grafeas / kritis

Deploy-time Policy Enforcer for Kubernetes applications
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Apache License 2.0

Generate secrets on Clusters #49

Closed tejal29 closed 6 years ago

tejal29 commented 6 years ago

When we install kritis, we need to generate TLS secrets.

We also need to do the same when user wants to deploy a new Attestation Authority.

One example of doing this:

  1. Write a controller which will generate a pair of secrets. https://github.com/mittwald/kubernetes-secret-generator

  2. Ask users to generate the secrets and then they would need to copy paste the secret.

This is a tracking ticket for that.

tejal29 commented 6 years ago

We are using the helm plugin certgen to create TLS secrets.

For AttestationAuthority we can write a controller to create a secret if it does not exist. The sample code is https://github.com/tejal29/kritis/blob/attestation_lib/pkg/kritis/attestation/attestation_test.go#L59

tejal29 commented 6 years ago

The flow would be, for the given AttestationAuthority:

```yaml
apiVersion: kritis.grafeas.io/v1beta1
kind: AttestationAuthority
metadata:
  name: qa-attestor
spec:
  noteReference: v1alpha1/projects/image-signing
  privateKeySecretName: foo
```

  1. Check if the secret "foo" exists in the given namespace.
  2. If it does not exist:
     a. The controller will generate the private and public key pair.
     b. Create a Kubernetes Secret (see https://github.com/kubernetes/sample-controller/blob/master/controller.go#L389 for reference code).
     c. Update the AttestationAuthority with the generated public key. (There is also some sample code on how to update a KO in the above repo.)
  3. If the secret exists, do nothing :)
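The three-step flow above, written out as an added Go example. This is not kritis code and not the controller the thread links to: the Kubernetes API is replaced by a `SecretStore` interface with an in-memory implementation, the field `PublicKeyData` on the authority spec is an assumed name for wherever the real controller would record the public key, and the key type is Ed25519 in PKCS#8/PKIX PEM (an assumption; the project's attestation code may use a different key format). The point it demonstrates is idempotence: a second reconcile of the same authority must neither rotate the key nor touch the recorded public key, and a transient API error must be reported rather than treated as "secret missing".

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// AttestationAuthority mirrors the CRD quoted in the thread. PublicKeyData is an
// assumed field name for where the controller records the generated public key.
type AttestationAuthority struct {
	Name, Namespace string
	Spec            AttestationAuthoritySpec
}

type AttestationAuthoritySpec struct {
	NoteReference        string
	PrivateKeySecretName string
	PublicKeyData        string // PEM public key, filled in by EnsureAuthoritySecret
}

// Secret is a minimal stand-in for a Kubernetes Secret object.
type Secret struct {
	Namespace, Name string
	Data            map[string][]byte
}

// SecretStore abstracts the two API calls the controller needs.
type SecretStore interface {
	Get(namespace, name string) (*Secret, error)
	Create(s *Secret) error
}

var ErrNotFound = errors.New("secret not found")

// MemorySecretStore stands in for a real cluster (constructed for this example).
type MemorySecretStore struct{ secrets map[string]*Secret }

func NewMemorySecretStore() *MemorySecretStore {
	return &MemorySecretStore{secrets: map[string]*Secret{}}
}

func (m *MemorySecretStore) Get(ns, name string) (*Secret, error) {
	if s, ok := m.secrets[ns+"/"+name]; ok {
		return s, nil
	}
	return nil, ErrNotFound
}

func (m *MemorySecretStore) Create(s *Secret) error {
	k := s.Namespace + "/" + s.Name
	if _, exists := m.secrets[k]; exists {
		return fmt.Errorf("secret %s already exists", k)
	}
	m.secrets[k] = s
	return nil
}

// EnsureAuthoritySecret runs steps 1-3 from the thread and reports whether a
// secret was created. It is safe to call on every reconcile.
func EnsureAuthoritySecret(store SecretStore, aa *AttestationAuthority) (bool, error) {
	// Step 1: look for the secret in the authority's namespace.
	_, err := store.Get(aa.Namespace, aa.Spec.PrivateKeySecretName)
	if err == nil {
		return false, nil // Step 3: it exists, do nothing (keys are never rotated here)
	}
	if !errors.Is(err, ErrNotFound) {
		return false, err // API error: do not mistake it for "missing" and mint a new key
	}
	// Step 2a: generate the key pair (Ed25519 is an assumption for this example).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return false, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return false, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	// Step 2b: create the Secret holding the private key.
	if err := store.Create(&Secret{Namespace: aa.Namespace, Name: aa.Spec.PrivateKeySecretName,
		Data: map[string][]byte{
			"private.key": pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER}),
			"public.key":  pubPEM,
		}}); err != nil {
		return false, err
	}
	// Step 2c: record the public key on the authority object.
	aa.Spec.PublicKeyData = string(pubPEM)
	return true, nil
}

// SignWithSecret signs msg with the private key in the authority's secret.
func SignWithSecret(store SecretStore, aa *AttestationAuthority, msg []byte) ([]byte, error) {
	s, err := store.Get(aa.Namespace, aa.Spec.PrivateKeySecretName)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(s.Data["private.key"])
	if block == nil {
		return nil, errors.New("secret has no PEM private key")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(k.(ed25519.PrivateKey), msg), nil
}

// VerifyWithAuthority checks sig against the public key the authority advertises.
func VerifyWithAuthority(aa *AttestationAuthority, msg, sig []byte) (bool, error) {
	block, _ := pem.Decode([]byte(aa.Spec.PublicKeyData))
	if block == nil {
		return false, errors.New("authority has no PEM public key")
	}
	k, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return false, err
	}
	edk, ok := k.(ed25519.PublicKey)
	if !ok {
		return false, errors.New("authority key is not Ed25519")
	}
	return ed25519.Verify(edk, msg, sig), nil
}

func main() {
	store := NewMemorySecretStore()
	aa := &AttestationAuthority{Name: "qa-attestor", Namespace: "default", Spec: AttestationAuthoritySpec{
		NoteReference: "v1alpha1/projects/image-signing", PrivateKeySecretName: "foo"}}
	created, err := EnsureAuthoritySecret(store, aa)
	fmt.Println("first reconcile created secret:", created, err)
	created, err = EnsureAuthoritySecret(store, aa)
	fmt.Println("second reconcile created secret:", created, err)
}
```

The split between Get returning `ErrNotFound` and any other error is the detail worth carrying into a real controller: with client-go the equivalent is checking `apierrors.IsNotFound(err)` before generating anything, so an API-server timeout does not produce a second key pair and a conflicting Create.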
aaron-prindle commented 6 years ago

This is handled by the preinstall pod now: https://github.com/grafeas/kritis/pull/124. Closing.