuer.Name, metav1.GetOptions{})
-	if err != nil && k8serrors.IsNotFound(err) {
-		result, err := cmClient.CertmanagerV1().ClusterIssuers().Create(context.Background(), issuer, metav1.CreateOptions{})
-		if err != nil {
-			return errors.WithMessage(err, "error in creating cert issuer")
+	if err != nil {
+		if k8serrors.IsNotFound(err) {
+			err = CreateOrUpdateClusterCAIssuerSecret(k8sclient, certsData.RootCert.CertData, certsData.RootKey.KeyData, certsData.CaChainCertData)
+			if err != nil {
+				return nil, fmt.Errorf("failed to create/update CA Issuer Secret: %v", err)
+			}
+
+			result, err := cmClient.CertmanagerV1().ClusterIssuers().Create(context.Background(), issuer, metav1.CreateOptions{})
+			if err != nil {
+				return nil, errors.WithMessage(err, "error in creating cert issuer")
+			}
+			log.Debugf("ClusterIssuer %s created successfully", result.Name)
+			return certsData, nil
+		} else if k8serrors.IsAlreadyExists(err) {
+			secret, err := k8sclient.GetSecretObject(cert.CertManagerNamespace, cert.ClusterCACertSecretName)
+			if err != nil {
+				log.Errorf("Failed to read secert %s, %v", cert.ClusterCACertSecretName, err)
+				return nil, err
+			}
+			certsData.CaChainCertData = secret.Data["ca.crt"]
+			certsData.RootCert.CertData = secret.Data[corev1.TLSCertKey]
+			certsData.RootKey.KeyData = secret.Data[corev1.TLSPrivateKeyKey]
+			return certsData, nil
 		}
-		log.Debugf("ClusterIssuer %s created successfully", result.Name)
-		return nil
+		return nil, err
 	}
 
-	serverIssuer.Spec.IssuerConfig.CA.SecretName = cert.ClusterCACertSecretName
-	issuerClient := cmClient.CertmanagerV1().ClusterIssuers()
-	result, err := issuerClient.Update(context.TODO(), serverIssuer, metav1.UpdateOptions{})
-	if err != nil {
-		return errors.WithMessage(err, "error while updating cluster issuer")
+	if forceUpdate {
+		err = CreateOrUpdateClusterCAIssuerSecret(k8sclient, certsData.RootCert.CertData, certsData.RootKey.KeyData, certsData.CaChainCertData)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create/update CA Issuer Secret: %v", err)
+		}
+
+		serverIssuer.Spec.IssuerConfig.CA.SecretName = cert.ClusterCACertSecretName
+		issuerClient := cmClient.CertmanagerV1().ClusterIssuers()
+		_, err := issuerClient.Update(context.TODO(), serverIssuer, metav1.UpdateOptions{})
+		if err != nil {
+			return nil, errors.WithMessage(err, "error while updating cluster issuer")
+		}
 	}
-	log.Debugf("ClusterIssuer %s updated successfully", result.Name)
-	return nil
+	log.Debugf("ClusterIssuer %s updated successfully", issuer.Name)
+	return certsData, nil
 }
 
 func CreateOrUpdateClusterCAIssuerSecret(k8sClient *K8SClient, caCertData, caKeyData, caCertChainData []byte) error {

diff --git a/capten/common-pkg/k8s/client.go b/capten/common-pkg/k8s/client.go
@@ -172,6 +172,10 @@ func (k *K8SClient) GetSecretData(namespace, secretName string) (*SecretData, er
 	}, nil
 }
 
+func (k *K8SClient) GetSecretObject(namespace, secretName string) (*v1.Secret, error) {
+	return k.Clientset.CoreV1().Secrets(namespace).Get(context.TODO(), secretName, metav1.GetOptions{})
+}
+
 func (k *K8SClient) CreateOrUpdateSecret(
 	ctx context.Context,
 	namespace, secretName string,