Add support for local caching of CA cert/key to ease development

Author: deitch

README.md

@@ -199,6 +199,24 @@ make manifests
 
 As always with `make`, you can force the rebuilding of a component with `make -B <target>`.
 
+## Running locally
+
+You can run the `manager` locally on your own laptop in order to ease and speed development, or even run it through a debugger. The steps are:
+
+1. Create a kubernetes bootstrap cluster, e.g. kind
+1. Set your `KUBECONFIG` to point to that cluster, e.g. `export KUBECONFIG=...`
+1. Create a local OS/arch `manager` binary, essentially `make manager`. This will save it as `bin/manager-<os>-<arch>`, e.g. `bin/manager-linux-arm64` or `bin/manager-darwin-amd64`
+1. Generate your yaml `./generate-yaml.sh`
+1. Run the manager against the cluster with the local configs, `bin/manager-darwin-amd64 -config ./config/default/machine_configs.yaml -ca-cache ./out/cache.json`
+
+In the above example:
+
+* We are running on macOS (`darwin`) and an Intel x86_64 (`amd64`)
+* We are using the default config file `./config/default/machine_configs.yaml`
+* We are caching the CA keys and certs in `out/cache.json`
+
+Caching the CA caches the certs **and the keys**. Only do this in test mode, or if you really are sure what you are doing. The purpose, in this case, is to allow you to stop and start the process, and pick up existing certs.
+
 ## References
 
 * [kubeadm yaml api](https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2)

cmd/clusterctl/main.go

@@ -38,9 +38,12 @@ func main() {
 	}
 
 	// get a deployer, which is needed at various stages
-	deployer := deployer.New(deployer.Params{
+	deployer, err := deployer.New(deployer.Params{
 		Client: client,
 	})
+	if err != nil {
+		klog.Fatalf("unable to get deployer: %v", err)
+	}
 
 	common.RegisterClusterProvisioner("packet", deployer)
 	cmd.Execute()

cmd/manager/main.go

@@ -53,6 +53,7 @@ func main() {
 	metricsAddr := flag.String("metrics-addr", ":8080", "The address the metric endpoint binds to.")
 
 	machineSetupConfig := flag.String("config", "/etc/machineconfig/machine_configs.yaml", "path to the machine setup config")
+	caCache := flag.String("ca-cache", "", "path to file to save cluster credentials; should be used for development purposes only, as it saves actual CA credentials")
 	flag.Parse()
 
 	log := logf.Log.WithName("packet-controller-manager")
@@ -77,10 +78,14 @@ func main() {
 		klog.Fatalf("unable to get Packet client: %v", err)
 	}
 	// get a deployer, which is needed at various stages
-	deployer := deployer.New(deployer.Params{
-		Client: client,
-		Port:   controlPort,
+	deployer, err := deployer.New(deployer.Params{
+		Client:  client,
+		Port:    controlPort,
+		CACache: *caCache,
 	})
+	if err != nil {
+		klog.Fatalf(err.Error())
+	}
 
 	clusterActuator, err := cluster.NewActuator(cluster.ActuatorParams{
 		ClustersGetter: cs.ClusterV1alpha1(),

pkg/cloud/packet/actuators/cluster/actuator.go

@@ -53,12 +53,15 @@ func NewActuator(params ActuatorParams) (*Actuator, error) {
 func (a *Actuator) Reconcile(cluster *clusterv1.Cluster) error {
 	log.Printf("Reconciling cluster %v.", cluster.Name)
 	// ensure that we have a CA cert/key and save it
-	if _, ok := a.deployer.Certs[cluster.Name]; !ok {
+	if cert, _ := a.deployer.GetCA(cluster.Name); cert == nil {
 		caCertAndKey, err := ca.GenerateCACertAndKey(cluster.Name, "")
 		if err != nil {
 			return fmt.Errorf("unable to generate CA cert and key: %v", err)
 		}
-		a.deployer.Certs[cluster.Name] = caCertAndKey
+		err = a.deployer.PutCA(cluster.Name, caCertAndKey)
+		if err != nil {
+			return fmt.Errorf("unable to save CA cert and key: %v", err)
+		}
 	}
 	return nil
 }
@@ -67,6 +70,6 @@ func (a *Actuator) Reconcile(cluster *clusterv1.Cluster) error {
 func (a *Actuator) Delete(cluster *clusterv1.Cluster) error {
 	log.Printf("Deleting cluster %v.", cluster.Name)
 	// remove the CA cert key
-	delete(a.deployer.Certs, cluster.Name)
+	a.deployer.DeleteCA(cluster.Name)
 	return nil
 }

pkg/cloud/packet/deployer/deploy.go

@@ -18,9 +18,11 @@ package deployer
 
 import (
 	"crypto/x509"
+	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"log"
+	"os"
 	"time"
 
 	"github.com/packethost/cluster-api-provider-packet/pkg/cloud/packet"
@@ -43,24 +45,33 @@ const (
 // Deployer satisfies the ProviderDeployer(https://github.com/kubernetes-sigs/cluster-api/blob/master/cmd/clusterctl/clusterdeployer/clusterdeployer.go) interface.
 type Deployer struct {
 	client      *packet.PacketClient
+	caCache     string
 	ControlPort int
 	// Certs map of clusterName to CA CertificateAuthority pointers. Each CertificateAuthority contains the Certificate and PrivateKey as its PEM-Encoded bytes
 	Certs map[string]*cert.CertificateAuthority
 }
 
 // Params is used to create a new deployer.
 type Params struct {
-	Client *packet.PacketClient
-	Port   int
+	Client  *packet.PacketClient
+	Port    int
+	CACache string
 }
 
 // New returns a new Deployer.
-func New(params Params) *Deployer {
-	return &Deployer{
+func New(params Params) (*Deployer, error) {
+	d := Deployer{
 		client:      params.Client,
+		caCache:     params.CACache,
 		ControlPort: params.Port,
 		Certs:       map[string]*cert.CertificateAuthority{},
 	}
+	// start by loading cache, if needed
+	err := d.readCache()
+	if err != nil {
+		return nil, fmt.Errorf("unable to read CA cache %s: %v", d.caCache, err)
+	}
+	return &d, nil
 }
 
 // GetIP returns IP address of the machine in the cluster. If no machine is given, find the IP for the cluster itself, i.e. the master
@@ -234,3 +245,67 @@ func (d *Deployer) NewBootstrapToken(cluster *clusterv1.Cluster) (string, error)
 	}
 	return token, nil
 }
+
+// readCache read the CAs that have been cached to a file
+// if blank, returns nil
+func (d *Deployer) readCache() error {
+	if d.caCache == "" {
+		return nil
+	}
+	// open for reading if it is there
+	f, err := os.Open(d.caCache)
+	switch {
+	case err != nil && os.IsNotExist(err):
+		return nil
+	case err != nil:
+		return fmt.Errorf("failed to open cache %s for reading: %v", d.caCache, err)
+	}
+	defer f.Close()
+	// it exists, so read it
+	decoder := json.NewDecoder(f)
+	certs := map[string]*cert.CertificateAuthority{}
+	if err := decoder.Decode(&certs); err != nil {
+		return fmt.Errorf("error reading cache file %s: %v", d.caCache, err)
+	}
+	// save the data
+	d.Certs = certs
+	return nil
+}
+
+// writeCache write the CAs to a cache file
+// if blank, returns nil
+func (d *Deployer) writeCache() error {
+	if d.caCache == "" {
+		return nil
+	}
+	// create the file if it does not exist
+	f, err := os.OpenFile(d.caCache, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return fmt.Errorf("failed to open cache %s for writing: %v", d.caCache, err)
+	}
+	defer f.Close()
+	encoder := json.NewEncoder(f)
+	encoder.Encode(d.Certs)
+	return nil
+}
+
+// GetCA get the CA cert pair for a cluster
+func (d *Deployer) GetCA(name string) (*cert.CertificateAuthority, error) {
+	c, ok := d.Certs[name]
+	if !ok {
+		return nil, nil
+	}
+	return c, nil
+}
+
+// PutCA put the CA cert pair for a cluster
+func (d *Deployer) PutCA(name string, ca *cert.CertificateAuthority) error {
+	d.Certs[name] = ca
+	return d.writeCache()
+}
+
+// DeleteCA remove the CA cert pair for a cluster
+func (d *Deployer) DeleteCA(name string) error {
+	delete(d.Certs, name)
+	return d.writeCache()
+}