cert-inspection: create stubs for in-memory certificates

We have no method to detect those, we have to create stub entries for every instance of apiserver

Author: vrutkovs

pkg/certs/cert-inspection/certgraphanalysis/collector.go

@@ -2,12 +2,14 @@ package certgraphanalysis
 
 import (
 	"context"
+	"fmt"
 	"strings"
 
 	"github.com/openshift/api/annotations"
 	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/kubernetes"
@@ -251,11 +253,16 @@ func MergePKILists(ctx context.Context, first, second *certgraphapi.PKIList) *ce
 	}
 	onDiskResourceData = deduplicateOnDiskMetadata(onDiskResourceData)
 
+	inMemoryResourceData := certgraphapi.PerInMemoryResourceData{
+		CertKeyPairs: append(first.InMemoryResourceData.CertKeyPairs, second.InMemoryResourceData.CertKeyPairs...),
+	}
+
 	return &certgraphapi.PKIList{
 		CertificateAuthorityBundles: *caBundlesList,
 		CertKeyPairs:                *certList,
 		InClusterResourceData:       inClusterData,
 		OnDiskResourceData:          onDiskResourceData,
+		InMemoryResourceData:        inMemoryResourceData,
 	}
 }
 
@@ -299,3 +306,85 @@ func GetBootstrapIPAndHostname(ctx context.Context, kubeClient kubernetes.Interf
 
 	return bootstrapIP, bootstrapHostname, nil
 }
+
+type InMemoryCertDetail struct {
+	Namespace     string
+	LabelSelector labels.Selector
+	Description   string
+	NamePrefix    string
+	Validity      string
+	CertInfo      certgraphapi.PKIRegistryCertKeyPairInfo
+}
+
+// CreateInMemoryPKIList creates a PKIList listing in-memory certificate for each apiserver
+
+func CreateInMemoryPKIList(ctx context.Context, kubeClient kubernetes.Interface, details []InMemoryCertDetail) (*certgraphapi.PKIList, error) {
+	errs := []error{}
+	result := &certgraphapi.PKIList{}
+
+	for _, detail := range details {
+		err := addInMemoryCertificateStub(ctx, result, kubeClient, detail)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("failed to add in-memory certificate stub for %#v: %w", detail, err))
+		}
+	}
+	return result, utilerrors.NewAggregate(errs)
+
+}
+
+func addInMemoryCertificateStub(ctx context.Context, list *certgraphapi.PKIList, kubeClient kubernetes.Interface, detail InMemoryCertDetail) error {
+	if list == nil {
+		list = &certgraphapi.PKIList{}
+	}
+
+	if list.InMemoryResourceData.CertKeyPairs == nil {
+		list.InMemoryResourceData.CertKeyPairs = []certgraphapi.PKIRegistryInMemoryCertKeyPair{}
+	}
+	if list.CertKeyPairs.Items == nil {
+		list.CertKeyPairs.Items = []certgraphapi.CertKeyPair{}
+	}
+
+	// For each matched pod in namespace, create a cert key pair
+	podList, err := kubeClient.CoreV1().Pods(detail.Namespace).List(ctx, metav1.ListOptions{
+		LabelSelector: detail.LabelSelector.String(),
+	})
+
+	if err != nil {
+		return err
+	}
+
+	for i, pod := range podList.Items {
+		certKeyPair := certgraphapi.CertKeyPair{
+			Name:        fmt.Sprintf("%s-%d::1", detail.NamePrefix, i),
+			Description: detail.Description,
+			Spec: certgraphapi.CertKeyPairSpec{
+				InMemoryLocations: []certgraphapi.InClusterPodLocation{
+					{
+						Namespace: pod.Namespace,
+						// Using fake pod name to avoid removing IPs or hashes
+						Name: fmt.Sprintf("%s-%d", detail.NamePrefix, i),
+					},
+				},
+				CertMetadata: certgraphapi.CertKeyMetadata{
+					ValidityDuration: detail.Validity,
+					CertIdentifier: certgraphapi.CertIdentifier{
+						// PubkeyModulus needs to be unique so that the secret would not be removed during deduplication
+						PubkeyModulus: fmt.Sprintf("in-memory-%s-%d", detail.NamePrefix, i),
+					},
+				},
+			},
+		}
+
+		list.CertKeyPairs.Items = append(list.CertKeyPairs.Items, certKeyPair)
+
+		list.InMemoryResourceData.CertKeyPairs = append(list.InMemoryResourceData.CertKeyPairs, certgraphapi.PKIRegistryInMemoryCertKeyPair{
+			PodLocation: certgraphapi.InClusterPodLocation{
+				Namespace: pod.Namespace,
+				Name:      fmt.Sprintf("%s-%d", detail.NamePrefix, i),
+			},
+			CertKeyInfo: detail.CertInfo,
+		})
+	}
+	return nil
+
+}

pkg/certs/cert-inspection/certgraphanalysis/deduplication.go

@@ -25,6 +25,7 @@ func deduplicateCertKeyPairs(in []*certgraphapi.CertKeyPair) []*certgraphapi.Cer
 				found = true
 				ret[j] = CombineSecretLocations(ret[j], currIn.Spec.SecretLocations)
 				ret[j] = CombineCertOnDiskLocations(ret[j], currIn.Spec.OnDiskLocations)
+				ret[j] = CombineCertInMemoryLocations(ret[j], currIn.Spec.InMemoryLocations)
 				break
 			}
 		}
@@ -199,3 +200,20 @@ func deduplicateOnDiskMetadata(in certgraphapi.PerOnDiskResourceData) certgrapha
 	}
 	return out
 }
+
+// CombineCertInMemoryLocations returns a CertKeyPair with all in-memory locations from in and rhs de-duplicated into a single list
+func CombineCertInMemoryLocations(in *certgraphapi.CertKeyPair, rhs []certgraphapi.InClusterPodLocation) *certgraphapi.CertKeyPair {
+	out := in.DeepCopy()
+	for _, curr := range rhs {
+		found := false
+		for _, existing := range in.Spec.InMemoryLocations {
+			if curr == existing {
+				found = true
+			}
+		}
+		if !found {
+			out.Spec.InMemoryLocations = append(out.Spec.InMemoryLocations, curr)
+		}
+	}
+	return out
+}

pkg/certs/cert-inspection/certgraphapi/type_registry.go

@@ -1,8 +1,9 @@
 package certgraphapi
 
 type PKIRegistryCertKeyPair struct {
-	InClusterLocation *PKIRegistryInClusterCertKeyPair
-	OnDiskLocation    *PKIRegistryOnDiskCertKeyPair
+	InClusterLocation   *PKIRegistryInClusterCertKeyPair
+	OnDiskLocation      *PKIRegistryOnDiskCertKeyPair
+	InMemoryPodLocation *PKIRegistryInMemoryCertKeyPair
 }
 
 // PKIRegistryOnDiskCertKeyPair identifies certificate key pair on disk and stores its metadata
@@ -13,6 +14,14 @@ type PKIRegistryOnDiskCertKeyPair struct {
 	CertKeyInfo PKIRegistryCertKeyPairInfo `json:"certKeyInfo"`
 }
 
+// PKIRegistryInMemoryCertKeyPair identifies certificate key pair and stores its metadata
+type PKIRegistryInMemoryCertKeyPair struct {
+	// PodLocation points to the pod location
+	PodLocation InClusterPodLocation `json:"podLocation"`
+	// CertKeyInfo stores metadata for certificate key pair
+	CertKeyInfo PKIRegistryCertKeyPairInfo `json:"certKeyInfo"`
+}
+
 // PKIRegistryInClusterCertKeyPair identifies certificate key pair and stores its metadata
 type PKIRegistryInClusterCertKeyPair struct {
 	// SecretLocation points to the secret location

pkg/certs/cert-inspection/certgraphapi/types.go

@@ -14,6 +14,7 @@ type PKIList struct {
 
 	InClusterResourceData PerInClusterResourceData
 	OnDiskResourceData    PerOnDiskResourceData
+	InMemoryResourceData  PerInMemoryResourceData
 
 	CertificateAuthorityBundles CertificateAuthorityBundleList
 	CertKeyPairs                CertKeyPairList
@@ -29,6 +30,12 @@ type PerInClusterResourceData struct {
 	CertKeyPairs []PKIRegistryInClusterCertKeyPair `json:"certKeyPairs"`
 }
 
+// PerInMemoryResourceData tracks metadata that corresponds to specific certificates stored in pod memory.
+type PerInMemoryResourceData struct {
+	// +mapType:=atomic
+	CertKeyPairs []PKIRegistryInMemoryCertKeyPair `json:"certKeyPairs"`
+}
+
 // PerOnDiskResourceData tracks metadata that corresponds to specific files on disk.
 // This data should not duplicate the analysis of the certkeypair lists, but is pulled from files on disk.
 // It will be stitched together by a generator after the fact.
@@ -89,8 +96,9 @@ type CertKeyPairStatus struct {
 }
 
 type CertKeyPairSpec struct {
-	SecretLocations []InClusterSecretLocation
-	OnDiskLocations []OnDiskCertKeyPairLocation
+	SecretLocations   []InClusterSecretLocation
+	OnDiskLocations   []OnDiskCertKeyPairLocation
+	InMemoryLocations []InClusterPodLocation
 
 	CertMetadata CertKeyMetadata
 	Details      CertKeyPairDetails
@@ -106,6 +114,11 @@ type InClusterConfigMapLocation struct {
 	Name      string
 }
 
+type InClusterPodLocation struct {
+	Namespace string
+	Name      string
+}
+
 type OnDiskCertKeyPairLocation struct {
 	Cert OnDiskLocation
 	Key  OnDiskLocation