feat: cert manager (maybe?)

Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>
anza-labs · Jan 30, 2025 · 7ae87f8 · 7ae87f8
1 parent 36d9606
commit 7ae87f8
Show file tree

Hide file tree

Showing 8 changed files with 112 additions and 57 deletions.
diff --git a/go.mod b/go.mod
@@ -6,6 +6,7 @@ toolchain go1.23.5
 
 require (
 	github.com/Masterminds/semver/v3 v3.3.1
+	github.com/cert-manager/cert-manager v1.16.3
 	github.com/stretchr/testify v1.10.0
 	k8s.io/api v0.32.1
 	k8s.io/apimachinery v0.32.1
@@ -208,7 +209,7 @@ require (
 	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
 	github.com/jjti/go-spancheck v0.6.4 // indirect
 	github.com/jmespath-community/go-jmespath v1.1.2-0.20240930152130-6eb5a346873f // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/jstemmer/go-junit-report/v2 v2.1.0 // indirect
@@ -412,6 +413,7 @@ require (
 	mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
 	oras.land/oras-go v1.2.5 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 // indirect
+	sigs.k8s.io/gateway-api v1.1.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263 // indirect
 	sigs.k8s.io/kustomize/api v0.19.0 // indirect

diff --git a/go.sum b/go.sum
@@ -360,6 +360,8 @@ github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyY
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
 github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
+github.com/cert-manager/cert-manager v1.16.3 h1:seEF5eidFaeduaCuM85PFEuzH/1X/HOV5Y8zDQrHgpc=
+github.com/cert-manager/cert-manager v1.16.3/go.mod h1:6JQ/GAZ6dH+erqS1BbaqorPy8idJzCtWFUmJQBTjo6Q=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -868,8 +870,9 @@ github.com/jjti/go-spancheck v0.6.4 h1:Tl7gQpYf4/TMU7AT84MN83/6PutY21Nb9fuQjFTpR
 github.com/jjti/go-spancheck v0.6.4/go.mod h1:yAEYdKJ2lRkDA8g7X+oKUHXOWVAXSBJRv04OhF+QUjk=
 github.com/jmespath-community/go-jmespath v1.1.2-0.20240930152130-6eb5a346873f h1:odDspPS6qzM68hfqzW5U/nADXItki7GdRSPJbMM1phY=
 github.com/jmespath-community/go-jmespath v1.1.2-0.20240930152130-6eb5a346873f/go.mod h1:VL6C6nwf/wRivvXAjziX9yFRVmvOC1qzERc8RTQ0tv4=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY=
+github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
@@ -991,8 +994,8 @@ github.com/mattn/go-sqlite3 v1.6.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOq
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mgechev/revive v1.5.1 h1:hE+QPeq0/wIzJwOphdVyUJ82njdd8Khp4fUIHGZHW3M=
 github.com/mgechev/revive v1.5.1/go.mod h1:lC9AhkJIBs5zwx8wkudyHrU+IJkrEKmpCmGMnIJPk4o=
-github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
-github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
+github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
+github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
 github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU=
 github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
@@ -2176,6 +2179,8 @@ sigs.k8s.io/controller-runtime v0.19.4 h1:SUmheabttt0nx8uJtoII4oIP27BVVvAKFvdvGF
 sigs.k8s.io/controller-runtime v0.19.4/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/controller-tools v0.16.5 h1:5k9FNRqziBPwqr17AMEPPV/En39ZBplLAdOwwQHruP4=
 sigs.k8s.io/controller-tools v0.16.5/go.mod h1:8vztuRVzs8IuuJqKqbXCSlXcw+lkAv/M2sTpg55qjMY=
+sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM=
+sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
 sigs.k8s.io/kind v0.26.0 h1:8fS6I0Q5WGlmLprSpH0DarlOSdcsv0txnwc93J2BP7M=

diff --git a/internal/manifests/controlplane.go b/internal/manifests/controlplane.go
diff --git a/internal/manifests/controlplane/certificates.go b/internal/manifests/controlplane/certificates.go
@@ -0,0 +1,65 @@
+// Copyright 2025 anza-labs contributors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controlplane
+
+import (
+	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+
+	controlplanev1alpha1 "github.com/anza-labs/kink/api/controlplane/v1alpha1"
+	"github.com/anza-labs/kink/internal/manifests/manifestutils"
+	"github.com/anza-labs/kink/internal/naming"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+type Certificates struct {
+	KinkControlPlane *controlplanev1alpha1.KinkControlPlane
+}
+
+func (b *Certificates) Build() []runtime.Object {
+	objects := []runtime.Object{
+		b.RootCA(),
+	}
+	return objects
+}
+
+// TODO:
+// - Issuer (Self-signed?)
+// - ETCD Server
+// - ETCD Client
+// https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/04-certificate-authority.md
+
+func (b *Certificates) RootCA() *certmanagerv1.Issuer {
+	selectorLabels := manifestutils.SelectorLabels(
+		b.KinkControlPlane.ObjectMeta,
+		ComponentCertificates, ConceptControlPlane,
+	)
+	annotations := manifestutils.Annotations(b.KinkControlPlane, nil)
+
+	return &certmanagerv1.Issuer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        naming.RootCA(),
+			Namespace:   b.KinkControlPlane.Namespace,
+			Labels:      selectorLabels,
+			Annotations: annotations,
+		},
+		Spec: certmanagerv1.IssuerSpec{
+			IssuerConfig: certmanagerv1.IssuerConfig{
+				SelfSigned: &certmanagerv1.SelfSignedIssuer{},
+			},
+		},
+	}
+}
diff --git a/internal/manifests/infrastructure.go → ...nifests/controlplane/certificates_test.go b/internal/manifests/infrastructure.go → ...nifests/controlplane/certificates_test.go
@@ -12,17 +12,4 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package manifests
-
-import (
-	infrastructurev1alpha1 "github.com/anza-labs/kink/api/infrastructure/v1alpha1"
-
-	"k8s.io/apimachinery/pkg/runtime"
-)
-
-type NodeBuilder struct{}
-
-func (b *NodeBuilder) Build(spec *infrastructurev1alpha1.KinkMachine) []runtime.Object {
-	objects := []runtime.Object{}
-	return objects
-}
+package controlplane
diff --git a/internal/manifests/controlplane/controllermanager.go b/internal/manifests/controlplane/controllermanager.go
@@ -53,7 +53,10 @@ func (b *ControllerManager) Deployment() *appsv1.Deployment {
 		name, image, ComponentControllerManager, ConceptControlPlane,
 		nil,
 	)
-	selectorLabels := manifestutils.SelectorLabels(b.KinkControlPlane.ObjectMeta, ComponentControllerManager, ConceptControlPlane)
+	selectorLabels := manifestutils.SelectorLabels(
+		b.KinkControlPlane.ObjectMeta,
+		ComponentControllerManager, ConceptControlPlane,
+	)
 	annotations := manifestutils.Annotations(b.KinkControlPlane, nil)
 	podAnnotations := manifestutils.PodAnnotations(b.KinkControlPlane, nil)
 
@@ -104,7 +107,10 @@ func (b *ControllerManager) Service() *corev1.Service {
 		name, image, ComponentControllerManager, ConceptControlPlane,
 		nil,
 	)
-	selectorLabels := manifestutils.SelectorLabels(b.KinkControlPlane.ObjectMeta, ComponentControllerManager, ConceptControlPlane)
+	selectorLabels := manifestutils.SelectorLabels(
+		b.KinkControlPlane.ObjectMeta,
+		ComponentControllerManager, ConceptControlPlane,
+	)
 	annotations := manifestutils.Annotations(b.KinkControlPlane, nil)
 
 	return &corev1.Service{

diff --git a/internal/manifests/controlplane/controlplane.go b/internal/manifests/controlplane/controlplane.go
@@ -14,11 +14,18 @@
 
 package controlplane
 
-import "fmt"
+import (
+	"fmt"
+
+	controlplanev1alpha1 "github.com/anza-labs/kink/api/controlplane/v1alpha1"
+
+	"k8s.io/apimachinery/pkg/runtime"
+)
 
 const (
 	ConceptControlPlane = "kink-control-plane"
 
+	ComponentCertificates      = "certificates"
 	ComponentAPIServer         = "api-server"
 	ComponentControllerManager = "controller-manager"
 	ComponentKine              = "kine"
@@ -28,7 +35,21 @@ const (
 func buildArgs(args map[string]string) []string {
 	cmd := []string{}
 	for arg, val := range args {
-		cmd = append(cmd, fmt.Sprintf("--%s=%s"), arg, val)
+		cmd = append(cmd, fmt.Sprintf("--%s=%s", arg, val))
 	}
 	return cmd
 }
+
+type ControlPlaneBuilder struct{}
+
+func (b *ControlPlaneBuilder) Build(kcp *controlplanev1alpha1.KinkControlPlane) ([]runtime.Object, error) {
+	objects := []runtime.Object{}
+
+	objects = append(objects, (&Certificates{KinkControlPlane: kcp}).Build()...)
+	objects = append(objects, (&APIServer{KinkControlPlane: kcp}).Build()...)
+	objects = append(objects, (&ControllerManager{KinkControlPlane: kcp}).Build()...)
+	objects = append(objects, (&Kine{KinkControlPlane: kcp}).Build()...)
+	objects = append(objects, (&Scheduler{KinkControlPlane: kcp}).Build()...)
+
+	return objects, nil
+}
diff --git a/internal/naming/naming.go b/internal/naming/naming.go
@@ -22,6 +22,10 @@ func APIServerContainer() string {
 	return "api-server"
 }
 
+func RootCA() string {
+	return "root-ca"
+}
+
 func Scheduler(base string) string {
 	return DNSName(Truncate("%s-scheduler", 63, base))
 }