Merge pull request #14 from IBM/fix/ca

Fix/ca

Author: yuji-watanabe-jp

develop/local-deploy/crds/research.ibm.com_v1alpha1_integrityenforcer_cr_local.yaml

@@ -12,7 +12,11 @@ spec:
     - request:
         namespace: '*'
       subject:
-        email: [email protected]
+        commonName: "Cluster Admin"
+    - request:
+        namespace: '*'
+      subject:
+        email: "[email protected]"
     enforce:
     - namespace: '*'
     ignoreRequest: []
@@ -34,6 +38,10 @@ spec:
   enforcerConfigCrName: ie-config
   globalConfig: {}
   imagePullSecrets: []
+  certPoolConfig:
+    createIfNotExist: false
+    keyValue: test
+    name: ie-certpool-secret
   keyRingConfig:
     createIfNotExist: false
     keyValue: test

develop/signservice/signservice-operator/deploy/crds/research.ibm.com_signservices_crd.yaml

@@ -31,14 +31,25 @@ spec:
         spec:
           description: SignServiceSpec defines the desired state of SignService
           properties:
-            PrivateKeyRingSecretName:
-              type: string
+            certSigners:
+              items:
+                properties:
+                  isCA:
+                    type: boolean
+                  issuerName:
+                    type: string
+                  name:
+                    type: string
+                type: object
+              type: array
             enabled:
               description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
                 Important: Run "operator-sdk generate k8s" to regenerate code after
                 modifying this file Add custom validation using kubebuilder tags:
                 https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html'
               type: boolean
+            ieCertPoolSecretName:
+              type: string
             imagePullSecrets:
               items:
                 description: LocalObjectReference contains enough information to let
@@ -56,6 +67,8 @@ spec:
               type: array
             keyRingSecretName:
               type: string
+            privateKeyRingSecretName:
+              type: string
             serviceAccountName:
               type: string
             signService:
@@ -77,20 +90,30 @@ spec:
                   properties:
                     limits:
                       additionalProperties:
-                        type: string
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                        x-kubernetes-int-or-string: true
                       description: 'Limits describes the maximum amount of compute
                         resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
                       type: object
                     requests:
                       additionalProperties:
-                        type: string
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                        x-kubernetes-int-or-string: true
                       description: 'Requests describes the minimum amount of compute
                         resources required. If Requests is omitted for a container,
                         it defaults to Limits if that is explicitly specified, otherwise
                         to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
                       type: object
                   type: object
               type: object
+            signServiceSecretName:
+              type: string
             signers:
               items:
                 type: string

develop/signservice/signservice-operator/deploy/crds/research.ibm.com_v1alpha1_signservice_cr.yaml

@@ -5,9 +5,23 @@ metadata:
 spec:
   enabled: true
   keyRingSecretName: keyring-secret
-  PrivateKeyRingSecretName: private-keyring-secret
+  privateKeyRingSecretName: private-keyring-secret
+  signServiceSecretName: signservice-secret
+  ieCertPoolSecretName: ie-certpool-secret
   serviceAccountName: signservice-sa
   imagePullSecrets: []
+  certSigners:
+  - name: "Root CA"
+    isCA: true
+  - name: "Intermediate CA"
+    issuerName: "Root CA"
+    isCA: true
+  - name: "Cluster Admin"
+    issuerName: "Intermediate CA"
+    isCA: false
+  - name: "Service Team Admin A"
+    issuerName: "Intermediate CA"
+    isCA: false
   signers:
   - [email protected]
   invalidSigners:

develop/signservice/signservice-operator/deploy/crds/research.ibm.com_v1alpha1_signservice_cr_local.yaml

@@ -5,9 +5,23 @@ metadata:
 spec:
   enabled: true
   keyRingSecretName: keyring-secret
-  PrivateKeyRingSecretName: private-keyring-secret
+  privateKeyRingSecretName: private-keyring-secret
+  signServiceSecretName: signservice-secret
+  ieCertPoolSecretName: ie-certpool-secret
   serviceAccountName: signservice-sa
   imagePullSecrets: []
+  certSigners:
+  - name: "Root CA"
+    isCA: true
+  - name: "Intermediate CA"
+    issuerName: "Root CA"
+    isCA: true
+  - name: "Cluster Admin"
+    issuerName: "Intermediate CA"
+    isCA: false
+  - name: "Service Team Admin A"
+    issuerName: "Intermediate CA"
+    isCA: false
   signers:
   - [email protected]
   invalidSigners:

develop/signservice/signservice-operator/go.mod

@@ -21,7 +21,6 @@ replace (
 	github.com/IBM/integrity-enforcer/enforcer => ../../../enforcer
 	github.com/IBM/integrity-enforcer/operator => ../../../operator
 	github.com/Azure/go-autorest => github.com/Azure/go-autorest v13.3.4-0.20200207053602-7439e774c9e9+incompatible
-	github.com/IBM/integrity-enforcer/enforcer => ../../../enforcer
 	k8s.io/api => k8s.io/api v0.16.5-beta.1
 	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.16.5-beta.1
 	k8s.io/apimachinery => k8s.io/apimachinery v0.16.5-beta.1

develop/signservice/signservice-operator/go.sum

@@ -64,6 +64,7 @@ github.com/DATA-DOG/go-sqlmock v1.4.1/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14=
 github.com/IBM/integrity-enforcer v0.0.0-20200602121605-c0fa868d3900 h1:oAVE0J7k3c9vpux3RcbUz+bRX685eP++ZOWXT9lOiCU=
+github.com/IBM/integrity-enforcer v0.0.0-20200629083539-d7f76e65d8ac h1:MkZ13HjGkxhClkHHSlVemcWdkqLVRXl1oonWgrLwrDw=
 github.com/IBM/integrity-enforcer/operator v0.0.0-20200602121605-c0fa868d3900 h1:1t4sod4GyNSuVWc8EL0nc3QZWlsmGI45LY1Rc1xaNCA=
 github.com/IBM/integrity-enforcer/operator v0.0.0-20200602121605-c0fa868d3900/go.mod h1:yOulHMTF8y/Lo9IimqaBEdlaXZ29sj5OZiqXmAzlSWM=
 github.com/JeffAshton/win_pdh v0.0.0-20161109143554-76bb4ee9f0ab/go.mod h1:3VYc5hodBMJ5+l/7J4xAyMeuM2PNuepvHlGs8yilUCA=

develop/signservice/signservice-operator/pkg/apis/research/v1alpha1/signservice_types.go

@@ -17,6 +17,7 @@
 package v1alpha1
 
 import (
+	pkix "github.com/IBM/integrity-enforcer/develop/signservice/signservice-operator/pkg/pkix"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -31,12 +32,15 @@ type SignServiceSpec struct {
 	// Add custom validation using kubebuilder tags: https://book-v1.book.kubebuilder.io/beyond_basics/generating_crd.html
 	Enabled                  bool                      `json:"enabled,omitempty"`
 	KeyRingSecretName        string                    `json:"keyRingSecretName,omitempty"`
-	PrivateKeyRingSecretName string                    `json:"PrivateKeyRingSecretName,omitempty"`
+	PrivateKeyRingSecretName string                    `json:"privateKeyRingSecretName,omitempty"`
+	SignServiceSecretName    string                    `json:"signServiceSecretName,omitempty"`
+	IECertPoolSecretName     string                    `json:"ieCertPoolSecretName,omitempty"`
 	ImagePullSecrets         []v1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 	ServiceAccountName       string                    `json:"serviceAccountName,omitempty"`
 	SignService              SignServiceContainer      `json:"signService,omitempty"`
 	Signers                  []string                  `json:"signers,omitempty"`
 	InvalidSigners           []string                  `json:"invalidSigners,omitempty"`
+	CertSigners              []pkix.SignerCertName     `json:"certSigners,omitempty"`
 }
 
 type SignServiceContainer struct {

develop/signservice/signservice-operator/pkg/apis/research/v1alpha1/zz_generated.deepcopy.go

@@ -22,6 +22,7 @@ import (
 
 	researchv1alpha1 "github.com/IBM/integrity-enforcer/develop/signservice/signservice-operator/pkg/apis/research/v1alpha1"
 	"github.com/IBM/integrity-enforcer/develop/signservice/signservice-operator/pkg/pgpkey"
+	"github.com/IBM/integrity-enforcer/develop/signservice/signservice-operator/pkg/pkix"
 	res "github.com/IBM/integrity-enforcer/develop/signservice/signservice-operator/pkg/resources"
 	"github.com/IBM/integrity-enforcer/operator/pkg/cert"
 	appsv1 "k8s.io/api/apps/v1"
@@ -84,6 +85,36 @@ func (r *ReconcileSignService) createOrUpdateSecret(instance *researchv1alpha1.S
 
 }
 
+// create 2 signer secrets for signservice and for ie at the same time
+func (r *ReconcileSignService) createOrUpdateSignerCertSecret(
+	instance *researchv1alpha1.SignService) (reconcile.Result, error) {
+
+	// signservice-secret
+	expected := res.BuildSignServiceSecretForIE(instance)
+
+	reqLogger := log.WithValues(
+		"Instance.Name", instance.Name,
+		"Secret.Name", expected.Name)
+
+	keyBoxList, err := pkix.CreateKeyBoxListFromSignerChain(instance.Spec.CertSigners)
+	if err != nil {
+		reqLogger.Error(err, "Failed to generate keyring.")
+		return reconcile.Result{}, err
+	}
+
+	expected.Data = keyBoxList.ToSecretData()
+	recResult, err := r.createOrUpdateSecret(instance, expected)
+	if err != nil {
+		reqLogger.Error(err, "Failed to generate keyring.")
+		return recResult, err
+	}
+
+	// ie-certpool-secret
+	expected2 := res.BuildIECertPoolSecretForIE(instance)
+	expected2.Data = keyBoxList.ToCertPoolData()
+	return r.createOrUpdateSecret(instance, expected2)
+}
+
 // create public and private keyring secret at the same time
 func (r *ReconcileSignService) createOrUpdateKeyringSecret(
 	instance *researchv1alpha1.SignService) (reconcile.Result, error) {

develop/signservice/signservice-operator/pkg/controller/signservice/signservice.go

@@ -124,26 +124,33 @@ func (r *ReconcileSignService) Reconcile(request reconcile.Request) (reconcile.R
 			return recResult, recErr
 		}
 
-		//SignService Secret
-		// public and private keyring secrets are created at the same time
+		//SignService Secret & IECertPool Secret
+		// 2 signer secrets are created at the same time
+		recResult, recErr = r.createOrUpdateSignerCertSecret(instance)
+		if recErr != nil || recResult.Requeue {
+			return recResult, recErr
+		}
+
+		//SignService gpg keyring Secret
+		// public and private secrets are created at the same time
 		recResult, recErr = r.createOrUpdateKeyringSecret(instance)
 		if recErr != nil || recResult.Requeue {
 			return recResult, recErr
 		}
 
-		//SignService Deployment
+		//SignService ServiceAccount
 		recResult, recErr = r.createOrUpdateServiceAccount(instance)
 		if recErr != nil || recResult.Requeue {
 			return recResult, recErr
 		}
 
-		//SignService Deployment
+		//SignService Role
 		recResult, recErr = r.createOrUpdateRole(instance)
 		if recErr != nil || recResult.Requeue {
 			return recResult, recErr
 		}
 
-		//SignService Deployment
+		//SignService RoleBinding
 		recResult, recErr = r.createOrUpdateRoleBinding(instance)
 		if recErr != nil || recResult.Requeue {
 			return recResult, recErr