pkg/certs: Move certgen into a public package so other projects can consume

[stevesloka]

Some projects like the Contour Operator, need ways to create certificates for
Contour deployments. Currently, this is done via a Kubernetes Job which executes
the Contour command certgen which generates self-signed certificates used for
communication between Contour<>Envoy.

This moves the generation logic into a public package (e.g. pkg/certs) which
allows projects to consume this same code to generate certificates by other
means other than the Contour certgen command.

Fixes #3130

Signed-off-by: Steve Sloka slokas@vmware.com

[stevesloka]

@danehans @Miciah

// ref projectcontour/contour-operator#34

[codecov]

Codecov Report

Merging #3135 (cc2c5f2) into main (ca29391) will decrease coverage by 0.08%.
The diff coverage is 69.56%.

@@            Coverage Diff             @@
##             main    #3135      +/-   ##
==========================================
- Coverage   75.39%   75.30%   -0.09%     
==========================================
  Files          97       96       -1     
  Lines        6023     5925      -98     
==========================================
- Hits         4541     4462      -79     
+ Misses       1372     1363       -9     
+ Partials      110      100      -10     

Impacted Files	Coverage Δ
cmd/contour/certgen.go	26.00% <0.00%> (-21.30%)	⬇️
internal/certgen/certgen.go	72.83% <100.00%> (ø)
internal/dag/httpproxy_processor.go	94.15% <0.00%> (-0.02%)	⬇️
internal/k8s/log.go	69.56% <0.00%> (+6.52%)	⬆️

[skriss]

any reason not to combine GenerateCerts and OutputCerts into a single exported function, since they need to be called one after the other? It'd make for a slightly cleaner public API IMHO.

[stevesloka]

Yeah I'll do that, less API exposed is better. =)

[stevesloka]

In looking into this a bit more, it seems like we should have 3 public methods outlined below. The confusing part about how it's built today is that if you request a cert in yaml or pem format, you still need to pass a kubeclient which isn't used at all in those two situations.

1. Kubernetes Secret (--kube), GenerateKubeCertificates(format string, kubeclient *kubernetes.Clientset, overwrite bool)
2. Yaml (--yaml), GenerateYamlCertificates(format, outputDirectory string, force bool)
3. PEM (--pem), GeneratePemCertificates(format, outputDirectory string, force bool)

Note: We could combine the yaml & pem into a single one, but I'd probably keep separate? /shrug

This means then that the doCertgen() inside cmd/contour will look at the flags passed and call each public method appropriately, but external callers have a clean API to use to code against.

[jpeach]

I propose just one API:

type CertificateSet struct {
    Contour []byte
    Envoy []byte
    CA []byte
}

func GenerateCertificates(options ...) (CertificateSet, error)

The caller can deal with emitting the certificates in the way they need (i.e. contour-operator probably can't directly use any of the specific APIs above). We probably need the options so the caller can do things like set unique SAN entries.

[stevesloka]

The operator can use the apis above as-is.

The work to serialize them to pem or yaml or secrets is a benefit of using a library as this is intended so the caller doesn't need to reinvent that work.

[stevesloka]

There could be further customizations to add name, etc, etc, but could come as well as needed.

[jpeach]

The operator can use the apis above as-is.

Are you sure? The operator doesn't need GenerateYamlCertificates or GenerateYamlCertificates. It may need GenerateKubeCertificates, but (1) depending on the Kubernetes framework it uses, it may not have easy access to the right client struct (2) it may need to specify the name or namespace of the secret (3) it may need to set owner references or other object meta information (4) it may combine the certificates into secrets in way this function does not anticipate.

[stevesloka]

Requirements / needs will change over time, 💯 .

[youngnick]

I like the sound of @jpeach's suggestion, it seems like a nice, clean API. I think it's probably better to have separate Output functions for each type though, so that we can ensure that things consuming this package output their certs in the right way (ie files have the correct permissions etc, certificates are in the right formats, and so on). Callers don't have to use the Output functions, but supplying them makes keeping things in sync easier.

[github-actions]

Marking this PR stale since there has been no activity for 14 days. It will be closed if there is no activity for another 90 days.

[stevesloka]

Ok folks, I just did a big refactor to this, please take a look.

[sunjayBhatia]

LGTM, looks like a solid move over of the existing code and kept to the pared down interface, with some configurability

[skriss]

It'd be great to get @danehans to take a look at this too and validate that the public API will work for the operator's needs.

[skriss]

LGTM assuming @danehans confirms this will meet the Operator's needs.

[youngnick]

LGTM, nice work @stevesloka