Let front-proxy verify against non-fp client CA (#178)

* Add reconciler for a merged front proxy client CA + client CA bundle

Signed-off-by: Nelo-T. Wallus <red.brush9525@fastmail.com>
Signed-off-by: Nelo-T. Wallus <n.wallus@sap.com>

* Deploy both external and internal front proxy with merged client CA bundle

Signed-off-by: Nelo-T. Wallus <red.brush9525@fastmail.com>
Signed-off-by: Nelo-T. Wallus <n.wallus@sap.com>

---------

Signed-off-by: Nelo-T. Wallus <red.brush9525@fastmail.com>
Signed-off-by: Nelo-T. Wallus <n.wallus@sap.com>

Author: ntnn

internal/controller/frontproxy/controller_test.go

@@ -79,11 +79,31 @@ func TestReconciling(t *testing.T) {
 
 	for _, testcase := range testcases {
 		t.Run(testcase.name, func(t *testing.T) {
+			// The merged client CA reconciler fetches FrontProxyClientCA and ClientCA.
+			frontProxyClientCASecret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      testcase.rootShard.Name + "-front-proxy-client-ca",
+					Namespace: namespace,
+				},
+				Data: map[string][]byte{
+					"tls.crt": []byte("front-proxy-client-ca-cert"),
+				},
+			}
+			clientCASecret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      testcase.rootShard.Name + "-client-ca",
+					Namespace: namespace,
+				},
+				Data: map[string][]byte{
+					"tls.crt": []byte("client-ca-cert"),
+				},
+			}
+
 			client := ctrlruntimefakeclient.
 				NewClientBuilder().
 				WithScheme(scheme).
 				WithStatusSubresource(testcase.rootShard, testcase.frontProxy).
-				WithObjects(testcase.rootShard, testcase.frontProxy).
+				WithObjects(testcase.rootShard, testcase.frontProxy, frontProxyClientCASecret, clientCASecret).
 				Build()
 
 			ctx := context.Background()

internal/controller/rootshard/controller_test.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	ctrlruntimeclient "sigs.k8s.io/controller-runtime/pkg/client"
 	ctrlruntimefakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
@@ -64,11 +65,31 @@ func TestReconciling(t *testing.T) {
 
 	for _, testcase := range testcases {
 		t.Run(testcase.name, func(t *testing.T) {
+			// The merged client CA reconciler fetches FrontProxyClientCA and ClientCA.
+			frontProxyClientCASecret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      testcase.rootShard.Name + "-front-proxy-client-ca",
+					Namespace: namespace,
+				},
+				Data: map[string][]byte{
+					"tls.crt": []byte("front-proxy-client-ca-cert"),
+				},
+			}
+			clientCASecret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      testcase.rootShard.Name + "-client-ca",
+					Namespace: namespace,
+				},
+				Data: map[string][]byte{
+					"tls.crt": []byte("client-ca-cert"),
+				},
+			}
+
 			client := ctrlruntimefakeclient.
 				NewClientBuilder().
 				WithScheme(scheme).
 				WithStatusSubresource(testcase.rootShard).
-				WithObjects(testcase.rootShard).
+				WithObjects(testcase.rootShard, frontProxyClientCASecret, clientCASecret).
 				Build()
 
 			ctx := context.Background()

internal/resources/frontproxy/ca_bundle.go

@@ -17,6 +17,7 @@ limitations under the License.
 package frontproxy
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 
@@ -30,6 +31,66 @@ import (
 	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
 )
 
+func (r *reconciler) mergedClientCASecretName() string {
+	if r.frontProxy != nil {
+		return fmt.Sprintf("%s-merged-client-ca", r.frontProxy.Name)
+	}
+	return fmt.Sprintf("%s-proxy-merged-client-ca", r.rootShard.Name)
+}
+
+// mergedClientCASecretReconciler creates a single secret with the
+// FrontProxyClientCA and shard ClientCA concatenated so that the front
+// proxy accepts clients signed by either CA.
+func (r *reconciler) mergedClientCASecretReconciler(ctx context.Context, kubeClient ctrlruntimeclient.Client) k8creconciling.NamedSecretReconcilerFactory {
+	getCA := func(caType operatorv1alpha1.CA) ([]byte, error) {
+		caSecret := &corev1.Secret{}
+		caSecretName := resources.GetRootShardCAName(r.rootShard, caType)
+		if err := kubeClient.Get(ctx, types.NamespacedName{
+			Namespace: r.rootShard.Namespace,
+			Name:      caSecretName,
+		}, caSecret); err != nil {
+			return nil, fmt.Errorf("failed to get %s secret %s: %w", caType, caSecretName, err)
+		}
+
+		cert, ok := caSecret.Data["tls.crt"]
+		if !ok {
+			return nil, fmt.Errorf("%s secret %s missing tls.crt", caType, caSecretName)
+		}
+		return cert, nil
+	}
+
+	return func() (string, k8creconciling.SecretReconciler) {
+		return r.mergedClientCASecretName(), func(secret *corev1.Secret) (*corev1.Secret, error) {
+			if secret.Data == nil {
+				secret.Data = make(map[string][]byte)
+			}
+
+			fpClientCA, err := getCA(operatorv1alpha1.FrontProxyClientCA)
+			if err != nil {
+				return nil, fmt.Errorf("error getting front proxy client ca: %w", err)
+			}
+
+			clientCA, err := getCA(operatorv1alpha1.ClientCA)
+			if err != nil {
+				return nil, fmt.Errorf("error getting client ca: %w", err)
+			}
+
+			secret.Data["tls.crt"] = bytes.Join([][]byte{fpClientCA, clientCA}, []byte{'\n'})
+
+			if secret.Labels == nil {
+				secret.Labels = make(map[string]string)
+			}
+			if r.frontProxy != nil {
+				secret.Labels[resources.FrontProxyLabel] = r.frontProxy.Name
+			} else {
+				secret.Labels[resources.RootShardLabel] = r.rootShard.Name
+			}
+
+			return secret, nil
+		}
+	}
+}
+
 func (r *reconciler) mergedCABundleSecretName() string {
 	// Validate whether called for frontProxy or rootShardFrontProxy
 	if r.frontProxy != nil {

internal/resources/frontproxy/deployment.go

@@ -176,16 +176,9 @@ func (r *reconciler) deploymentReconciler() reconciling.NamedDeploymentReconcile
 				mountSecret(r.mergedCABundleSecretName(), getCAMountPath(operatorv1alpha1.CABundleCA), true)
 			}
 
-			// Regular front-proxies use a dedicated client CA. However the internal rootshard proxy
-			// uses the internal client CA instead to make it easier for the kcp-operator to just use
-			// a single certificate to access all components.
-			if r.frontProxy != nil {
-				// rootshard frontproxy client ca
-				mountSecret(resources.GetRootShardCAName(r.rootShard, operatorv1alpha1.FrontProxyClientCA), frontProxyBasepath+"/client-ca", true)
-			} else {
-				// kcp client ca
-				mountSecret(resources.GetRootShardCAName(r.rootShard, operatorv1alpha1.ClientCA), kcpBasepath+"/tls/client-ca", true)
-			}
+			// Mount the merged client CA (FrontProxyClientCA + ClientCA) so
+			// that clients signed by either CA are accepted.
+			mountSecret(r.mergedClientCASecretName(), frontProxyBasepath+"/client-ca", true)
 
 			// front-proxy config
 			{
@@ -269,15 +262,13 @@ var defaultArgs = []string{
 func (r *reconciler) getArgs() []string {
 	args := defaultArgs
 
+	args = append(args, fmt.Sprintf("--client-ca-file=%s/client-ca/tls.crt", frontProxyBasepath))
+
 	// rootshard proxy mode
 	if r.frontProxy == nil {
-		args = append(args, fmt.Sprintf("--client-ca-file=%s/tls/client-ca/tls.crt", kcpBasepath))
 		return args
 	}
 
-	// regular front-proxy
-	args = append(args, fmt.Sprintf("--client-ca-file=%s/client-ca/tls.crt", frontProxyBasepath))
-
 	if auth := r.frontProxy.Spec.Auth; auth != nil {
 		if auth.DropGroups != nil {
 			args = append(args, fmt.Sprintf("--authentication-drop-groups=%q", strings.Join(auth.DropGroups, ",")))

internal/resources/frontproxy/deployment_test.go

@@ -82,7 +82,7 @@ func TestDeploymentReconciler(t *testing.T) {
 					resources.GetFrontProxyCertificateName(&operatorv1alpha1.RootShard{ObjectMeta: metav1.ObjectMeta{Name: "test-root-shard"}}, &operatorv1alpha1.FrontProxy{ObjectMeta: metav1.ObjectMeta{Name: "test-front-proxy"}}, operatorv1alpha1.ServerCertificate),
 					resources.GetFrontProxyCertificateName(&operatorv1alpha1.RootShard{ObjectMeta: metav1.ObjectMeta{Name: "test-root-shard"}}, &operatorv1alpha1.FrontProxy{ObjectMeta: metav1.ObjectMeta{Name: "test-front-proxy"}}, operatorv1alpha1.RequestHeaderClientCertificate),
 					resources.GetFrontProxyConfigName(&operatorv1alpha1.FrontProxy{ObjectMeta: metav1.ObjectMeta{Name: "test-front-proxy"}}),
-					resources.GetRootShardCAName(&operatorv1alpha1.RootShard{ObjectMeta: metav1.ObjectMeta{Name: "test-root-shard"}}, operatorv1alpha1.FrontProxyClientCA),
+					resources.GetMergedClientCAName("test-front-proxy"),
 					resources.GetRootShardCAName(&operatorv1alpha1.RootShard{ObjectMeta: metav1.ObjectMeta{Name: "test-root-shard"}}, operatorv1alpha1.RootCA),
 				}
 

internal/resources/frontproxy/reconciler.go

@@ -88,6 +88,7 @@ func (r *reconciler) Reconcile(ctx context.Context, client ctrlruntimeclient.Cli
 
 	secretReconcilers := []k8creconciling.NamedSecretReconcilerFactory{
 		r.dynamicKubeconfigSecretReconciler(),
+		r.mergedClientCASecretReconciler(ctx, client),
 	}
 
 	if r.getCABundleSecretRef() != nil {

internal/resources/resources.go

@@ -246,3 +246,7 @@ func GetRootShardProxyServiceName(r *operatorv1alpha1.RootShard) string {
 func GetBundleName(ownerName string) string {
 	return fmt.Sprintf("%s-bundle", ownerName)
 }
+
+func GetMergedClientCAName(ownerName string) string {
+	return fmt.Sprintf("%s-merged-client-ca", ownerName)
+}