add ceritficate bundle abstraction

Author: porthorian

internal/mode/static/state/graph/certificate_bundle.go

@@ -0,0 +1,62 @@
+package graph
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/types"
+	v1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+const CAKey = "ca.crt"
+
+type CertificateBundle struct {
+	Name types.NamespacedName
+	Kind v1.Kind
+
+	// Required ...
+	TLSCert       []byte
+	TLSPrivateKey []byte
+
+	// Optional
+	CACert []byte
+}
+
+func (cb *CertificateBundle) validate() error {
+	_, err := tls.X509KeyPair(cb.TLSCert, cb.TLSPrivateKey)
+	if err != nil {
+		return fmt.Errorf("TLS secret is invalid: %w", err)
+	}
+
+	if err = validateCA(cb.CACert); len(cb.CACert) >= 1 && err != nil {
+		return fmt.Errorf("Certificate in secret is invalid: %w", err)
+	}
+
+	return nil
+}
+
+// validateCA validates the ca.crt entry in the ConfigMap. If it is valid, the function returns nil.
+func validateCA(caData []byte) error {
+	data := make([]byte, base64.StdEncoding.DecodedLen(len(caData)))
+	_, err := base64.StdEncoding.Decode(data, caData)
+	if err != nil {
+		data = caData
+	}
+	block, _ := pem.Decode(data)
+	if block == nil {
+		return fmt.Errorf("the data field %s must hold a valid CERTIFICATE PEM block", CAKey)
+	}
+	if block.Type != "CERTIFICATE" {
+		return fmt.Errorf("the data field %s must hold a valid CERTIFICATE PEM block, but got '%s'", CAKey, block.Type)
+	}
+
+	_, err = x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return fmt.Errorf("failed to validate certificate: %w", err)
+	}
+
+	return nil
+}

internal/mode/static/state/graph/configmaps.go

@@ -1,18 +1,13 @@
 package graph
 
 import (
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
 	"errors"
 	"fmt"
 
 	apiv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
 
-const CAKey = "ca.crt"
-
 // CaCertConfigMap represents a ConfigMap resource that holds CA Cert data.
 type CaCertConfigMap struct {
 	// Source holds the actual ConfigMap resource. Can be nil if the ConfigMap does not exist.
@@ -97,26 +92,3 @@ func (r *configMapResolver) getResolvedConfigMaps() map[types.NamespacedName]*Ca
 
 	return resolved
 }
-
-// validateCA validates the ca.crt entry in the ConfigMap. If it is valid, the function returns nil.
-func validateCA(caData []byte) error {
-	data := make([]byte, base64.StdEncoding.DecodedLen(len(caData)))
-	_, err := base64.StdEncoding.Decode(data, caData)
-	if err != nil {
-		data = caData
-	}
-	block, _ := pem.Decode(data)
-	if block == nil {
-		return fmt.Errorf("the data field %s must hold a valid CERTIFICATE PEM block", CAKey)
-	}
-	if block.Type != "CERTIFICATE" {
-		return fmt.Errorf("the data field %s must hold a valid CERTIFICATE PEM block, but got '%s'", CAKey, block.Type)
-	}
-
-	_, err = x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		return fmt.Errorf("failed to validate certificate: %w", err)
-	}
-
-	return nil
-}

internal/mode/static/state/graph/secret.go

@@ -1,7 +1,6 @@
 package graph
 
 import (
-	"crypto/tls"
 	"errors"
 	"fmt"
 
@@ -13,6 +12,9 @@ import (
 type Secret struct {
 	// Source holds the actual Secret resource. Can be nil if the Secret does not exist.
 	Source *apiv1.Secret
+
+	// CertBundle holds actual certificate data.
+	CertBundle *CertificateBundle
 }
 
 type secretEntry struct {
@@ -43,6 +45,7 @@ func (r *secretResolver) resolve(nsname types.NamespacedName) error {
 	secret, exist := r.clusterSecrets[nsname]
 
 	var validationErr error
+	var certBundle *CertificateBundle
 
 	switch {
 	case !exist:
@@ -53,15 +56,23 @@ func (r *secretResolver) resolve(nsname types.NamespacedName) error {
 
 	default:
 		// A TLS Secret is guaranteed to have these data fields.
-		_, err := tls.X509KeyPair(secret.Data[apiv1.TLSCertKey], secret.Data[apiv1.TLSPrivateKeyKey])
-		if err != nil {
-			validationErr = fmt.Errorf("TLS secret is invalid: %w", err)
+		certBundle = &CertificateBundle{
+			TLSCert:       secret.Data[apiv1.TLSCertKey],
+			TLSPrivateKey: secret.Data[apiv1.TLSPrivateKeyKey],
+		}
+
+		// Not always guaranteed to have a ca certificate in the secret.
+		if _, exists := secret.Data[CAKey]; exists {
+			certBundle.CACert = secret.Data[CAKey]
 		}
+
+		validationErr = certBundle.validate()
 	}
 
 	r.resolvedSecrets[nsname] = &secretEntry{
 		Secret: Secret{
-			Source: secret,
+			Source:     secret,
+			CertBundle: certBundle,
 		},
 		err: validationErr,
 	}