mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:21:37 +00:00
shankar0123
5567d4b411
Implement both M47 connectors with full cross-layer wiring: Kubernetes Secrets target: DNS-1123 validation, kubernetes.io/tls Secret create-or-update, chain concatenation, serial number validation, Helm RBAC gating. 18 tests. AWS ACM Private CA issuer: synchronous issuance (like Vault), ARN regex validation, RFC 5280 revocation reason mapping, CA cert retrieval, factory + env var seeding. 23 tests. Cross-cutting: domain types, service validation, config, factory, agent dispatch, frontend (TargetsPage, issuerTypes), OpenAPI, seed data, Helm chart, connectors docs, README. Testing docs (testing-guide, qa-test-guide, qa_test.go) with Parts thematically integrated near related connectors. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
421 lines
15 KiB
Go
421 lines
15 KiB
Go
// Package k8ssecret implements a target.Connector for deploying certificates to Kubernetes Secrets.
|
|
// This enables the "proxy agent" pattern — a certctl agent running in a Kubernetes cluster
|
|
// (or outside with kubeconfig access) can deploy certificates as kubernetes.io/tls Secrets.
|
|
// The connector is generic and doesn't depend on k8s.io packages — the K8sClient interface
|
|
// abstracts all Kubernetes operations for maximum testability.
|
|
package k8ssecret
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"log/slog"
|
|
"regexp"
|
|
"time"
|
|
|
|
"github.com/shankar0123/certctl/internal/connector/target"
|
|
"github.com/shankar0123/certctl/internal/connector/target/certutil"
|
|
)
|
|
|
|
// Config represents the Kubernetes Secrets deployment target configuration.
|
|
// Supports in-cluster auth by default (ServiceAccount token auto-mounted) or
|
|
// out-of-cluster auth via kubeconfig file.
|
|
type Config struct {
|
|
Namespace string `json:"namespace"` // Required. Kubernetes namespace.
|
|
SecretName string `json:"secret_name"` // Required. Name of the kubernetes.io/tls Secret.
|
|
Labels map[string]string `json:"labels,omitempty"` // Optional. Additional labels to add to the Secret.
|
|
KubeconfigPath string `json:"kubeconfig_path,omitempty"` // Optional. Path to kubeconfig for out-of-cluster auth.
|
|
}
|
|
|
|
// SecretData represents the structure of a Kubernetes Secret.
|
|
type SecretData struct {
|
|
Name string
|
|
Namespace string
|
|
Type string // Always "kubernetes.io/tls"
|
|
Data map[string][]byte // "tls.crt" and "tls.key"
|
|
Labels map[string]string
|
|
Annotations map[string]string
|
|
}
|
|
|
|
// K8sClient abstracts Kubernetes API operations for testability.
|
|
// The real implementation will use k8s.io/client-go; tests inject a mock.
|
|
type K8sClient interface {
|
|
// GetSecret retrieves a Secret from the given namespace.
|
|
// Returns an error if the Secret doesn't exist.
|
|
GetSecret(ctx context.Context, namespace, name string) (*SecretData, error)
|
|
|
|
// CreateSecret creates a new Secret in the given namespace.
|
|
CreateSecret(ctx context.Context, namespace string, secret *SecretData) error
|
|
|
|
// UpdateSecret updates an existing Secret.
|
|
UpdateSecret(ctx context.Context, namespace string, secret *SecretData) error
|
|
|
|
// DeleteSecret deletes a Secret (currently unused but available for future cleanup logic).
|
|
DeleteSecret(ctx context.Context, namespace, name string) error
|
|
}
|
|
|
|
// Connector implements the target.Connector interface for Kubernetes Secrets.
|
|
// This connector runs on the AGENT side and handles Secret deployment via the Kubernetes API.
|
|
type Connector struct {
|
|
config *Config
|
|
client K8sClient
|
|
logger *slog.Logger
|
|
}
|
|
|
|
// Validation regex patterns
|
|
var (
|
|
// namespaceRegex validates Kubernetes namespace names per DNS-1123 (RFC 1123).
|
|
// Namespace must start and end with alphanumeric, contain only lowercase alphanumeric and hyphens, max 63 chars.
|
|
namespaceRegex = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$`)
|
|
|
|
// secretNameRegex validates Kubernetes Secret names per DNS-1123 subdomain.
|
|
// Name must start and end with alphanumeric, contain only lowercase alphanumeric, hyphens, and dots, max 253 chars.
|
|
secretNameRegex = regexp.MustCompile(`^[a-z0-9]([a-z0-9\-\.]*[a-z0-9])?$`)
|
|
|
|
// labelKeyRegex validates Kubernetes label key format.
|
|
// Optional prefix (domain), required name (alphanumeric, hyphens, underscores, dots).
|
|
labelKeyRegex = regexp.MustCompile(`^([a-zA-Z0-9\-_\.]+/)?[a-zA-Z0-9\-_\.]+$`)
|
|
)
|
|
|
|
// New creates a new Kubernetes Secrets target connector.
|
|
// For now, returns a stub error since we're not pulling in k8s.io dependencies.
|
|
// The real implementation will use k8s.io/client-go to create a real K8s client.
|
|
func New(cfg *Config, logger *slog.Logger) (*Connector, error) {
|
|
if cfg == nil {
|
|
return nil, fmt.Errorf("Kubernetes config is required")
|
|
}
|
|
|
|
// Stub real K8s client — the actual implementation will use k8s.io/client-go
|
|
// For now, return error to guide users to use the agent with proper kubeconfig
|
|
client := &realK8sClient{
|
|
config: cfg,
|
|
logger: logger,
|
|
}
|
|
|
|
return &Connector{
|
|
config: cfg,
|
|
client: client,
|
|
logger: logger,
|
|
}, nil
|
|
}
|
|
|
|
// NewWithClient creates a new Kubernetes Secrets target connector with an injectable K8s client.
|
|
// Used in tests to mock Kubernetes API operations.
|
|
func NewWithClient(cfg *Config, client K8sClient, logger *slog.Logger) *Connector {
|
|
return &Connector{
|
|
config: cfg,
|
|
client: client,
|
|
logger: logger,
|
|
}
|
|
}
|
|
|
|
// ValidateConfig validates the Kubernetes Secrets deployment target configuration.
|
|
func (c *Connector) ValidateConfig(ctx context.Context, rawConfig json.RawMessage) error {
|
|
var cfg Config
|
|
if err := json.Unmarshal(rawConfig, &cfg); err != nil {
|
|
return fmt.Errorf("invalid Kubernetes config: %w", err)
|
|
}
|
|
|
|
// Required fields
|
|
if cfg.Namespace == "" {
|
|
return fmt.Errorf("Kubernetes namespace is required")
|
|
}
|
|
if cfg.SecretName == "" {
|
|
return fmt.Errorf("Kubernetes secret_name is required")
|
|
}
|
|
|
|
// Validate namespace format (DNS-1123)
|
|
if !namespaceRegex.MatchString(cfg.Namespace) || len(cfg.Namespace) > 63 {
|
|
return fmt.Errorf("Kubernetes namespace must match DNS-1123 pattern and be max 63 characters, got %q", cfg.Namespace)
|
|
}
|
|
|
|
// Validate secret name format (DNS-1123 subdomain)
|
|
if !secretNameRegex.MatchString(cfg.SecretName) || len(cfg.SecretName) > 253 {
|
|
return fmt.Errorf("Kubernetes secret name must match DNS-1123 subdomain pattern and be max 253 characters, got %q", cfg.SecretName)
|
|
}
|
|
|
|
// Validate labels if present
|
|
for key := range cfg.Labels {
|
|
if !labelKeyRegex.MatchString(key) {
|
|
return fmt.Errorf("Kubernetes label key contains invalid characters: %q", key)
|
|
}
|
|
}
|
|
|
|
c.config = &cfg
|
|
c.logger.Info("Kubernetes Secrets configuration validated",
|
|
"namespace", cfg.Namespace,
|
|
"secret_name", cfg.SecretName)
|
|
|
|
return nil
|
|
}
|
|
|
|
// DeployCertificate deploys a certificate to a Kubernetes Secret.
|
|
//
|
|
// Steps:
|
|
// 1. Build tls.crt (cert PEM + chain PEM)
|
|
// 2. Require KeyPEM (private key)
|
|
// 3. Try to get existing Secret — if found, update it; if not found, create it
|
|
// 4. Set Secret type to kubernetes.io/tls with standard and custom labels
|
|
// 5. Add deployment metadata annotations
|
|
func (c *Connector) DeployCertificate(ctx context.Context, request target.DeploymentRequest) (*target.DeploymentResult, error) {
|
|
if request.CertPEM == "" {
|
|
return &target.DeploymentResult{
|
|
Success: false,
|
|
Message: "certificate PEM is required",
|
|
DeployedAt: time.Now(),
|
|
}, fmt.Errorf("certificate PEM is required")
|
|
}
|
|
|
|
if request.KeyPEM == "" {
|
|
return &target.DeploymentResult{
|
|
Success: false,
|
|
Message: "private key PEM is required",
|
|
DeployedAt: time.Now(),
|
|
}, fmt.Errorf("private key PEM is required")
|
|
}
|
|
|
|
c.logger.Info("deploying certificate to Kubernetes Secret",
|
|
"namespace", c.config.Namespace,
|
|
"secret_name", c.config.SecretName)
|
|
|
|
startTime := time.Now()
|
|
|
|
// Build tls.crt = cert + chain (standard kubernetes.io/tls format)
|
|
tlsCrt := request.CertPEM
|
|
if request.ChainPEM != "" {
|
|
tlsCrt += "\n" + request.ChainPEM
|
|
}
|
|
|
|
// Build Secret data
|
|
secretData := &SecretData{
|
|
Name: c.config.SecretName,
|
|
Namespace: c.config.Namespace,
|
|
Type: "kubernetes.io/tls",
|
|
Data: map[string][]byte{
|
|
"tls.crt": []byte(tlsCrt),
|
|
"tls.key": []byte(request.KeyPEM),
|
|
},
|
|
Labels: map[string]string{
|
|
"app.kubernetes.io/managed-by": "certctl",
|
|
},
|
|
Annotations: map[string]string{
|
|
"certctl.io/deployed-at": startTime.Format(time.RFC3339),
|
|
},
|
|
}
|
|
|
|
// Add custom labels
|
|
if c.config.Labels != nil {
|
|
for k, v := range c.config.Labels {
|
|
secretData.Labels[k] = v
|
|
}
|
|
}
|
|
|
|
// Add certificate ID to annotations if available
|
|
if certID, ok := request.Metadata["certificate_id"]; ok {
|
|
secretData.Annotations["certctl.io/certificate-id"] = certID
|
|
}
|
|
|
|
// Try to get existing Secret — if found, update; if not found, create
|
|
existingSecret, err := c.client.GetSecret(ctx, c.config.Namespace, c.config.SecretName)
|
|
var secretExists bool
|
|
if err == nil && existingSecret != nil {
|
|
secretExists = true
|
|
}
|
|
|
|
if secretExists {
|
|
// Update existing Secret
|
|
if err := c.client.UpdateSecret(ctx, c.config.Namespace, secretData); err != nil {
|
|
errMsg := fmt.Sprintf("failed to update Kubernetes Secret: %v", err)
|
|
c.logger.Error("Secret update failed", "error", err)
|
|
return &target.DeploymentResult{
|
|
Success: false,
|
|
TargetAddress: fmt.Sprintf("%s/%s", c.config.Namespace, c.config.SecretName),
|
|
Message: errMsg,
|
|
DeployedAt: time.Now(),
|
|
}, fmt.Errorf("%s", errMsg)
|
|
}
|
|
c.logger.Info("Kubernetes Secret updated",
|
|
"namespace", c.config.Namespace,
|
|
"secret_name", c.config.SecretName)
|
|
} else {
|
|
// Create new Secret
|
|
if err := c.client.CreateSecret(ctx, c.config.Namespace, secretData); err != nil {
|
|
errMsg := fmt.Sprintf("failed to create Kubernetes Secret: %v", err)
|
|
c.logger.Error("Secret creation failed", "error", err)
|
|
return &target.DeploymentResult{
|
|
Success: false,
|
|
TargetAddress: fmt.Sprintf("%s/%s", c.config.Namespace, c.config.SecretName),
|
|
Message: errMsg,
|
|
DeployedAt: time.Now(),
|
|
}, fmt.Errorf("%s", errMsg)
|
|
}
|
|
c.logger.Info("Kubernetes Secret created",
|
|
"namespace", c.config.Namespace,
|
|
"secret_name", c.config.SecretName)
|
|
}
|
|
|
|
deploymentDuration := time.Since(startTime)
|
|
|
|
return &target.DeploymentResult{
|
|
Success: true,
|
|
TargetAddress: fmt.Sprintf("%s/%s", c.config.Namespace, c.config.SecretName),
|
|
DeploymentID: fmt.Sprintf("k8s-secret-%d", time.Now().Unix()),
|
|
Message: fmt.Sprintf("Certificate deployed to Kubernetes Secret %s/%s", c.config.Namespace, c.config.SecretName),
|
|
DeployedAt: time.Now(),
|
|
Metadata: map[string]string{
|
|
"namespace": c.config.Namespace,
|
|
"secret_name": c.config.SecretName,
|
|
"duration_ms": fmt.Sprintf("%d", deploymentDuration.Milliseconds()),
|
|
},
|
|
}, nil
|
|
}
|
|
|
|
// ValidateDeployment verifies that the deployed certificate Secret is valid and accessible.
|
|
//
|
|
// Steps:
|
|
// 1. Get the Secret from the cluster
|
|
// 2. Verify tls.crt is present and non-empty
|
|
// 3. Verify tls.key is present and non-empty
|
|
// 4. Parse the certificate and extract serial number
|
|
// 5. Compare with request serial number
|
|
func (c *Connector) ValidateDeployment(ctx context.Context, request target.ValidationRequest) (*target.ValidationResult, error) {
|
|
c.logger.Info("validating Kubernetes Secret deployment",
|
|
"certificate_id", request.CertificateID,
|
|
"serial", request.Serial,
|
|
"namespace", c.config.Namespace,
|
|
"secret_name", c.config.SecretName)
|
|
|
|
startTime := time.Now()
|
|
targetAddr := fmt.Sprintf("%s/%s", c.config.Namespace, c.config.SecretName)
|
|
|
|
// Get the Secret from the cluster
|
|
secretData, err := c.client.GetSecret(ctx, c.config.Namespace, c.config.SecretName)
|
|
if err != nil {
|
|
errMsg := fmt.Sprintf("failed to get Kubernetes Secret: %v", err)
|
|
c.logger.Error("validation failed", "error", err)
|
|
return &target.ValidationResult{
|
|
Valid: false,
|
|
Serial: request.Serial,
|
|
TargetAddress: targetAddr,
|
|
Message: errMsg,
|
|
ValidatedAt: time.Now(),
|
|
}, fmt.Errorf("%s", errMsg)
|
|
}
|
|
|
|
if secretData == nil {
|
|
errMsg := "Kubernetes Secret not found"
|
|
c.logger.Error("validation failed", "error", errMsg)
|
|
return &target.ValidationResult{
|
|
Valid: false,
|
|
Serial: request.Serial,
|
|
TargetAddress: targetAddr,
|
|
Message: errMsg,
|
|
ValidatedAt: time.Now(),
|
|
}, fmt.Errorf("%s", errMsg)
|
|
}
|
|
|
|
// Verify tls.crt exists and is non-empty
|
|
tlsCrt, ok := secretData.Data["tls.crt"]
|
|
if !ok || len(tlsCrt) == 0 {
|
|
errMsg := "Secret tls.crt not found or empty"
|
|
c.logger.Error("validation failed", "error", errMsg)
|
|
return &target.ValidationResult{
|
|
Valid: false,
|
|
Serial: request.Serial,
|
|
TargetAddress: targetAddr,
|
|
Message: errMsg,
|
|
ValidatedAt: time.Now(),
|
|
}, fmt.Errorf("%s", errMsg)
|
|
}
|
|
|
|
// Verify tls.key exists and is non-empty
|
|
tlsKey, ok := secretData.Data["tls.key"]
|
|
if !ok || len(tlsKey) == 0 {
|
|
errMsg := "Secret tls.key not found or empty"
|
|
c.logger.Error("validation failed", "error", errMsg)
|
|
return &target.ValidationResult{
|
|
Valid: false,
|
|
Serial: request.Serial,
|
|
TargetAddress: targetAddr,
|
|
Message: errMsg,
|
|
ValidatedAt: time.Now(),
|
|
}, fmt.Errorf("%s", errMsg)
|
|
}
|
|
|
|
// Parse the certificate and extract serial
|
|
cert, err := certutil.ParseCertificatePEM(string(tlsCrt))
|
|
if err != nil {
|
|
errMsg := fmt.Sprintf("failed to parse certificate in Secret: %v", err)
|
|
c.logger.Error("validation failed", "error", err)
|
|
return &target.ValidationResult{
|
|
Valid: false,
|
|
Serial: request.Serial,
|
|
TargetAddress: targetAddr,
|
|
Message: errMsg,
|
|
ValidatedAt: time.Now(),
|
|
}, fmt.Errorf("%s", errMsg)
|
|
}
|
|
|
|
// Get certificate serial number as hex string
|
|
deployedSerial := cert.SerialNumber.Text(16)
|
|
|
|
// Compare serials
|
|
if deployedSerial != request.Serial {
|
|
errMsg := fmt.Sprintf("serial mismatch: expected %s, got %s", request.Serial, deployedSerial)
|
|
c.logger.Error("validation failed", "error", errMsg)
|
|
return &target.ValidationResult{
|
|
Valid: false,
|
|
Serial: request.Serial,
|
|
TargetAddress: targetAddr,
|
|
Message: errMsg,
|
|
ValidatedAt: time.Now(),
|
|
}, fmt.Errorf("%s", errMsg)
|
|
}
|
|
|
|
validationDuration := time.Since(startTime)
|
|
c.logger.Info("Kubernetes Secret deployment validated successfully",
|
|
"duration", validationDuration.String(),
|
|
"namespace", c.config.Namespace,
|
|
"secret_name", c.config.SecretName)
|
|
|
|
return &target.ValidationResult{
|
|
Valid: true,
|
|
Serial: deployedSerial,
|
|
TargetAddress: targetAddr,
|
|
Message: fmt.Sprintf("Certificate valid in Kubernetes Secret %s/%s", c.config.Namespace, c.config.SecretName),
|
|
ValidatedAt: time.Now(),
|
|
Metadata: map[string]string{
|
|
"namespace": c.config.Namespace,
|
|
"secret_name": c.config.SecretName,
|
|
"duration_ms": fmt.Sprintf("%d", validationDuration.Milliseconds()),
|
|
},
|
|
}, nil
|
|
}
|
|
|
|
// realK8sClient is a stub placeholder for the real k8s.io/client-go implementation.
|
|
// The actual implementation will be added when the k8s.io dependencies are wired in.
|
|
type realK8sClient struct {
|
|
config *Config
|
|
logger *slog.Logger
|
|
}
|
|
|
|
// GetSecret stub implementation.
|
|
func (r *realK8sClient) GetSecret(ctx context.Context, namespace, name string) (*SecretData, error) {
|
|
return nil, fmt.Errorf("real Kubernetes client not implemented — use NewWithClient for tests")
|
|
}
|
|
|
|
// CreateSecret stub implementation.
|
|
func (r *realK8sClient) CreateSecret(ctx context.Context, namespace string, secret *SecretData) error {
|
|
return fmt.Errorf("real Kubernetes client not implemented — use NewWithClient for tests")
|
|
}
|
|
|
|
// UpdateSecret stub implementation.
|
|
func (r *realK8sClient) UpdateSecret(ctx context.Context, namespace string, secret *SecretData) error {
|
|
return fmt.Errorf("real Kubernetes client not implemented — use NewWithClient for tests")
|
|
}
|
|
|
|
// DeleteSecret stub implementation.
|
|
func (r *realK8sClient) DeleteSecret(ctx context.Context, namespace, name string) error {
|
|
return fmt.Errorf("real Kubernetes client not implemented — use NewWithClient for tests")
|
|
}
|