feat(csv): add generated APIService resource check

- Adds check for existence and validity of generated owned APIService resources
in succeeded CSV phase
- Adds transition from succeeded phase to pending on
non-existent/invalid generated APIService resources
- Refactors cert expiration info in CSV spec and status

Author: njhale

deploy/chart/templates/0000_30_02-clusterserviceversion.crd.yaml

@@ -180,17 +180,7 @@ spec:
                           values:
                             type: array
                             description: set of values for the expression
-            certValidForDays:
-              type: integer
-              description: Number of days generated APIService certs are valid for
-              format: int32
-              minimum: 1
-              maximum: 730
-            certMinFreshSeconds:
-              type: integer
-              description: Minimum freshness of a cert before it is renewed; in seconds
-              format: int32
-              minimum: 10
+                            
             apiservicedefinitions:
               type: object
               properties:

pkg/api/apis/operators/v1alpha1/clusterserviceversion_types.go

@@ -135,14 +135,6 @@ type ClusterServiceVersionSpec struct {
 	// Label selector for related resources.
 	// +optional
 	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"`
-
-	// Number of days generated owned APIService certs are valid for
-	// +optional
-	CertValidForDays int `json:"certValidFor,omitempty"`
-
-	// Minimum freshness of a cert before it is renewed; in seconds
-	// +optional
-	CertMinFreshSeconds int `json:"certMinFresh,omitempty"`
 }
 
 type Maintainer struct {
@@ -189,19 +181,20 @@ const (
 type ConditionReason string
 
 const (
-	CSVReasonRequirementsUnknown ConditionReason = "RequirementsUnknown"
-	CSVReasonRequirementsNotMet  ConditionReason = "RequirementsNotMet"
-	CSVReasonRequirementsMet     ConditionReason = "AllRequirementsMet"
-	CSVReasonOwnerConflict       ConditionReason = "OwnerConflict"
-	CSVReasonComponentFailed     ConditionReason = "InstallComponentFailed"
-	CSVReasonInvalidStrategy     ConditionReason = "InvalidInstallStrategy"
-	CSVReasonWaiting             ConditionReason = "InstallWaiting"
-	CSVReasonInstallSuccessful   ConditionReason = "InstallSucceeded"
-	CSVReasonInstallCheckFailed  ConditionReason = "InstallCheckFailed"
-	CSVReasonComponentUnhealthy  ConditionReason = "ComponentUnhealthy"
-	CSVReasonBeingReplaced       ConditionReason = "BeingReplaced"
-	CSVReasonReplaced            ConditionReason = "Replaced"
-	CSVReasonNeedCertRefresh     ConditionReason = "NeedCertRefresh"
+	CSVReasonRequirementsUnknown     ConditionReason = "RequirementsUnknown"
+	CSVReasonRequirementsNotMet      ConditionReason = "RequirementsNotMet"
+	CSVReasonRequirementsMet         ConditionReason = "AllRequirementsMet"
+	CSVReasonOwnerConflict           ConditionReason = "OwnerConflict"
+	CSVReasonComponentFailed         ConditionReason = "InstallComponentFailed"
+	CSVReasonInvalidStrategy         ConditionReason = "InvalidInstallStrategy"
+	CSVReasonWaiting                 ConditionReason = "InstallWaiting"
+	CSVReasonInstallSuccessful       ConditionReason = "InstallSucceeded"
+	CSVReasonInstallCheckFailed      ConditionReason = "InstallCheckFailed"
+	CSVReasonComponentUnhealthy      ConditionReason = "ComponentUnhealthy"
+	CSVReasonBeingReplaced           ConditionReason = "BeingReplaced"
+	CSVReasonReplaced                ConditionReason = "Replaced"
+	CSVReasonNeedCertRotation        ConditionReason = "NeedCertRotation"
+	CSVReasonAPIServiceResourceIssue ConditionReason = "APIServiceResourceIssue"
 )
 
 // Conditions appear in the status as a record of state transitions on the ClusterServiceVersion
@@ -287,9 +280,12 @@ type ClusterServiceVersionStatus struct {
 	Conditions []ClusterServiceVersionCondition `json:"conditions,omitempty"`
 	// The status of each requirement for this CSV
 	RequirementStatus []RequirementStatus `json:"requirementStatus,omitempty"`
-	// Time to refresh generated owned APIService certs
+	// Last time the owned APIService certs were updated
+	// +optional
+	CertsLastUpdated metav1.Time `json:"certsLastUpdated,omitempty"`
+	// Time the owned APIService certs will rotate next
 	// +optional
-	CertRefresh metav1.Time `json:"certRefresh,omitempty"`
+	CertsRotateAt metav1.Time `json:"certsRotateAt,omitempty"`
 }
 
 // ClusterServiceVersion is a Custom Resource of type `ClusterServiceVersionSpec`.

pkg/api/apis/operators/v1alpha1/zz_generated.deepcopy.go

@@ -4,14 +4,21 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
+	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/hex"
 	"encoding/pem"
 	"fmt"
+	"math"
 	"math/big"
 	"time"
 )
 
+const (
+	Organization = "Red Hat, Inc."
+)
+
 // KeyPair stores an x509 certificate and its ECDSA private key
 type KeyPair struct {
 	Cert *x509.Certificate
@@ -42,19 +49,21 @@ func (kp *KeyPair) ToPEM() (certPEM []byte, privPEM []byte, err error) {
 }
 
 // GenerateCA generates a self-signed CA cert/key pair that expires in expiresIn days
-func GenerateCA(expiresIn int) (*KeyPair, time.Time, error) {
-	if expiresIn > 730 || expiresIn <= 0 {
-		return nil, time.Time{}, fmt.Errorf("invalid cert expiration")
+func GenerateCA(notAfter time.Time) (*KeyPair, error) {
+	notBefore := time.Now()
+	if notAfter.Before(notBefore) {
+		return nil, fmt.Errorf("invalid notAfter: %s before %s", notAfter.String(), notBefore.String())
 	}
 
-	notBefore := time.Now()
-	notAfter := notBefore.AddDate(0, 0, expiresIn)
+	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
 
 	caDetails := &x509.Certificate{
-		//TODO(Nick): figure out what to use for a SerialNumber
-		SerialNumber: big.NewInt(1653),
+		SerialNumber: serial,
 		Subject: pkix.Name{
-			Organization: []string{"Red Hat, Inc."},
+			Organization: []string{Organization},
 		},
 		NotBefore:             notBefore,
 		NotAfter:              notAfter,
@@ -66,43 +75,47 @@ func GenerateCA(expiresIn int) (*KeyPair, time.Time, error) {
 
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
-		return nil, time.Time{}, err
+		return nil, err
 	}
 
 	publicKey := &privateKey.PublicKey
 	certRaw, err := x509.CreateCertificate(rand.Reader, caDetails, caDetails, publicKey, privateKey)
 	if err != nil {
-		return nil, time.Time{}, err
+		return nil, err
 	}
 
 	cert, err := x509.ParseCertificate(certRaw)
 	if err != nil {
-		return nil, time.Time{}, err
+		return nil, err
 	}
 
 	ca := &KeyPair{
 		Cert: cert,
 		Priv: privateKey,
 	}
 
-	return ca, notAfter, nil
+	return ca, nil
 }
 
 // CreateSignedServingPair creates a serving cert/key pair signed by the given ca
-func CreateSignedServingPair(expiresIn int, ca *KeyPair, hosts []string) (*KeyPair, error) {
-	if expiresIn > 730 || expiresIn <= 0 {
-		return nil, fmt.Errorf("invalid cert expiration")
+func CreateSignedServingPair(notAfter time.Time, ca *KeyPair, hosts []string) (*KeyPair, error) {
+	notBefore := time.Now()
+	if notAfter.Before(notBefore) {
+		return nil, fmt.Errorf("invalid notAfter: %s before %s", notAfter.String(), notBefore.String())
+	}
+
+	serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
+	if err != nil {
+		return nil, err
 	}
 
 	certDetails := &x509.Certificate{
-		//TODO(Nick): figure out what to use for a SerialNumber
-		SerialNumber: big.NewInt(1653),
+		SerialNumber: serial,
 		Subject: pkix.Name{
-			Organization: []string{"Red Hat, Inc."},
+			Organization: []string{Organization},
 		},
-		NotBefore: time.Now(),
-		// Valid for 2 years
-		NotAfter:              time.Now().AddDate(0, 0, expiresIn),
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
@@ -132,3 +145,51 @@ func CreateSignedServingPair(expiresIn int, ca *KeyPair, hosts []string) (*KeyPa
 
 	return servingCert, nil
 }
+
+// PEMToCert converts the PEM block of the given byte array to an x509 certificate
+func PEMToCert(certPEM []byte) (*x509.Certificate, error) {
+	block, _ := pem.Decode(certPEM)
+	if block == nil {
+		return nil, fmt.Errorf("cert PEM empty")
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	return cert, nil
+}
+
+// VerifyCert checks that the given cert is signed and trusted by the given CA
+func VerifyCert(ca, cert *x509.Certificate, host string) error {
+	roots := x509.NewCertPool()
+	roots.AddCert(ca)
+
+	opts := x509.VerifyOptions{
+		DNSName: host,
+		Roots:   roots,
+	}
+
+	if _, err := cert.Verify(opts); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Active checks if the given cert is within its valid time window
+func Active(cert *x509.Certificate) bool {
+	now := time.Now()
+	active := now.After(cert.NotBefore) && now.Before(cert.NotAfter)
+	return active
+}
+
+type PEMHash func(certPEM []byte) (hash string)
+
+func PEMSHA256(certPEM []byte) (hash string) {
+	hasher := sha256.New()
+	hasher.Write(certPEM)
+	hash = hex.EncodeToString(hasher.Sum(nil))
+	return
+}