Sign new certificate using loadbalancer-serving-signer (#104)

loganmc10 · web-flow · commit ab043edbcf40 · 2023-09-19T07:08:48.000-06:00
* Sign new certificate using loadbalancer-serving-signer

* update docs
diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@
 ## Description
 This operator can assist in reconfiguring a cluster once it has been moved to a new location. It performs the following steps:
 
-* Update the API and Ingress domain aliases using a generated self-signed certificate, or using a user provided certificate.
+* Update the API and Ingress domain aliases using a generated certificate (signed by loadbalancer-serving-signer), or using a user provided certificate.
 * Update the internal DNS records for the API and Ingress (SNO only).
 * (Optional) Update the cluster-wide pull secret.
 * (Optional) Add new SSH keys for the 'core' user.
diff --git a/api/v1beta1/clusterrelocation_types.go b/api/v1beta1/clusterrelocation_types.go
@@ -38,7 +38,7 @@ type ClusterRelocationSpec struct {
 	AddInternalDNSEntries *bool `json:"addInternalDNSEntries,omitempty"`
 
 	// APICertRef is a reference to a TLS secret that will be used for the API server.
-	// If it is omitted, a self-signed certificate will be generated.
+	// If it is omitted, a certificate will be generated and signed by loadbalancer-serving-signer.
 	// The type of the secret must be kubernetes.io/tls.
 	//+operator-sdk:csv:customresourcedefinitions:type=spec
 	APICertRef *corev1.SecretReference `json:"apiCertRef,omitempty"`
@@ -56,7 +56,7 @@ type ClusterRelocationSpec struct {
 	ImageDigestMirrors []configv1.ImageDigestMirrors `json:"imageDigestMirrors,omitempty"`
 
 	// IngressCertRef is a reference to a TLS secret that will be used for the Ingress Controller.
-	// If it is omitted, a self-signed certificate will be generated.
+	// If it is omitted, a certificate will be generated and signed by loadbalancer-serving-signer.
 	// The type of the secret must be kubernetes.io/tls.
 	//+operator-sdk:csv:customresourcedefinitions:type=spec
 	IngressCertRef *corev1.SecretReference `json:"ingressCertRef,omitempty"`
diff --git a/config/crd/bases/rhsyseng.github.io_clusterrelocations.yaml b/config/crd/bases/rhsyseng.github.io_clusterrelocations.yaml
@@ -246,8 +246,9 @@ spec:
                 type: boolean
               apiCertRef:
                 description: APICertRef is a reference to a TLS secret that will be
-                  used for the API server. If it is omitted, a self-signed certificate
-                  will be generated. The type of the secret must be kubernetes.io/tls.
+                  used for the API server. If it is omitted, a certificate will be
+                  generated and signed by loadbalancer-serving-signer. The type of
+                  the secret must be kubernetes.io/tls.
                 properties:
                   name:
                     description: name is unique within a namespace to reference a
@@ -341,8 +342,9 @@ spec:
                 type: array
               ingressCertRef:
                 description: IngressCertRef is a reference to a TLS secret that will
-                  be used for the Ingress Controller. If it is omitted, a self-signed
-                  certificate will be generated. The type of the secret must be kubernetes.io/tls.
+                  be used for the Ingress Controller. If it is omitted, a certificate
+                  will be generated and signed by loadbalancer-serving-signer. The
+                  type of the secret must be kubernetes.io/tls.
                 properties:
                   name:
                     description: name is unique within a namespace to reference a
diff --git a/internal/api/reconcile.go b/internal/api/reconcile.go
@@ -23,7 +23,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 	var origSecretName string
 	var origSecretNamespace string
 	if relocation.Spec.APICertRef == nil {
-		// If they haven't specified an APICertRef, we generate a self-signed certificate for them
+		// If they haven't specified an APICertRef, we generate a certificate for them
 		origSecretName = "generated-api-secret"
 		origSecretNamespace = rhsysenggithubiov1beta1.ConfigNamespace
 		secret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: origSecretName, Namespace: origSecretNamespace}}
@@ -36,7 +36,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 			if !ok {
 				logger.Info("generating new TLS cert for API")
 				var err error
-				secret.Data, err = secrets.GenerateTLSKeyPair(relocation.Spec.Domain, "api")
+				secret.Data, err = secrets.GenerateTLSKeyPair(ctx, c, relocation.Spec.Domain, "api")
 				if err != nil {
 					return err
 				}
@@ -49,7 +49,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 				if commonName != fmt.Sprintf("api.%s", relocation.Spec.Domain) {
 					logger.Info("Domain name has changed, generating new TLS certificate for API")
 					var err error
-					secret.Data, err = secrets.GenerateTLSKeyPair(relocation.Spec.Domain, "api")
+					secret.Data, err = secrets.GenerateTLSKeyPair(ctx, c, relocation.Spec.Domain, "api")
 					if err != nil {
 						return err
 					}
@@ -63,7 +63,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 			return err
 		}
 		if op != controllerutil.OperationResultNone {
-			logger.Info("Self-signed API TLS cert modified", "OperationResult", op)
+			logger.Info("API TLS cert modified", "OperationResult", op)
 		}
 	} else {
 		if relocation.Spec.APICertRef.Name == "" || relocation.Spec.APICertRef.Namespace == "" {
diff --git a/internal/ingress/reconcile.go b/internal/ingress/reconcile.go
@@ -29,7 +29,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 	var origSecretName string
 	var origSecretNamespace string
 	if relocation.Spec.IngressCertRef == nil {
-		// If they haven't specified an IngressCertRef, we generate a self-signed certificate for them
+		// If they haven't specified an IngressCertRef, we generate a certificate for them
 		origSecretName = "generated-ingress-secret"
 		origSecretNamespace = rhsysenggithubiov1beta1.IngressNamespace
 		secret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: origSecretName, Namespace: origSecretNamespace}}
@@ -42,7 +42,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 			if !ok {
 				logger.Info("generating new TLS cert for Ingresses")
 				var err error
-				secret.Data, err = secrets.GenerateTLSKeyPair(relocation.Spec.Domain, "*.apps")
+				secret.Data, err = secrets.GenerateTLSKeyPair(ctx, c, relocation.Spec.Domain, "*.apps")
 				if err != nil {
 					return err
 				}
@@ -55,7 +55,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 				if commonName != fmt.Sprintf("*.apps.%s", relocation.Spec.Domain) {
 					logger.Info("Domain name has changed, generating new TLS certificate for Ingresses")
 					var err error
-					secret.Data, err = secrets.GenerateTLSKeyPair(relocation.Spec.Domain, "*.apps")
+					secret.Data, err = secrets.GenerateTLSKeyPair(ctx, c, relocation.Spec.Domain, "*.apps")
 					if err != nil {
 						return err
 					}
@@ -69,7 +69,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 			return err
 		}
 		if op != controllerutil.OperationResultNone {
-			logger.Info("Self-signed Ingress TLS cert modified", "OperationResult", op)
+			logger.Info("Ingress TLS cert modified", "OperationResult", op)
 		}
 
 		secretName := origSecretName
diff --git a/internal/secrets/secrets.go b/internal/secrets/secrets.go
@@ -44,14 +44,36 @@ func GetCertCommonName(TLSCertKey []byte) (string, error) {
 	return cert.Subject.CommonName, nil
 }
 
-func GenerateTLSKeyPair(domain string, prefix string) (map[string][]byte, error) {
+func GenerateTLSKeyPair(ctx context.Context, c client.Client, domain string, prefix string) (map[string][]byte, error) {
+	// Sign the certificate using loadbalancer-serving-signer
+	lbSigningSecret := &corev1.Secret{}
+	if err := c.Get(ctx, types.NamespacedName{Name: "loadbalancer-serving-signer", Namespace: "openshift-kube-apiserver-operator"}, lbSigningSecret); err != nil {
+		return nil, err
+	}
+	certBlock, _ := pem.Decode(lbSigningSecret.Data[corev1.TLSCertKey])
+	if certBlock == nil {
+		return nil, fmt.Errorf("could not decode loadbalancer-serving-signer certificate")
+	}
+	lbSigningCert, err := x509.ParseCertificate(certBlock.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	keyBlock, _ := pem.Decode(lbSigningSecret.Data[corev1.TLSPrivateKeyKey])
+	if keyBlock == nil {
+		return nil, fmt.Errorf("could not decode loadbalancer-serving-signer private key")
+	}
+	lbSigningPrivateKey, err := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
 	// Generate a private key
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, err
 	}
 
-	// Create a self-signed certificate template
+	// Create a certificate template
 	certificateTemplate := x509.Certificate{
 		SerialNumber:          big.NewInt(1),
 		Subject:               pkix.Name{CommonName: fmt.Sprintf("%s.%s", prefix, domain)},
@@ -61,8 +83,8 @@ func GenerateTLSKeyPair(domain string, prefix string) (map[string][]byte, error)
 		DNSNames:              []string{fmt.Sprintf("%s.%s", prefix, domain)},
 	}
 
-	// Create a self-signed certificate using the private key and certificate template
-	derBytes, err := x509.CreateCertificate(rand.Reader, &certificateTemplate, &certificateTemplate, &privateKey.PublicKey, privateKey)
+	// Create a certificate using the private key and certificate template, signed by loadbalancer-serving-signer
+	derBytes, err := x509.CreateCertificate(rand.Reader, &certificateTemplate, lbSigningCert, &privateKey.PublicKey, lbSigningPrivateKey)
 	if err != nil {
 		return nil, err
 	}
