cert-manager
diff --git a/‎README.md
Lines changed: 4 additions & 1 deletion b/‎README.md
Lines changed: 4 additions & 1 deletion
diff --git a/‎TODO
Lines changed: 9 additions & 0 deletions b/‎TODO
Lines changed: 9 additions & 0 deletions
diff --git a/‎go.mod
Lines changed: 66 additions & 0 deletions b/‎go.mod
Lines changed: 66 additions & 0 deletions
diff --git a/‎go.sum
Lines changed: 185 additions & 0 deletions b/‎go.sum
Lines changed: 185 additions & 0 deletions
diff --git a/‎internal/pki/cert_pool.go
Lines changed: 190 additions & 0 deletions b/‎internal/pki/cert_pool.go
Lines changed: 190 additions & 0 deletions
@@ -1 +1,4 @@
-# webhook-cert-lib
+# cert-manager webhook-cert-lib
+
+Note: This project is under development and will be changed without notice.
+Do NOT use in production!
@@ -0,0 +1,9 @@
+MUST:
+- make sure to re-reconcile certificates before they expire
+- Scope down controller RBAC to single CA Secret resource.
+- Use cli flags in the program to list the injectables, allowing use to scope down the injectable RBAC.
+
+CONSIDER:
+- maybe remove dependency on controller-runtime (use client-go directly instead)
+- maybe support all controller-runtime Server types: webhook and metrics (might require rebranding)
+- Can we make the solution leader-election-less? Does it make sense that we use the existing cr leader election or should we create a separate leader-election just for the logic in this library?
@@ -0,0 +1,66 @@
+module github.com/cert-manager/webhook-cert-lib
+
+go 1.23.0
+
+toolchain go1.24.2
+
+require (
+	github.com/go-logr/logr v1.4.2
+	k8s.io/api v0.32.3
+	k8s.io/apimachinery v0.32.3
+	k8s.io/client-go v0.32.3
+	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e
+	sigs.k8s.io/controller-runtime v0.20.4
+)
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.1 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.63.0 // indirect
+	github.com/prometheus/procfs v0.16.0 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/oauth2 v0.29.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/term v0.31.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/apiextensions-apiserver v0.32.3 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)
@@ -0,0 +1,190 @@
+/*
+Copyright The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pki
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"slices"
+	"time"
+)
+
+// CertPool is a set of certificates.
+type CertPool struct {
+	certificates map[[32]byte]*x509.Certificate
+
+	filterExpired bool
+}
+
+type Option func(*CertPool)
+
+func WithFilteredExpiredCerts(filterExpired bool) Option {
+	return func(cp *CertPool) {
+		cp.filterExpired = filterExpired
+	}
+}
+
+// NewCertPool returns a new, empty CertPool.
+// It will deduplicate certificates based on their SHA256 hash.
+// Optionally, it can filter out expired certificates.
+func NewCertPool(options ...Option) *CertPool {
+	certPool := &CertPool{
+		certificates: make(map[[32]byte]*x509.Certificate),
+	}
+
+	for _, option := range options {
+		option(certPool)
+	}
+
+	return certPool
+}
+
+func (cp *CertPool) AddCert(cert *x509.Certificate) bool {
+	if cert == nil {
+		panic("adding nil Certificate to CertPool")
+	}
+	if cp.filterExpired && time.Now().After(cert.NotAfter) {
+		return false
+	}
+
+	hash := sha256.Sum256(cert.Raw)
+	cp.certificates[hash] = cert
+	return true
+}
+
+// AddCertsFromPEM strictly validates a given input PEM bundle to confirm it contains
+// only valid CERTIFICATE PEM blocks. If successful, returns the validated PEM blocks with any
+// comments or extra data stripped.
+//
+// This validation is broadly similar to the standard library function
+// crypto/x509.CertPool.AppendCertsFromPEM - that is, we decode each PEM block at a time and parse
+// it as a certificate.
+//
+// The difference here is that we want to ensure that the bundle _only_ contains certificates, and
+// not just skip over things which aren't certificates.
+//
+// If, for example, someone accidentally used a combined cert + private key as an input to a trust
+// bundle, we wouldn't want to then distribute the private key in the target.
+//
+// In addition, the standard library AppendCertsFromPEM also silently skips PEM blocks with
+// non-empty Headers. We error on such PEM blocks, for the same reason as above; headers could
+// contain (accidental) private information. They're also non-standard according to
+// https://www.rfc-editor.org/rfc/rfc7468
+//
+// Additionally, if the input PEM bundle contains no non-expired certificates, an error is returned.
+// TODO: Reconsider what should happen if the input only contains expired certificates.
+func (cp *CertPool) AddCertsFromPEM(pemData []byte) error {
+	if pemData == nil {
+		return fmt.Errorf("certificate data can't be nil")
+	}
+
+	ok := false
+	for {
+		var block *pem.Block
+		block, pemData = pem.Decode(pemData)
+
+		if block == nil {
+			break
+		}
+
+		if block.Type != "CERTIFICATE" {
+			// only certificates are allowed in a bundle
+			return fmt.Errorf("invalid PEM block in bundle: only CERTIFICATE blocks are permitted but found '%s'", block.Type)
+		}
+
+		if len(block.Headers) != 0 {
+			return fmt.Errorf("invalid PEM block in bundle; blocks are not permitted to have PEM headers")
+		}
+
+		certificate, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			// the presence of an invalid cert (including things which aren't certs)
+			// should cause the bundle to be rejected
+			return fmt.Errorf("invalid PEM block in bundle; invalid PEM certificate: %w", err)
+		}
+
+		if certificate == nil {
+			return fmt.Errorf("failed appending a certificate: certificate is nil")
+		}
+
+		if cp.AddCert(certificate) {
+			ok = true // at least one non-expired certificate was found in the input
+		}
+	}
+
+	if !ok {
+		return fmt.Errorf("no non-expired certificates found in input bundle")
+	}
+
+	return nil
+}
+
+// Get certificates quantity in the certificates pool
+func (cp *CertPool) Size() int {
+	return len(cp.certificates)
+}
+
+func (cp *CertPool) PEM() string {
+	if cp == nil || len(cp.certificates) == 0 {
+		return ""
+	}
+
+	buffer := bytes.Buffer{}
+
+	for _, cert := range cp.Certificates() {
+		if err := pem.Encode(&buffer, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}); err != nil {
+			return ""
+		}
+	}
+
+	return string(bytes.TrimSpace(buffer.Bytes()))
+}
+
+func (cp *CertPool) PEMSplit() []string {
+	if cp == nil || len(cp.certificates) == 0 {
+		return nil
+	}
+
+	pems := make([]string, 0, len(cp.certificates))
+	for _, cert := range cp.Certificates() {
+		pems = append(pems, string(bytes.TrimSpace(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))))
+	}
+
+	return pems
+}
+
+// Get the list of all x509 Certificates in the certificates pool
+func (cp *CertPool) Certificates() []*x509.Certificate {
+	hashes := make([][32]byte, 0, len(cp.certificates))
+	for hash := range cp.certificates {
+		hashes = append(hashes, hash)
+	}
+
+	slices.SortFunc(hashes, func(i, j [32]byte) int {
+		return bytes.Compare(i[:], j[:])
+	})
+
+	orderedCertificates := make([]*x509.Certificate, 0, len(cp.certificates))
+	for _, hash := range hashes {
+		orderedCertificates = append(orderedCertificates, cp.certificates[hash])
+	}
+
+	return orderedCertificates
+}