mirror of
https://github.com/alibaba/higress.git
synced 2026-02-21 22:40:59 +08:00
353 lines
9.9 KiB
Go
353 lines
9.9 KiB
Go
// Copyright (c) 2022 Alibaba Group Holding Ltd.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package cert
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/fs"
|
|
"path"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/caddyserver/certmagic"
|
|
v1 "k8s.io/api/core/v1"
|
|
"k8s.io/apimachinery/pkg/api/errors"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/client-go/kubernetes"
|
|
)
|
|
|
|
const (
|
|
CertificatesPrefix = "certificates"
|
|
ConfigmapStoreCertficatesPrefix = "higress-cert-store-certificates-"
|
|
ConfigmapStoreDefaultName = "higress-cert-store-default"
|
|
)
|
|
|
|
var _ certmagic.Storage = (*ConfigmapStorage)(nil)
|
|
|
|
type ConfigmapStorage struct {
|
|
namespace string
|
|
client kubernetes.Interface
|
|
mux sync.RWMutex
|
|
}
|
|
|
|
type HashValue struct {
|
|
K string `json:"k,omitempty"`
|
|
V []byte `json:"v,omitempty"`
|
|
}
|
|
|
|
func NewConfigmapStorage(namespace string, client kubernetes.Interface) (certmagic.Storage, error) {
|
|
storage := &ConfigmapStorage{
|
|
namespace: namespace,
|
|
client: client,
|
|
}
|
|
return storage, nil
|
|
}
|
|
|
|
// Exists returns true if key exists in s.
|
|
func (s *ConfigmapStorage) Exists(_ context.Context, key string) bool {
|
|
s.mux.RLock()
|
|
defer s.mux.RUnlock()
|
|
cm, err := s.getConfigmapStoreByKey(key)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
if cm.Data == nil {
|
|
return false
|
|
}
|
|
|
|
hashKey := fastHash([]byte(key))
|
|
if _, ok := cm.Data[hashKey]; ok {
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
// Store saves value at key.
|
|
func (s *ConfigmapStorage) Store(_ context.Context, key string, value []byte) error {
|
|
s.mux.Lock()
|
|
defer s.mux.Unlock()
|
|
cm, err := s.getConfigmapStoreByKey(key)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if cm.Data == nil {
|
|
cm.Data = make(map[string]string, 0)
|
|
}
|
|
|
|
hashKey := fastHash([]byte(key))
|
|
hashV := &HashValue{
|
|
K: key,
|
|
V: value,
|
|
}
|
|
bytes, err := json.Marshal(hashV)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
cm.Data[hashKey] = string(bytes)
|
|
return s.updateConfigmap(cm)
|
|
}
|
|
|
|
// Load retrieves the value at key.
|
|
func (s *ConfigmapStorage) Load(_ context.Context, key string) ([]byte, error) {
|
|
s.mux.RLock()
|
|
defer s.mux.RUnlock()
|
|
var value []byte
|
|
cm, err := s.getConfigmapStoreByKey(key)
|
|
if err != nil {
|
|
return value, err
|
|
}
|
|
if cm.Data == nil {
|
|
return value, fs.ErrNotExist
|
|
}
|
|
|
|
hashKey := fastHash([]byte(key))
|
|
if v, ok := cm.Data[hashKey]; ok {
|
|
hV := &HashValue{}
|
|
err = json.Unmarshal([]byte(v), hV)
|
|
if err != nil {
|
|
return value, err
|
|
}
|
|
return hV.V, nil
|
|
}
|
|
return value, fs.ErrNotExist
|
|
}
|
|
|
|
// Delete deletes the value at key.
|
|
func (s *ConfigmapStorage) Delete(_ context.Context, key string) error {
|
|
s.mux.Lock()
|
|
defer s.mux.Unlock()
|
|
cm, err := s.getConfigmapStoreByKey(key)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if cm.Data == nil {
|
|
cm.Data = make(map[string]string, 0)
|
|
}
|
|
hashKey := fastHash([]byte(key))
|
|
delete(cm.Data, hashKey)
|
|
return s.updateConfigmap(cm)
|
|
}
|
|
|
|
// List returns all keys that match the prefix.
|
|
// If the prefix is "/certificates", it retrieves all ConfigMaps, otherwise only one.
|
|
func (s *ConfigmapStorage) List(ctx context.Context, prefix string, recursive bool) ([]string, error) {
|
|
s.mux.RLock()
|
|
defer s.mux.RUnlock()
|
|
var keys []string
|
|
var configmapKeys []string
|
|
visitedDirs := make(map[string]struct{})
|
|
|
|
// Check if the prefix corresponds to a specific key
|
|
hashPrefix := fastHash([]byte(prefix))
|
|
if strings.HasPrefix(prefix, CertificatesPrefix) {
|
|
// If the prefix is "certificates/", get all ConfigMaps and traverse each one
|
|
// List all ConfigMaps in the namespace with label higress.io/cert-https=true
|
|
configmaps, err := s.client.CoreV1().ConfigMaps(s.namespace).List(ctx, metav1.ListOptions{FieldSelector: "metadata.annotations['higress.io/cert-https'] == 'true'"})
|
|
if err != nil {
|
|
return keys, err
|
|
}
|
|
|
|
for _, cm := range configmaps.Items {
|
|
// Check if the ConfigMap name starts with the expected prefix
|
|
if strings.HasPrefix(cm.Name, ConfigmapStoreCertficatesPrefix) {
|
|
// Add the keys from Data field to the list
|
|
for _, v := range cm.Data {
|
|
// Unmarshal the value into hashValue struct
|
|
var hv HashValue
|
|
if err := json.Unmarshal([]byte(v), &hv); err != nil {
|
|
return nil, err
|
|
}
|
|
// Check if the key starts with the specified prefix
|
|
if strings.HasPrefix(hv.K, prefix) {
|
|
// Add the key to the list
|
|
configmapKeys = append(configmapKeys, hv.K)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
// If not starting with "/certificates", get the specific ConfigMap
|
|
cm, err := s.getConfigmapStoreByKey(prefix)
|
|
if err != nil {
|
|
return keys, err
|
|
}
|
|
|
|
if _, ok := cm.Data[hashPrefix]; ok {
|
|
// The prefix corresponds to a specific key, add it to the list
|
|
configmapKeys = append(configmapKeys, prefix)
|
|
} else {
|
|
// The prefix is considered a directory
|
|
for _, v := range cm.Data {
|
|
// Unmarshal the value into hashValue struct
|
|
var hv HashValue
|
|
if err := json.Unmarshal([]byte(v), &hv); err != nil {
|
|
return nil, err
|
|
}
|
|
// Check if the key starts with the specified prefix
|
|
if strings.HasPrefix(hv.K, prefix) {
|
|
// Add the key to the list
|
|
configmapKeys = append(configmapKeys, hv.K)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// return all
|
|
if recursive {
|
|
return configmapKeys, nil
|
|
}
|
|
|
|
// only return sub dirs
|
|
for _, key := range configmapKeys {
|
|
subPath := strings.TrimPrefix(strings.ReplaceAll(key, prefix, ""), "/")
|
|
paths := strings.Split(subPath, "/")
|
|
if len(paths) > 0 {
|
|
subDir := path.Join(prefix, paths[0])
|
|
if _, ok := visitedDirs[subDir]; !ok {
|
|
keys = append(keys, subDir)
|
|
}
|
|
visitedDirs[subDir] = struct{}{}
|
|
}
|
|
}
|
|
|
|
return keys, nil
|
|
}
|
|
|
|
// Stat returns information about key. only support for no certificates path
|
|
func (s *ConfigmapStorage) Stat(_ context.Context, key string) (certmagic.KeyInfo, error) {
|
|
s.mux.RLock()
|
|
defer s.mux.RUnlock()
|
|
// Create a new KeyInfo struct
|
|
info := certmagic.KeyInfo{}
|
|
|
|
// Get the ConfigMap containing the keys
|
|
cm, err := s.getConfigmapStoreByKey(key)
|
|
if err != nil {
|
|
return info, err
|
|
}
|
|
|
|
// Check if the key exists in the ConfigMap
|
|
hashKey := fastHash([]byte(key))
|
|
if data, ok := cm.Data[hashKey]; ok {
|
|
// The key exists, populate the KeyInfo struct
|
|
info.Key = key
|
|
info.Modified = time.Now() // Since we're not tracking modification time in ConfigMap
|
|
info.Size = int64(len(data))
|
|
info.IsTerminal = true
|
|
} else {
|
|
// Check if there are other keys with the same prefix
|
|
prefixKeys := make([]string, 0)
|
|
for _, v := range cm.Data {
|
|
var hv HashValue
|
|
if err := json.Unmarshal([]byte(v), &hv); err != nil {
|
|
return info, err
|
|
}
|
|
// Check if the key starts with the specified prefix
|
|
if strings.HasPrefix(hv.K, key) {
|
|
// Add the key to the list
|
|
prefixKeys = append(prefixKeys, hv.K)
|
|
}
|
|
}
|
|
// If there are multiple keys with the same prefix, then it's not a terminal node
|
|
if len(prefixKeys) > 0 {
|
|
info.Key = key
|
|
info.IsTerminal = false
|
|
} else {
|
|
return info, fmt.Errorf("prefix '%s' is not existed", key)
|
|
}
|
|
}
|
|
return info, nil
|
|
}
|
|
|
|
// Lock obtains a lock named by the given name. It blocks
|
|
// until the lock can be obtained or an error is returned.
|
|
func (s *ConfigmapStorage) Lock(ctx context.Context, name string) error {
|
|
return nil
|
|
}
|
|
|
|
// Unlock releases the lock for name.
|
|
func (s *ConfigmapStorage) Unlock(_ context.Context, name string) error {
|
|
return nil
|
|
}
|
|
|
|
func (s *ConfigmapStorage) String() string {
|
|
return "ConfigmapStorage"
|
|
}
|
|
|
|
// getConfigmapStoreNameByKey determines the storage name for a given key.
|
|
// It checks if the key starts with 'certificates/' and if so, the key pattern should match one of the following:
|
|
// 'certificates/<issuerKey>/<domain>/<domain>.json',
|
|
// 'certificates/<issuerKey>/<domain>/<domain>.crt',
|
|
// or 'certificates/<issuerKey>/<domain>/<domain>.key'.
|
|
// It then returns the corresponding ConfigMap name.
|
|
// If the key does not start with 'certificates/', it returns the default store name.
|
|
//
|
|
// Parameters:
|
|
//
|
|
// key - The configuration map key that needs to be mapped to a storage name.
|
|
//
|
|
// Returns:
|
|
//
|
|
// string - The calculated or default storage name based on the key.
|
|
func (s *ConfigmapStorage) getConfigmapStoreNameByKey(key string) string {
|
|
if strings.HasPrefix(key, "certificates/") {
|
|
parts := strings.Split(key, "/")
|
|
if len(parts) >= 4 && parts[0] == "certificates" {
|
|
domain := parts[2]
|
|
issuerKey := parts[1]
|
|
return ConfigmapStoreCertficatesPrefix + fastHash([]byte(issuerKey+domain))
|
|
}
|
|
}
|
|
return ConfigmapStoreDefaultName
|
|
}
|
|
|
|
func (s *ConfigmapStorage) getConfigmapStoreByKey(key string) (*v1.ConfigMap, error) {
|
|
configmapName := s.getConfigmapStoreNameByKey(key)
|
|
cm, err := s.client.CoreV1().ConfigMaps(s.namespace).Get(context.Background(), configmapName, metav1.GetOptions{})
|
|
if err != nil {
|
|
if errors.IsNotFound(err) {
|
|
// Save default ConfigMap
|
|
cm = &v1.ConfigMap{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Namespace: s.namespace,
|
|
Name: configmapName,
|
|
Annotations: map[string]string{"higress.io/cert-https": "true"},
|
|
},
|
|
}
|
|
_, err = s.client.CoreV1().ConfigMaps(s.namespace).Create(context.Background(), cm, metav1.CreateOptions{})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
} else {
|
|
return nil, err
|
|
}
|
|
}
|
|
return cm, nil
|
|
}
|
|
|
|
// updateConfigmap adds or updates the annotation higress.io/cert-https to true.
|
|
func (s *ConfigmapStorage) updateConfigmap(configmap *v1.ConfigMap) error {
|
|
if configmap.ObjectMeta.Annotations == nil {
|
|
configmap.ObjectMeta.Annotations = make(map[string]string)
|
|
}
|
|
configmap.ObjectMeta.Annotations["higress.io/cert-https"] = "true"
|
|
|
|
_, err := s.client.CoreV1().ConfigMaps(configmap.Namespace).Update(context.Background(), configmap, metav1.UpdateOptions{})
|
|
return err
|
|
}
|