config: add certificate authorities (pomerium#485)

LuxorLabs · Jan 17, 2023 · c2a8be2 · c2a8be2
1 parent 3e5c08d
commit c2a8be2
Show file tree

Hide file tree

Showing 8 changed files with 54 additions and 3 deletions.
diff --git a/apis/ingress/v1/pomerium_types.go b/apis/ingress/v1/pomerium_types.go
@@ -232,6 +232,10 @@ type PomeriumSpec struct {
 	// +optional
 	Certificates []string `json:"certificates"`
 
+	// CASecret should refer to k8s secrets with key <code>ca.crt</code> containing a CA certificate.
+	// +optional
+	CASecrets []string `json:"caSecrets"`
+
 	// Secrets references a Secret with Pomerium bootstrap parameters.
 	//
 	// <p>

diff --git a/apis/ingress/v1/zz_generated.deepcopy.go b/apis/ingress/v1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/ingress.pomerium.io_pomerium.yaml b/config/crd/bases/ingress.pomerium.io_pomerium.yaml
@@ -63,6 +63,12 @@ spec:
                 required:
                 - url
                 type: object
+              caSecrets:
+                description: CASecret should refer to k8s secrets with key <code>ca.crt</code>
+                  containing a CA certificate.
+                items:
+                  type: string
+                type: array
               certificates:
                 description: Certificates is a list of secrets of type TLS to use
                 format: namespace/name

diff --git a/controllers/settings/fetch.go b/controllers/settings/fetch.go
@@ -101,6 +101,16 @@ func fetchConfigSecrets(ctx context.Context, client client.Client, cfg *model.Co
 	s := cfg.Spec
 	return applyAll(
 		apply("bootstrap secret", required(&s.Secrets), &cfg.Secrets),
+		func() error {
+			for _, caSecret := range s.CASecrets {
+				secret, err := get(caSecret)()
+				if err != nil {
+					return fmt.Errorf("ca: %w", err)
+				}
+				cfg.CASecrets = append(cfg.CASecrets, secret)
+			}
+			return nil
+		},
 		apply("secret", required(&s.IdentityProvider.Secret), &cfg.IdpSecret),
 		apply("request params", optional(s.IdentityProvider.RequestParamsSecret), &cfg.RequestParams),
 		apply("service account", optional(s.IdentityProvider.ServiceAccountFromSecret), &cfg.IdpServiceAccount),

diff --git a/deployment.yaml b/deployment.yaml
@@ -71,6 +71,12 @@ spec:
                 required:
                 - url
                 type: object
+              caSecrets:
+                description: CASecret should refer to k8s secrets with key <code>ca.crt</code>
+                  containing a CA certificate.
+                items:
+                  type: string
+                type: array
               certificates:
                 description: Certificates is a list of secrets of type TLS to use
                 format: namespace/name

diff --git a/model/ingress_config.go b/model/ingress_config.go
@@ -80,6 +80,8 @@ type Config struct {
 	icsv1.Pomerium
 	// Secrets are key secrets
 	Secrets *corev1.Secret
+	// CASecrets are ca secrets
+	CASecrets []*corev1.Secret
 	// Certs are fetched certs from settings.Certificates
 	Certs map[types.NamespacedName]*corev1.Secret
 	// RequestParams is a secret from Settings.IdentityProvider.RequestParams

diff --git a/pomerium/config.go b/pomerium/config.go
@@ -1,10 +1,13 @@
 package pomerium
 
 import (
+	"bytes"
 	"context"
+	"encoding/base64"
 	"fmt"
 	"net/url"
 
+	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/durationpb"
 	corev1 "k8s.io/api/core/v1"
 
@@ -28,6 +31,7 @@ func applyConfig(ctx context.Context, p *pb.Config, c *model.Config) error {
 		name string
 		fn   func(context.Context, *pb.Config, *model.Config) error
 	}{
+		{"ca", applyCertificateAuthority},
 		{"certs", applyCerts},
 		{"authenticate", applyAuthenticate},
 		{"idp", applyIDP},
@@ -79,6 +83,22 @@ func applyCookie(_ context.Context, p *pb.Config, c *model.Config) error {
 	return nil
 }
 
+func applyCertificateAuthority(ctx context.Context, p *pb.Config, c *model.Config) error {
+	if len(c.CASecrets) == 0 {
+		return nil
+	}
+
+	var buf bytes.Buffer
+
+	for _, secret := range c.CASecrets {
+		buf.Write(secret.Data[model.CAKey])
+		buf.WriteRune('\n')
+	}
+
+	p.Settings.CertificateAuthority = proto.String(base64.StdEncoding.EncodeToString(buf.Bytes()))
+	return nil
+}
+
 func applyCerts(_ context.Context, p *pb.Config, c *model.Config) error {
 	if len(c.Certs) != len(c.Spec.Certificates) {
 		return fmt.Errorf("expected %d cert secrets, only %d was fetched. this is a bug", len(c.Spec.Certificates), len(c.Certs))

diff --git a/pomerium/ctrl/run.go b/pomerium/ctrl/run.go
@@ -14,9 +14,7 @@ import (
 	"github.com/pomerium/ingress-controller/pomerium"
 )
 
-var (
-	_ = pomerium.ConfigReconciler(new(Runner))
-)
+var _ = pomerium.ConfigReconciler(new(Runner))
 
 // Runner implements pomerium control loop
 type Runner struct {