From 46dc4771d1ef1c1de0238486beff2123c2ce457d Mon Sep 17 00:00:00 2001 From: Chance Zibolski Date: Fri, 12 Apr 2024 11:07:01 -0700 Subject: [PATCH] Add support for generating Hubble metrics certificates Signed-off-by: Chance Zibolski --- cmd/certgen.go | 31 ++++++++++++++++++++++++++++ internal/defaults/defaults.go | 16 +++++++++++++++ internal/option/config.go | 38 +++++++++++++++++++++++++++++++++++ 3 files changed, 85 insertions(+) diff --git a/cmd/certgen.go b/cmd/certgen.go index 601b6498..6b3c0774 100644 --- a/cmd/certgen.go +++ b/cmd/certgen.go @@ -87,6 +87,12 @@ func New() (*cobra.Command, error) { flags.String(option.HubbleServerCertSecretName, defaults.HubbleServerCertSecretName, "Name of the K8s Secret where the Hubble server cert and key are stored in") flags.String(option.HubbleServerCertSecretNamespace, "", "Overwrites the namespace of the K8s Secret where the Hubble server cert and key are stored in") + flags.Bool(option.HubbleMetricsServerCertGenerate, defaults.HubbleMetricsServerCertGenerate, "Generate and store Hubble metrics server certificate") + flags.String(option.HubbleMetricsServerCertCommonName, defaults.HubbleMetricsServerCertCommonName, "Hubble metrics server certificate common name") + flags.Duration(option.HubbleMetricsServerCertValidityDuration, defaults.HubbleMetricsServerCertValidityDuration, "Hubble metrics server certificate validity duration") + flags.String(option.HubbleMetricsServerCertSecretName, defaults.HubbleMetricsServerCertSecretName, "Name of the K8s Secret where the Hubble metrics server cert and key are stored in") + flags.String(option.HubbleMetricsServerCertSecretNamespace, "", "Overwrites the namespace of the K8s Secret where the Hubble metrics server cert and key are stored in") + // Extenal Workload certs flags.String(option.CiliumNamespace, defaults.CiliumNamespace, "Namespace where the cert secrets and configmaps are stored in") 
@@ -213,6 +219,22 @@ func generateCertificates() error { } } + var hubbleMetricsServerCert *generate.Cert + if option.Config.HubbleMetricsServerCertGenerate { + log.Info("Generating server certificates for Hubble") + hubbleMetricsServerCert = generate.NewCert( + option.Config.HubbleMetricsServerCertCommonName, + option.Config.HubbleMetricsServerCertValidityDuration, + defaults.HubbleMetricsServerCertUsage, + option.Config.HubbleMetricsServerCertSecretName, + option.Config.HubbleMetricsServerCertSecretNamespace, + ) + err := hubbleMetricsServerCert.Generate(ciliumCA) + if err != nil { + return fmt.Errorf("failed to generate Hubble server cert: %w", err) + } + } + var hubbleRelayClientCert *generate.Cert if option.Config.HubbleRelayClientCertGenerate { log.Info("Generating client certificates for Hubble Relay") @@ -323,6 +345,15 @@ func generateCertificates() error { count++ } + if option.Config.HubbleMetricsServerCertGenerate { + ctx, cancel := context.WithTimeout(context.Background(), option.Config.K8sRequestTimeout) + defer cancel() + if err := hubbleMetricsServerCert.StoreAsSecret(ctx, k8sClient); err != nil { + return fmt.Errorf("failed to create secret for Hubble server cert: %w", err) + } + count++ + } + if option.Config.HubbleRelayClientCertGenerate { ctx, cancel := context.WithTimeout(context.Background(), option.Config.K8sRequestTimeout) defer cancel() diff --git a/internal/defaults/defaults.go b/internal/defaults/defaults.go index dbfdf77a..d10c2812 100644 --- a/internal/defaults/defaults.go +++ b/internal/defaults/defaults.go 
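Review bot: The log and error text in the new metrics block is copied verbatim from the Hubble server block, so when both certificates are enabled an operator sees two identical `Generating server certificates for Hubble` lines and a signing failure cannot be attributed to the right certificate. Use the metrics-specific wording: `log.Info("Generating server certificates for Hubble metrics")` and `return fmt.Errorf("failed to generate Hubble metrics server cert: %w", err)`. generateCertificates starts before and continues past this hunk.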
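Review bot: The same copy-paste appears in the secret-storing branch: a failure to write the metrics server Secret is reported as `failed to create secret for Hubble server cert`, which points the operator at the wrong Secret when diagnosing a rollout. Change it to `return fmt.Errorf("failed to create secret for Hubble metrics server cert: %w", err)`. The enclosing generateCertificates body and the `count` accounting it feeds lie outside this hunk.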
@@ -46,6 +46,19 @@ const ( // server certificate is written to. HubbleServerCertSecretName = "hubble-server-certs" //#nosec + // HubbleMetricsServerCertGenerate can be set to true to generate and store a + // Hubble metrics server TLS certificate. + HubbleMetricsServerCertGenerate = false + // HubbleMetricsServerCertCommonName is the Hubble metrics server x509 certificate CN + // value (also used as DNS SAN). + HubbleMetricsServerCertCommonName = "default.hubble-metrics.cilium.io" + // HubbleMetricsServerCertValidityDuration represent how much time the Hubble + // server certificate generated by certgen is valid. + HubbleMetricsServerCertValidityDuration = 3 * 365 * 24 * time.Hour + // HubbleMetricsServerCertSecretName is the Kubernetes Secret in which the Hubble + // server certificate is written to. + HubbleMetricsServerCertSecretName = "hubble-metrics-server-certs" //#nosec + // HubbleRelayServerCertGenerate can be set to true to generate and store a // Hubble Relay server TLS certificate. HubbleRelayServerCertGenerate = false @@ -130,6 +143,9 @@ var ( // HubbleServerCertUsage are the key usages for the Hubble server x509 // certificate. HubbleServerCertUsage = []string{"signing", "key encipherment", "server auth"} + // HubbleMetricsServerCertUsage are the key usages for the Hubble metrics + // server x509 certificate. + HubbleMetricsServerCertUsage = []string{"signing", "key encipherment", "server auth"} // HubbleRelayServerCertUsage are the key usages for the Hubble Relay // server x509 certificate. HubbleRelayServerCertUsage = []string{"signing", "key encipherment", "server auth"} diff --git a/internal/option/config.go b/internal/option/config.go index 180697a3..a51af736 100644 --- a/internal/option/config.go +++ b/internal/option/config.go 
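Review bot: The doc comments on `HubbleMetricsServerCertValidityDuration` and `HubbleMetricsServerCertSecretName` still say "Hubble server certificate", so a reader of defaults.go cannot distinguish the new metrics constants from the existing Hubble server ones. Reword them to `// HubbleMetricsServerCertValidityDuration represents how long the Hubble metrics server certificate generated by certgen is valid.` and `// HubbleMetricsServerCertSecretName is the Kubernetes Secret in which the Hubble metrics server certificate is written to.` The CN default is documented as also being the DNS SAN; I cannot see from this patch how scrapers address the metrics listener, so confirm that `default.hubble-metrics.cilium.io` is the name they will verify, otherwise operators will be pushed toward disabling TLS verification. The `const` block continues on both sides of this hunk.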
@@ -69,6 +69,22 @@ const ( // Hubble server certificate Secret will be stored. HubbleServerCertSecretNamespace = "hubble-server-cert-secret-namespace" //#nosec + // HubbleMetricsServerCertGenerate can be set to true to generate and store a + // Hubble metrics server TLS certificate. + HubbleMetricsServerCertGenerate = "hubble-metrics-server-cert-generate" + // HubbleMetricsServerCertCommonName is the Hubble metrics server x509 certificate CN + // value (also used as DNS SAN). + HubbleMetricsServerCertCommonName = "hubble-metrics-server-cert-common-name" + // HubbleMetricsServerCertValidityDuration represent how much time the Hubble + // server certificate generated by certgen is valid. + HubbleMetricsServerCertValidityDuration = "hubble-metrics-server-cert-validity-duration" + // HubbleMetricsServerCertSecretName is the Kubernetes Secret in which the Hubble + // server certificate is written to. + HubbleMetricsServerCertSecretName = "hubble-metrics-server-cert-secret-name" //#nosec + // HubbleMetricsServerCertSecretNamespace is the Kubernetes Namespace in which the + // Hubble metrics server certificate Secret will be stored. + HubbleMetricsServerCertSecretNamespace = "hubble-metrics-server-cert-secret-namespace" //#nosec + // HubbleRelayServerCertGenerate can be set to true to generate and store a // Hubble Relay server TLS certificate. HubbleRelayServerCertGenerate = "hubble-relay-server-cert-generate" 
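Review bot: The comments for the `HubbleMetricsServerCertValidityDuration` and `HubbleMetricsServerCertSecretName` flag-name constants describe the "Hubble server certificate" rather than the metrics one, which is confusing next to the identically worded Hubble server constants a few lines up. Suggested wording: `// HubbleMetricsServerCertValidityDuration represents how long the Hubble metrics server certificate generated by certgen is valid.` and `// HubbleMetricsServerCertSecretName is the Kubernetes Secret in which the Hubble metrics server certificate is written to.` The surrounding `const` block extends beyond this hunk.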
@@ -249,6 +265,22 @@ type CertGenConfig struct { // Hubble server certificate Secret will be stored. HubbleServerCertSecretNamespace string + // HubbleMetricsServerCertGenerate can be set to true to generate and store a + // Hubble metrics server TLS certificate. + HubbleMetricsServerCertGenerate bool + // HubbleMetricsServerCertCommonName is the Hubble metrics server x509 certificate CN + // value (also used as DNS SAN). + HubbleMetricsServerCertCommonName string + // HubbleMetricsServerCertValidityDuration represent how much time the Hubble + // server certificate generated by certgen is valid. + HubbleMetricsServerCertValidityDuration time.Duration + // HubbleMetricsServerCertSecretName is the Kubernetes Secret in which the Hubble + // server certificate is written to. + HubbleMetricsServerCertSecretName string + // HubbleMetricsServerCertSecretNamespace is the Kubernetes Namespace in which the + // Hubble metrics server certificate Secret will be stored. + HubbleMetricsServerCertSecretNamespace string + // ClustermeshApiserverServerCertGenerate can be set to true to generate // and store a new Clustermesh API server TLS certificate. ClustermeshApiserverServerCertGenerate bool 
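Review bot: The field comments on `HubbleMetricsServerCertValidityDuration` and `HubbleMetricsServerCertSecretName` in CertGenConfig carry the same copy-paste, referring to the "Hubble server certificate" instead of the metrics server certificate. Since these comments are what godoc shows for the config struct, reword them to `// HubbleMetricsServerCertValidityDuration represents how long the Hubble metrics server certificate generated by certgen is valid.` and `// HubbleMetricsServerCertSecretName is the Kubernetes Secret in which the Hubble metrics server certificate is written to.` The CertGenConfig struct definition starts before and ends after this hunk.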
@@ -349,6 +381,12 @@ func (c *CertGenConfig) PopulateFrom(vp *viper.Viper) { c.HubbleServerCertSecretName = vp.GetString(HubbleServerCertSecretName) c.HubbleServerCertSecretNamespace = getStringWithFallback(vp, HubbleServerCertSecretNamespace, CiliumNamespace) + c.HubbleMetricsServerCertGenerate = vp.GetBool(HubbleMetricsServerCertGenerate) + c.HubbleMetricsServerCertCommonName = vp.GetString(HubbleMetricsServerCertCommonName) + c.HubbleMetricsServerCertValidityDuration = vp.GetDuration(HubbleMetricsServerCertValidityDuration) + c.HubbleMetricsServerCertSecretName = vp.GetString(HubbleMetricsServerCertSecretName) + c.HubbleMetricsServerCertSecretNamespace = getStringWithFallback(vp, HubbleMetricsServerCertSecretNamespace, CiliumNamespace) + c.CiliumNamespace = vp.GetString(CiliumNamespace) c.ClustermeshApiserverServerCertGenerate = vp.GetBool(ClustermeshApiserverServerCertGenerate)