dynamiccert: split into serving cert and CA providers

Signed-off-by: Monis Khan <mok@vmware.com>

internal/controller/apicerts/certs_observer.go

@@ -18,14 +18,14 @@ import (
 type certsObserverController struct {
 	namespace               string
 	certsSecretResourceName string
-	dynamicCertProvider     dynamiccert.Provider
+	dynamicCertProvider     dynamiccert.Private
 	secretInformer          corev1informers.SecretInformer
 }
 
 func NewCertsObserverController(
 	namespace string,
 	certsSecretResourceName string,
-	dynamicCertProvider dynamiccert.Provider,
+	dynamicCertProvider dynamiccert.Private,
 	secretInformer corev1informers.SecretInformer,
 	withInformer pinnipedcontroller.WithInformerOptionFunc,
 ) controllerlib.Controller {

internal/controller/apicerts/certs_observer_test.go

@@ -17,6 +17,7 @@ import (
 	kubeinformers "k8s.io/client-go/informers"
 	kubernetesfake "k8s.io/client-go/kubernetes/fake"
 
+	"go.pinniped.dev/internal/certauthority"
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/dynamiccert"
 	"go.pinniped.dev/internal/testutil"
@@ -109,7 +110,7 @@ func TestObserverControllerSync(t *testing.T) {
 		var cancelContext context.Context
 		var cancelContextCancelFunc context.CancelFunc
 		var syncContext *controllerlib.Context
-		var dynamicCertProvider dynamiccert.Provider
+		var dynamicCertProvider dynamiccert.Private
 
 		// Defer starting the informers until the last possible moment so that the
 		// nested Before's can keep adding things to the informer caches.
@@ -145,7 +146,7 @@ func TestObserverControllerSync(t *testing.T) {
 
 			kubeInformerClient = kubernetesfake.NewSimpleClientset()
 			kubeInformers = kubeinformers.NewSharedInformerFactory(kubeInformerClient, 0)
-			dynamicCertProvider = dynamiccert.New(name)
+			dynamicCertProvider = dynamiccert.NewServingCert(name)
 		})
 
 		it.After(func() {
@@ -163,12 +164,18 @@ func TestObserverControllerSync(t *testing.T) {
 				err := kubeInformerClient.Tracker().Add(unrelatedSecret)
 				r.NoError(err)
 
-				crt, key, err := testutil.CreateCertificate(
+				caCrt, caKey, err := testutil.CreateCertificate(
 					time.Now().Add(-time.Hour),
 					time.Now().Add(time.Hour),
 				)
 				require.NoError(t, err)
 
+				ca, err := certauthority.Load(string(caCrt), string(caKey))
+				require.NoError(t, err)
+
+				crt, key, err := ca.IssueServerCertPEM(nil, nil, time.Hour)
+				require.NoError(t, err)
+
 				err = dynamicCertProvider.SetCertKeyContent(crt, key)
 				r.NoError(err)
 			})
@@ -186,12 +193,18 @@ func TestObserverControllerSync(t *testing.T) {
 
 		when("there is a serving cert Secret with the expected keys already in the installation namespace", func() {
 			it.Before(func() {
-				crt, key, err := testutil.CreateCertificate(
+				caCrt, caKey, err := testutil.CreateCertificate(
 					time.Now().Add(-time.Hour),
 					time.Now().Add(time.Hour),
 				)
 				require.NoError(t, err)
 
+				ca, err := certauthority.Load(string(caCrt), string(caKey))
+				require.NoError(t, err)
+
+				crt, key, err := ca.IssueServerCertPEM(nil, nil, time.Hour)
+				require.NoError(t, err)
+
 				apiServingCertSecret := &corev1.Secret{
 					ObjectMeta: metav1.ObjectMeta{
 						Name:      certsSecretResourceName,

internal/controller/impersonatorconfig/impersonator_config.go

@@ -72,7 +72,7 @@ type impersonatorConfigController struct {
 	hasControlPlaneNodes              *bool
 	serverStopCh                      chan struct{}
 	errorCh                           chan error
-	tlsServingCertDynamicCertProvider dynamiccert.Provider
+	tlsServingCertDynamicCertProvider dynamiccert.Private
 }
 
 func NewImpersonatorConfigController(
@@ -116,7 +116,7 @@ func NewImpersonatorConfigController(
 				clock:                             clock,
 				impersonationSigningCertProvider:  impersonationSigningCertProvider,
 				impersonatorFunc:                  impersonatorFunc,
-				tlsServingCertDynamicCertProvider: dynamiccert.New("impersonation-proxy-serving-cert"),
+				tlsServingCertDynamicCertProvider: dynamiccert.NewServingCert("impersonation-proxy-serving-cert"),
 			},
 		},
 		withInformer(

internal/controller/impersonatorconfig/impersonator_config_test.go

@@ -974,7 +974,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 			kubeAPIClient = kubernetesfake.NewSimpleClientset()
 			pinnipedAPIClient = pinnipedfake.NewSimpleClientset()
 			frozenNow = time.Date(2021, time.March, 2, 7, 42, 0, 0, time.Local)
-			signingCertProvider = dynamiccert.New(name)
+			signingCertProvider = dynamiccert.NewCA(name)
 
 			ca := newCA()
 			signingCACertPEM = ca.Bundle()

internal/controller/kubecertagent/execer.go

@@ -33,7 +33,7 @@ type execerController struct {
 	credentialIssuerLocationConfig *CredentialIssuerLocationConfig
 	credentialIssuerLabels         map[string]string
 	discoveryURLOverride           *string
-	dynamicCertProvider            dynamiccert.Provider
+	dynamicCertProvider            dynamiccert.Private
 	podCommandExecutor             PodCommandExecutor
 	clock                          clock.Clock
 	pinnipedAPIClient              pinnipedclientset.Interface
@@ -51,7 +51,7 @@ func NewExecerController(
 	credentialIssuerLocationConfig *CredentialIssuerLocationConfig,
 	credentialIssuerLabels map[string]string,
 	discoveryURLOverride *string,
-	dynamicCertProvider dynamiccert.Provider,
+	dynamicCertProvider dynamiccert.Private,
 	podCommandExecutor PodCommandExecutor,
 	pinnipedAPIClient pinnipedclientset.Interface,
 	clock clock.Clock,

internal/controller/kubecertagent/execer_test.go

@@ -243,7 +243,7 @@ func TestManagerControllerSync(t *testing.T) {
 			kubeInformerFactory = kubeinformers.NewSharedInformerFactory(kubeClientset, 0)
 			fakeExecutor = &fakePodExecutor{r: r}
 			frozenNow = time.Date(2020, time.September, 23, 7, 42, 0, 0, time.Local)
-			dynamicCertProvider = dynamiccert.New(name)
+			dynamicCertProvider = dynamiccert.NewCA(name)
 			err = dynamicCertProvider.SetCertKeyContent([]byte(defaultDynamicCertProviderCert), []byte(defaultDynamicCertProviderKey))
 			r.NoError(err)