-
Notifications
You must be signed in to change notification settings - Fork 15
/
Copy pathtls.rs
169 lines (148 loc) · 5.91 KB
/
tls.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
use k8s_openapi::api::core::v1::{Volume, VolumeMount};
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use snafu::{ResultExt, Snafu};
use crate::{
builder::{ContainerBuilder, PodBuilder, VolumeMountBuilder},
commons::{
authentication::SECRET_BASE_PATH,
secret_class::{SecretClassVolume, SecretClassVolumeError},
},
};
#[derive(
Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
)]
#[serde(rename_all = "camelCase")]
pub struct AuthenticationProvider {
/// See [ADR017: TLS authentication](DOCS_BASE_URL_PLACEHOLDER/contributor/adr/adr017-tls_authentication).
/// If `client_cert_secret_class` is not set, the TLS settings may also be used for client authentication.
/// If `client_cert_secret_class` is set, the [SecretClass](DOCS_BASE_URL_PLACEHOLDER/secret-operator/secretclass)
/// will be used to provision client certificates.
pub client_cert_secret_class: Option<String>,
}
#[derive(Debug, Snafu)]
pub enum TlsClientDetailsError {
#[snafu(display("failed to convert secret class volume into named Kubernetes volume"))]
SecretClassVolume { source: SecretClassVolumeError },
}
#[derive(
Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
)]
#[serde(rename_all = "camelCase")]
pub struct TlsClientDetails {
/// Use a TLS connection. If not specified no TLS will be used.
pub tls: Option<Tls>,
}
impl TlsClientDetails {
/// This functions adds
///
/// * The needed volumes to the PodBuilder
/// * The needed volume_mounts to all the ContainerBuilder in the list (e.g. init + main container)
///
/// This function will handle
///
/// * Tls secret class used to verify the cert of the LDAP server
pub fn add_volumes_and_mounts(
&self,
pod_builder: &mut PodBuilder,
container_builders: Vec<&mut ContainerBuilder>,
) -> Result<(), TlsClientDetailsError> {
let (volumes, mounts) = self.volumes_and_mounts()?;
pod_builder.add_volumes(volumes);
for cb in container_builders {
cb.add_volume_mounts(mounts.clone());
}
Ok(())
}
/// It is recommended to use [`Self::add_volumes_and_mounts`], this function returns you the
/// volumes and mounts in case you need to add them by yourself.
pub fn volumes_and_mounts(
&self,
) -> Result<(Vec<Volume>, Vec<VolumeMount>), TlsClientDetailsError> {
let mut volumes = Vec::new();
let mut mounts = Vec::new();
if let Some(secret_class) = self.tls_ca_cert_secret_class() {
let volume_name = format!("{secret_class}-ca-cert");
let secret_class_volume = SecretClassVolume::new(secret_class.clone(), None);
let volume = secret_class_volume
.to_volume(&volume_name)
.context(SecretClassVolumeSnafu)?;
volumes.push(volume);
mounts.push(
VolumeMountBuilder::new(volume_name, format!("{SECRET_BASE_PATH}/{secret_class}"))
.build(),
);
}
Ok((volumes, mounts))
}
/// Whether TLS is configured
pub const fn uses_tls(&self) -> bool {
self.tls.is_some()
}
/// Whether TLS verification is configured. Returns `false` if TLS itself isn't configured
pub fn uses_tls_verification(&self) -> bool {
self.tls
.as_ref()
.map(|tls| tls.verification != TlsVerification::None {})
.unwrap_or_default()
}
/// Returns the path of the ca.crt that should be used to verify the LDAP server certificate
/// if TLS verification with a CA cert from a SecretClass is configured.
pub fn tls_ca_cert_mount_path(&self) -> Option<String> {
self.tls_ca_cert_secret_class()
.map(|secret_class| format!("{SECRET_BASE_PATH}/{secret_class}/ca.crt"))
}
/// Extracts the SecretClass that provides the CA cert used to verify the server certificate.
pub(crate) fn tls_ca_cert_secret_class(&self) -> Option<String> {
if let Some(Tls {
verification:
TlsVerification::Server(TlsServerVerification {
ca_cert: CaCert::SecretClass(secret_class),
}),
}) = &self.tls
{
Some(secret_class.to_owned())
} else {
None
}
}
}
#[derive(
Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
)]
#[serde(rename_all = "camelCase")]
pub struct Tls {
/// The verification method used to verify the certificates of the server and/or the client.
pub verification: TlsVerification,
}
#[derive(
Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
)]
#[serde(rename_all = "camelCase")]
pub enum TlsVerification {
/// Use TLS but don't verify certificates.
None {},
/// Use TLS and a CA certificate to verify the server.
Server(TlsServerVerification),
}
#[derive(
Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
)]
#[serde(rename_all = "camelCase")]
pub struct TlsServerVerification {
/// CA cert to verify the server.
pub ca_cert: CaCert,
}
#[derive(
Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
)]
#[serde(rename_all = "camelCase")]
pub enum CaCert {
/// Use TLS and the CA certificates trusted by the common web browsers to verify the server.
/// This can be useful when you e.g. use public AWS S3 or other public available services.
WebPki {},
/// Name of the [SecretClass](DOCS_BASE_URL_PLACEHOLDER/secret-operator/secretclass) which will provide the CA certificate.
/// Note that a SecretClass does not need to have a key but can also work with just a CA certificate,
/// so if you got provided with a CA cert but don't have access to the key you can still use this method.
SecretClass(String),
}