feat(filemonitor): add new filemonitor package

Watcher is a generic (also cross platform) file watching mechanism for
receiving file system events in real time. A simple API has been written
to watch a list of paths and to run a user defined callback for
processing of the events.

Using the above, a keystore has been made such that when a target
directory containing certificates are updated the contents are made
available via a callback. This callback is compatible with passing to an
http server tls config, which allows for zero downtime certificate
swapping.

Author: Jeff Peeler

pkg/lib/filemonitor/cert_updater.go

@@ -0,0 +1,90 @@
+package filemonitor
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"path/filepath"
+	"sync"
+
+	"github.com/fsnotify/fsnotify"
+	"github.com/sirupsen/logrus"
+)
+
+type keystore struct {
+	mutex      sync.RWMutex
+	cert       *tls.Certificate
+	tlsCrtPath string
+	tlsKeyPath string
+}
+
+type getCertFn = func(*tls.ClientHelloInfo) (*tls.Certificate, error)
+
+// NewKeystore returns a store for storing the certificate data and the ability to retrieve it safely
+func NewKeystore(tlsCrt, tlsKey string) *keystore {
+	cert, err := tls.LoadX509KeyPair(tlsCrt, tlsKey)
+	if err != nil {
+		panic(err)
+	}
+	return &keystore{
+		mutex:      sync.RWMutex{},
+		cert:       &cert,
+		tlsCrtPath: tlsCrt,
+		tlsKeyPath: tlsKey,
+	}
+}
+
+// HandleFilesystemUpdate is intended to be used as the OnUpdateFn for a watcher
+// and expects the certificate files to be in the same directory.
+func (k *keystore) HandleFilesystemUpdate(logger *logrus.Logger, event fsnotify.Event) {
+	switch op := event.Op; op {
+	case fsnotify.Create:
+		logger.Debugf("got fs event for %v", event.Name)
+
+		if err := k.storeCertificate(k.tlsCrtPath, k.tlsKeyPath); err != nil {
+			// this can happen if both certificates aren't updated at the same
+			// time, but it's okay as replacement only occurs with a valid key pair
+			logger.Debugf("certificates not in sync: %v", err)
+		} else {
+			info, err := x509.ParseCertificate(k.cert.Certificate[0])
+			if err != nil {
+				logger.Debugf("certificates refreshed, but parsing returned error: %v", err)
+			} else {
+				logger.Debugf("certificates refreshed: Subject=%v NotBefore=%v NotAfter=%v", info.Subject, info.NotBefore, info.NotAfter)
+			}
+		}
+	}
+}
+
+func (k *keystore) storeCertificate(tlsCrt, tlsKey string) error {
+	cert, err := tls.LoadX509KeyPair(tlsCrt, tlsKey)
+	if err == nil {
+		k.mutex.Lock()
+		defer k.mutex.Unlock()
+		k.cert = &cert
+	}
+	return err
+}
+
+func (k *keystore) GetCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	k.mutex.RLock()
+	defer k.mutex.RUnlock()
+	return k.cert, nil
+}
+
+// OLMGetCertRotationFn is a convenience function for OLM use only, but serves as an example for monitoring file system events
+func OLMGetCertRotationFn(logger *logrus.Logger, tlsCertPath, tlsKeyPath string) (getCertFn, error) {
+	if filepath.Dir(tlsCertPath) != filepath.Dir(tlsKeyPath) {
+		return nil, fmt.Errorf("certificates expected to be in same directory %v vs %v", tlsCertPath, tlsKeyPath)
+	}
+
+	keystore := NewKeystore(tlsCertPath, tlsKeyPath)
+	watcher, err := NewWatch(logger, []string{filepath.Dir(tlsCertPath)}, keystore.HandleFilesystemUpdate)
+	if err != nil {
+		return nil, err
+	}
+	watcher.Run(context.Background())
+
+	return keystore.GetCertificate, nil
+}

pkg/lib/filemonitor/cert_updater_test.go

@@ -0,0 +1,135 @@
+package filemonitor
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"html"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strconv"
+	"testing"
+	"time"
+
+	"k8s.io/apimachinery/pkg/util/wait"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOLMGetCertRotationFn(t *testing.T) {
+	logger := logrus.New()
+	logger.SetLevel(logrus.DebugLevel)
+	logger.SetFormatter(&logrus.TextFormatter{
+		TimestampFormat: time.RFC3339Nano,
+	})
+
+	testData := "testdata"
+	monitorDir := "monitor"
+	caCrt := filepath.Join(testData, "ca.crt")
+	oldCrt := filepath.Join(testData, "server-old.crt")
+	oldKey := filepath.Join(testData, "server-old.key")
+	newCrt := filepath.Join(testData, "server-new.crt")
+	newKey := filepath.Join(testData, "server-new.key")
+	loadCrt := filepath.Join(monitorDir, "loaded.crt")
+	loadKey := filepath.Join(monitorDir, "loaded.key")
+
+	// these values must match values specified in the testdata generation script
+	expectedOldCN := "CN=127.0.0.1,OU=OpenShift,O=Red Hat,L=Columbia,ST=SC,C=US"
+	expectedNewCN := "CN=127.0.0.1,OU=OpenShift,O=Red Hat,L=New York City,ST=NY,C=US"
+
+	// the directory is expected to contain exactly one keypair, so create an empty directory to swap the keys in
+	err := os.RemoveAll(monitorDir) // this is for test development, shouldn't ever exist beforehand otherwise
+	require.NoError(t, err)
+	err = os.Mkdir(monitorDir, 0777)
+	require.NoError(t, err)
+
+	// symlink old files to loading files
+	err = os.Symlink(filepath.Join("..", oldCrt), loadCrt)
+	require.NoError(t, err)
+	err = os.Symlink(filepath.Join("..", oldKey), loadKey)
+	require.NoError(t, err)
+
+	tlsGetCertFn, err := OLMGetCertRotationFn(logger, loadCrt, loadKey)
+	require.NoError(t, err)
+
+	// find a free port to listen on and start server
+	listener, err := net.Listen("tcp", ":0")
+	require.NoError(t, err)
+	freePort := listener.Addr().(*net.TCPAddr).Port
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "Path: %q", html.EscapeString(r.URL.Path))
+	})
+	httpsServer := &http.Server{
+		Addr: ":" + strconv.Itoa(freePort),
+		TLSConfig: &tls.Config{
+			GetCertificate: tlsGetCertFn,
+		},
+	}
+	go func() {
+		if err := httpsServer.ServeTLS(listener, "", ""); err != nil {
+			panic(err)
+		}
+	}()
+
+	caCert, err := ioutil.ReadFile(caCrt)
+	require.NoError(t, err)
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs: caCertPool,
+			},
+		},
+	}
+
+	resp, err := client.Get(fmt.Sprintf("https://localhost:%v", freePort))
+	require.NoError(t, err)
+	assert.Equal(t, resp.StatusCode, http.StatusOK)
+	assert.Equal(t, expectedOldCN, resp.TLS.PeerCertificates[0].Subject.String())
+	resp.Body.Close()
+	client.CloseIdleConnections()
+
+	// atomically switch out the symlink so the file contents are always seen in a consistent state
+	// (the same idea is used in the atomic writer in kubernetes)
+	atomicCrt := loadCrt + ".atomic-op"
+	atomicKey := loadKey + ".atomic-op"
+	err = os.Symlink(filepath.Join("..", newCrt), atomicCrt)
+	require.NoError(t, err)
+	err = os.Symlink(filepath.Join("..", newKey), atomicKey)
+	require.NoError(t, err)
+
+	err = os.Rename(atomicCrt, loadCrt)
+	require.NoError(t, err)
+	err = os.Rename(atomicKey, loadKey)
+	require.NoError(t, err)
+
+	// sometimes the the filesystem operations need time to catch up so the server cert is updated
+	err = wait.PollImmediate(500*time.Millisecond, 10*time.Second, func() (bool, error) {
+		currentCert, _ := tlsGetCertFn(nil)
+		info, err := x509.ParseCertificate(currentCert.Certificate[0])
+		if err != nil {
+			return false, err
+		}
+		if info.Subject.String() == expectedNewCN {
+			return true, nil
+		}
+
+		return false, nil
+	})
+	require.NoError(t, err)
+
+	resp, err = client.Get(fmt.Sprintf("https://localhost:%v", freePort))
+	require.NoError(t, err)
+	assert.Equal(t, resp.StatusCode, http.StatusOK)
+	assert.Equal(t, expectedNewCN, resp.TLS.PeerCertificates[0].Subject.String())
+
+	os.RemoveAll(monitorDir)
+}

pkg/lib/filemonitor/testdata/ca.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUZSqEGDsDVte9dO9YVGNd3n9/EakwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJMTI3LjAuMC4xMB4XDTE5MTEyMzAyMDM1OFoXDTQ3MDQx
+MDAyMDM1OFowFDESMBAGA1UEAwwJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA4Gwb6+HM2IJn/ZZIERVA/ngKQzk+Lk+36Yrn1ka8HOum
+vmWhozle3FwczCOQks5Jc2v5W6ulZHg0uQtNutw3lWkinVqGZzI34E0bxKchPniy
+egGnW3n9/dgIVd9ooPnOLJJXEwV4ZVIhubfB/EHib9rha2nIKVyYxihhrkCMU8aq
+qhYqOzJYk9eWzwB+mXAxW5AMmUAmVF0J9JvpG/FHliG+WgJNrxunuGuIa4XLw50H
+V5bJ5pXUdX/L0EPTQ1KWpmjByFD/dcOmFGc+pdw+x84CYUAH2DkxewUHAe0e6hlO
+RY3tuOXEigtfU6F0jUxD2RjC2pBp1WoH+UyyUiRQTQIDAQABo1MwUTAdBgNVHQ4E
+FgQU0jPw9F7SBqdbDbws33KFGPqKqb8wHwYDVR0jBBgwFoAU0jPw9F7SBqdbDbws
+33KFGPqKqb8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAjDnW
+CiQ8X+Ncm09bF6SXjtTzwbSduJ7VEkVjVm+nW0/Rh56Lgw0Z/ceWy/GyqYzuhsUz
+6uQOrS3drlg+p2fn4ZqtKWmDByYaUQS709I/qDkBE9mXxjojOhnQEqgjdQ5yoIP7
+mXeJQlFlrSaf4yEW264XQjbasKGQi2QBejhHK+aHw6PsszaNxqeqvTr0K95OTPPv
+vl2L0A4grMKtXnws8LL6zazz9eqib0K9iyHOLxvtWnPjc1y3XmFPr8mjWmbc9pl3
+5UGohvZy/wBjPS0YPLMDoGGu0jajvbNqcoEMFJ6Zo6oPGJIpwpqCjgLAgwMpx9oL
+EhMnEidqcop3+Z28kA==
+-----END CERTIFICATE-----

pkg/lib/filemonitor/testdata/cert-config/Makefile

@@ -0,0 +1,14 @@
+DESTINATION:=../
+
+all:
+	./gen-certs.sh
+
+clean:
+	rm -f *.csr *.crt *.key *.srl
+
+copy:
+	cp ca.crt $(DESTINATION)
+	cp server-old.crt $(DESTINATION)
+	cp server-old.key $(DESTINATION)
+	cp server-new.crt $(DESTINATION)
+	cp server-new.key $(DESTINATION)

pkg/lib/filemonitor/testdata/cert-config/csr-new.conf

@@ -0,0 +1,28 @@
+[ req ]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+
+[ dn ]
+C = US
+ST = NY
+L = New York City
+O = Red Hat
+OU = OpenShift
+CN = 127.0.0.1
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+IP.1 = 127.0.0.1
+
+[ v3_ext ]
+authorityKeyIdentifier=keyid,issuer:always
+basicConstraints=CA:FALSE
+keyUsage=keyEncipherment,dataEncipherment
+extendedKeyUsage=serverAuth,clientAuth
+subjectAltName=@alt_names

pkg/lib/filemonitor/testdata/cert-config/csr-old.conf

@@ -0,0 +1,28 @@
+[ req ]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+
+[ dn ]
+C = US
+ST = SC
+L = Columbia
+O = Red Hat
+OU = OpenShift
+CN = 127.0.0.1
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+IP.1 = 127.0.0.1
+
+[ v3_ext ]
+authorityKeyIdentifier=keyid,issuer:always
+basicConstraints=CA:FALSE
+keyUsage=keyEncipherment,dataEncipherment
+extendedKeyUsage=serverAuth,clientAuth
+subjectAltName=@alt_names

pkg/lib/filemonitor/testdata/cert-config/gen-certs.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# Based off:
+# https://kubernetes.io/docs/concepts/cluster-administration/certificates/
+#
+# This scripts generates self-signed certificate keypairs, with the only
+# difference being that the subjects are different (set in $CSR) to easily allow
+# detecting which are in use.
+
+function set_variables {
+  MASTER_IP="127.0.0.1"
+  CA_CRT=ca.crt
+  CA_KEY=ca.key
+  CSR=csr-$SUFFIX.conf
+  SERVER_CSR=server-$SUFFIX.csr
+  SERVER_CRT=server-$SUFFIX.crt
+  SERVER_KEY=server-$SUFFIX.key
+}
+
+function generate_ca {
+  openssl genrsa -out $CA_KEY 2048
+  openssl req -x509 -new -nodes -key $CA_KEY -subj "/CN=${MASTER_IP}" -days 10000 -out $CA_CRT
+}
+
+function generate_certs {
+  echo "Generating certs for $SUFFIX"
+  openssl genrsa -out "$SERVER_KEY" 2048
+  openssl req -new -key "$SERVER_KEY" -out "$SERVER_CSR" -config "$CSR"
+  openssl x509 -req -in "$SERVER_CSR" -CA $CA_CRT -CAkey "$CA_KEY" -CAcreateserial -out "$SERVER_CRT" -days 10000 -extensions v3_ext -extfile "$CSR"
+  #openssl x509  -noout -text -in "$SERVER_CRT"
+  echo "---"
+}
+
+
+SUFFIX=old
+set_variables
+generate_ca # do this only once
+generate_certs
+
+SUFFIX=new
+set_variables
+generate_certs

pkg/lib/filemonitor/testdata/server-new.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtjCCAp6gAwIBAgIUTxuDVC0t2atYlgVW5iZ7Fz/9DMQwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJMTI3LjAuMC4xMB4XDTE5MTEyMzAyMDM1OFoXDTQ3MDQx
+MDAyMDM1OFowbDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMRYwFAYDVQQHDA1O
+ZXcgWW9yayBDaXR5MRAwDgYDVQQKDAdSZWQgSGF0MRIwEAYDVQQLDAlPcGVuU2hp
+ZnQxEjAQBgNVBAMMCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAL2SdYBu/Gee0CbxIAHAHaBRpOA6ZjzbBgiWbLDfvexqoNU3aR5ryjE/
+8QOdHxYQMon8ymDut6I/SF/XS+fke0WPtPmP1DyX2wAhzJLjpIR9GX1AVayHbKMB
+/kxbyI8ow0qmCQhtnCvBb4JWBDWYwn1t9qpHpE3E8kbM2sh4jI/03nxZkLv63qhE
+kLxXd1dnOJOGOsQEHULWyMSo0sRyEOvr5gNz4YlhxAITvdQAhjRU0HTASKTvEez7
+Ksm18S25tc/nE61Ql1QlXAHZF9/nIH9ZOKtHvZi1vRzwUlfmAMd5PeShfSRxGPYt
+nrOZo3i4fuppwY17Ek2+4OG03oomlZMCAwEAAaOBpzCBpDBPBgNVHSMESDBGgBTS
+M/D0XtIGp1sNvCzfcoUY+oqpv6EYpBYwFDESMBAGA1UEAwwJMTI3LjAuMC4xghRl
+KoQYOwNW171071hUY13ef38RqTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEMDAdBgNV
+HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGgYDVR0RBBMwEYIJbG9jYWxob3N0
+hwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQA14DWLtAPYC2jYAwrQTbV7NeI9hkKX
+n4Zhf2R/aN30gXKD4yKfi1QOxoOdywaJD4659Q5trJkRB1mOE2pKsuL+PsLd8Z4h
+7K7D2avsTf06Dwl4LBjhCuWNKqIJFATRYX5BkbBvm2N3R/Z8tu31IAzyCZGItTVw
+yLzttjiZ43SzoVmHGbIkaqYzmUkhgknZsrQAF09e7JxfsOmAk2T6ykad7lnJq12C
+mrsSwH193Yx/8YdWokxZxZeGpt5lyeZZJU05DU5LXydpQh7t/XdfE9Y6zpqEaH1R
+Ra7xE8IwC9t1c+Z1tcnXKxEgJ/2e1Zm7nqHQC+D5Y3hEngAJYRi8OM+Q
+-----END CERTIFICATE-----