feat(certs): add support for wildcard certificates and domains with new cert cli commands

Add support for wildcard certificates that also contain SAN, and wildcard domains. The certificate domain model records far more information now.

New CLI commands added: `certs:info`, `certs:attach`, and `certs:detach`

* `certs:list` output has drastically changed to account for all the new pretty information.
* `certs:create` dropped `--san` and `--common-name` as those are automagically discovered by the API. It also now requires a `name` to identify a certificate which is then used in other commands.
* `certs:attach` and `certs:detach` are used to tie a single certificate to one or more domains. No need to duplicate a certificate to achieve that.

Certificates are stores in k8s as secrets with the certificate name, which get attached to the given application namespace they are in (via `attach`) and router can query for a domain to certificate name mapping

Author: helgi

.travis.yml

@@ -35,7 +35,7 @@ install:
   - make prep-bintray-json
 script:
   - make test
-  - make -C client/ build test
+  - make -C client/ bootstrap build test
   - mv client/deis client/deis-linux-amd64
   - GOOS=darwin GOARCH=amd64 make -C client build
   - mv client/deis client/deis-darwin-amd64

client/Makefile

@@ -3,7 +3,7 @@ export GO15VENDOREXPERIMENT=1
 # the filepath to this repository, relative to $GOPATH/src
 repo_path = github.com/deis/workflow/client
 
-DEV_ENV_IMAGE := quay.io/deis/go-dev:0.4.0
+DEV_ENV_IMAGE := quay.io/deis/go-dev:0.5.0
 DEV_ENV_WORK_DIR := /go/src/${repo_path}
 DEV_ENV_PREFIX := docker run --rm -e GO15VENDOREXPERIMENT=1 -e CGO_ENABLED=0 -v ${CURDIR}:${DEV_ENV_WORK_DIR} -w ${DEV_ENV_WORK_DIR}
 DEV_ENV_CMD := ${DEV_ENV_PREFIX} ${DEV_ENV_IMAGE}

client/cmd/certs.go

@@ -3,9 +3,11 @@ package cmd
 import (
 	"fmt"
 	"io/ioutil"
+	"os"
 	"strings"
+	"time"
 
-	"github.com/deis/pkg/prettyprint"
+	"github.com/olekukonko/tablewriter"
 
 	"github.com/deis/workflow/client/controller/client"
 	"github.com/deis/workflow/client/controller/models/certs"
@@ -34,45 +36,67 @@ func CertsList(results int) error {
 		return nil
 	}
 
-	certMap := make(map[string]string)
-	nameMax := 0
-	expiresMax := 0
+	table := tablewriter.NewWriter(os.Stdout)
+	table.SetAlignment(tablewriter.ALIGN_LEFT)
+	table.SetBorder(false)
+	table.SetAutoFormatHeaders(false)
+	table.SetHeaderLine(true)
+	table.SetHeader([]string{"Name", "Common Name", "SubjectAltName", "Expires", "Fingerprint", "Domains", "Updated", "Created"})
 	for _, cert := range certList {
-		certMap[cert.Name] = cert.Expires
-
-		if len(cert.Name) > nameMax {
-			nameMax = len(cert.Name)
-		}
-		if len(cert.Expires) > nameMax {
-			expiresMax = len(cert.Expires)
+		domains := strings.Join(cert.Domains[:], ",")
+		san := strings.Join(cert.SubjectAltName[:], ",")
+
+		// Make dates more readable
+		now := time.Now()
+		expires := cert.Expires.Time.Format("2 Jan 2006")
+		created := cert.Created.Time.Format("2 Jan 2006")
+		updated := cert.Updated.Time.Format("2 Jan 2006")
+
+		if cert.Expires.Time.Before(now) {
+			expires += " (expired)"
+		} else {
+			// Ghetto solution
+			expires += " (in"
+			year := cert.Expires.Time.Year() - now.Year()
+			month := cert.Expires.Time.Month() - now.Month()
+			day := cert.Expires.Time.Day() - now.Day()
+
+			if year > 0 {
+				expires += fmt.Sprintf(" %d year", year)
+				if year > 1 {
+					expires += "s"
+				}
+			} else if month > 0 {
+				expires += fmt.Sprintf(" %d month", month)
+				if month > 1 {
+					expires += "s"
+				}
+			} else if day != 0 {
+				// special handling on negative days
+				if day < 0 {
+					day *= -1
+				}
+
+				expires += fmt.Sprintf(" %d day", day)
+				if day > 1 {
+					expires += "s"
+				}
+			}
+			expires += ")"
 		}
-	}
 
-	nameHeader := "Common Name"
-	expiresHeader := "Expires"
-	tabSpaces := 5
-	bufferSpaces := tabSpaces
+		// show a shorter version of the fingerprint
+		fingerprint := cert.Fingerprint[:5] + "[...]" + cert.Fingerprint[len(cert.Fingerprint)-5:]
 
-	if nameMax < len(nameHeader) {
-		tabSpaces += len(nameHeader) - nameMax
-		nameMax = len(nameHeader)
-	} else {
-		bufferSpaces += nameMax - len(nameHeader)
+		table.Append([]string{cert.Name, cert.CommonName, san, expires, fingerprint, domains, updated, created})
 	}
+	table.Render()
 
-	if expiresMax < len(expiresHeader) {
-		expiresMax = len(expiresHeader)
-	}
-
-	fmt.Printf("%s%s%s\n", nameHeader, strings.Repeat(" ", bufferSpaces), expiresHeader)
-	fmt.Printf("%s%s%s\n", strings.Repeat("-", nameMax), strings.Repeat(" ", 5),
-		strings.Repeat("-", expiresMax))
-	fmt.Print(prettyprint.PrettyTabs(certMap, tabSpaces))
 	return nil
 }
 
 // CertAdd adds a cert to the controller.
-func CertAdd(cert, key, commonName, sans string) error {
+func CertAdd(cert string, key string, name string) error {
 	c, err := client.New()
 
 	if err != nil {
@@ -81,7 +105,7 @@ func CertAdd(cert, key, commonName, sans string) error {
 
 	fmt.Print("Adding SSL endpoint... ")
 	quit := progress()
-	err = processCertsAdd(c, cert, key, commonName, sans)
+	err = doCertAdd(c, cert, key, name)
 	quit <- true
 	<-quit
 
@@ -93,48 +117,117 @@ func CertAdd(cert, key, commonName, sans string) error {
 	return nil
 }
 
-func processCertsAdd(c *client.Client, cert, key, commonName, sans string) error {
-	if sans != "" {
-		for _, san := range strings.Split(sans, ",") {
-			if err := doCertAdd(c, cert, key, san); err != nil {
-				return err
-			}
-		}
-		return nil
+func doCertAdd(c *client.Client, cert string, key string, name string) error {
+	certFile, err := ioutil.ReadFile(cert)
+	if err != nil {
+		return err
+	}
+
+	keyFile, err := ioutil.ReadFile(key)
+	if err != nil {
+		return err
 	}
 
-	return doCertAdd(c, cert, key, commonName)
+	_, err = certs.New(c, string(certFile), string(keyFile), name)
+	return err
 }
 
-func doCertAdd(c *client.Client, cert string, key string, commonName string) error {
-	certFile, err := ioutil.ReadFile(cert)
+// CertRemove deletes a cert from the controller.
+func CertRemove(name string) error {
+	c, err := client.New()
+	if err != nil {
+		return err
+	}
 
+	fmt.Printf("Removing %s... ", name)
+	quit := progress()
+
+	certs.Delete(c, name)
+
+	quit <- true
+	<-quit
+
+	if err == nil {
+		fmt.Println("done")
+	}
+
+	return err
+}
+
+// CertInfo gets info about certficiate
+func CertInfo(name string) error {
+	c, err := client.New()
 	if err != nil {
 		return err
 	}
 
-	keyFile, err := ioutil.ReadFile(key)
+	cert, err := certs.Get(c, name)
+	if err != nil {
+		return err
+	}
+
+	domains := strings.Join(cert.Domains[:], ",")
+	if domains == "" {
+		domains = "No connected domains"
+	}
+
+	san := strings.Join(cert.SubjectAltName[:], ",")
+	if san == "" {
+		san = "N/A"
+	}
+
+	fmt.Printf("=== %s Certificate\n", cert.Name)
+	fmt.Println("Common Name(s):    ", cert.CommonName)
+	fmt.Println("Expires At:        ", cert.Expires)
+	fmt.Println("Starts At:         ", cert.Starts)
+	fmt.Println("Fingerprint:       ", cert.Fingerprint)
+	fmt.Println("Subject Alt Name:  ", san)
+	fmt.Println("Issuer:            ", cert.Issuer)
+	fmt.Println("Subject:           ", cert.Subject)
+	fmt.Println()
+	fmt.Println("Connected Domains: ", domains)
+	fmt.Println("Owner:             ", cert.Owner)
+	fmt.Println("Created:           ", cert.Created)
+	fmt.Println("Updated:           ", cert.Updated)
+
+	return nil
+}
+
+// CertAttach attaches a certificate to a domain
+func CertAttach(name string, domain string) error {
+	c, err := client.New()
 
 	if err != nil {
 		return err
 	}
 
-	_, err = certs.New(c, string(certFile), string(keyFile), commonName)
+	fmt.Printf("Attaching certificate %s to domain %s... ", name, domain)
+	quit := progress()
+
+	certs.Attach(c, name, domain)
+
+	quit <- true
+	<-quit
+
+	if err == nil {
+		fmt.Println("done")
+	}
+
 	return err
 }
 
-// CertRemove deletes a cert from the controller.
-func CertRemove(commonName string) error {
+// CertDetach detaches a certificate from a domain
+func CertDetach(name string, domain string) error {
 	c, err := client.New()
 
 	if err != nil {
 		return err
 	}
 
-	fmt.Printf("Removing %s... ", commonName)
+	fmt.Printf("Detaching certificate %s from domain %s... ", name, domain)
 	quit := progress()
 
-	certs.Delete(c, commonName)
+	certs.Detach(c, name, domain)
 
 	quit <- true
 	<-quit

client/controller/api/certs.go

@@ -1,20 +1,34 @@
 package api
 
+import "github.com/deis/pkg/time"
+
 // Cert is the definition of the cert object.
 // Some fields are omtempty because they are only
 // returned when creating or getting a cert.
 type Cert struct {
-	Updated string `json:"updated,omitempty"`
-	Created string `json:"created,omitempty"`
-	Name    string `json:"common_name"`
-	Expires string `json:"expires"`
-	Owner   string `json:"owner,omitempty"`
-	ID      int    `json:"id,omitempty"`
+	Updated        time.Time `json:"updated,omitempty"`
+	Created        time.Time `json:"created,omitempty"`
+	Name           string    `json:"name"`
+	CommonName     string    `json:"common_name"`
+	Expires        time.Time `json:"expires"`
+	Starts         time.Time `json:"starts"`
+	Fingerprint    string    `json:"fingerprint"`
+	Issuer         string    `json:"issuer"`
+	Subject        string    `json:"subject"`
+	SubjectAltName []string  `json:"san,omitempty"`
+	Domains        []string  `json:"domains,omitempty"`
+	Owner          string    `json:"owner,omitempty"`
+	ID             int       `json:"id,omitempty"`
 }
 
-// CertCreateRequest is the definition of POST /v2/certs/.
+// CertCreateRequest is the definition of POST and PUT to /v2/certs/
 type CertCreateRequest struct {
 	Certificate string `json:"certificate"`
 	Key         string `json:"key"`
-	Name        string `json:"common_name,omitempty"`
+	Name        string `json:"name"`
+}
+
+// CertAttachRequest is the defintion of post to /v2/certs/<cert>/domain
+type CertAttachRequest struct {
+	Domain string `json:"domain"`
 }

client/controller/models/certs/certs.go

@@ -24,17 +24,15 @@ func List(c *client.Client, results int) ([]api.Cert, int, error) {
 	return res, count, nil
 }
 
-// New creates a new cert.
-func New(c *client.Client, cert string, key string, commonName string) (api.Cert, error) {
-	req := api.CertCreateRequest{Certificate: cert, Key: key, Name: commonName}
+// New creates a cert.
+func New(c *client.Client, cert string, key string, name string) (api.Cert, error) {
+	req := api.CertCreateRequest{Certificate: cert, Key: key, Name: name}
 	reqBody, err := json.Marshal(req)
-
 	if err != nil {
 		return api.Cert{}, err
 	}
 
 	resBody, err := c.BasicRequest("POST", "/v2/certs/", reqBody)
-
 	if err != nil {
 		return api.Cert{}, err
 	}
@@ -47,10 +45,45 @@ func New(c *client.Client, cert string, key string, commonName string) (api.Cert
 	return resCert, nil
 }
 
+// Get information for a certificate
+func Get(c *client.Client, name string) (api.Cert, error) {
+	url := fmt.Sprintf("/v2/certs/%s", name)
+	body, err := c.BasicRequest("GET", url, nil)
+	if err != nil {
+		return api.Cert{}, err
+	}
+
+	res := api.Cert{}
+	if err = json.Unmarshal([]byte(body), &res); err != nil {
+		return api.Cert{}, err
+	}
+
+	return res, nil
+}
+
 // Delete removes a cert.
-func Delete(c *client.Client, commonName string) error {
-	u := fmt.Sprintf("/v2/certs/%s", commonName)
+func Delete(c *client.Client, name string) error {
+	url := fmt.Sprintf("/v2/certs/%s", name)
+	_, err := c.BasicRequest("DELETE", url, nil)
+	return err
+}
+
+// Attach a certificate to a domain
+func Attach(c *client.Client, name string, domain string) error {
+	req := api.CertAttachRequest{Domain: domain}
+	reqBody, err := json.Marshal(req)
+	if err != nil {
+		return err
+	}
+
+	url := fmt.Sprintf("/v2/certs/%s/domain/", name)
+	_, err = c.BasicRequest("POST", url, reqBody)
+	return err
+}
 
-	_, err := c.BasicRequest("DELETE", u, nil)
+// Detach a certificate from a domain
+func Detach(c *client.Client, name string, domain string) error {
+	url := fmt.Sprintf("/v2/certs/%s/domain/%s", name, domain)
+	_, err := c.BasicRequest("DELETE", url, nil)
 	return err
 }