projectcontour / contour-operator

Experimental repository to explore an operator for deploying Contour
Apache License 2.0

Configurable Certificate Generation #34

Open danehans opened 3 years ago

danehans commented 3 years ago

Please describe the problem you have

Currently, the contour-certgen is responsible for generating certificates used to secure Contour<>Envoy communication. Cert generation should be configurable, providing options for cert-gen, cert-manager, and contour-operator generated certs.

Additional Considerations:

xref: https://github.com/projectcontour/contour-operator/pull/31

/cc @jpeach @stevesloka @Miciah

Miciah commented 3 years ago

The goal of v1alpha1 is for the operator to produce a deployment equivalent to what a user would get by applying https://github.com/projectcontour/contour/tree/main/examples/contour, so this issue is post-v1alpha1.

danehans commented 3 years ago

xref contour cert-manager docs: https://projectcontour.io/guides/cert-manager/

Miciah commented 3 years ago

I'd like to refer back to a comment from @stevesloka:

I think the operator should just create the certs without running a job, but that package isn't exposed in Contour so we need to do that work first. Duplicating the code doesn't seem like a good approach, but would unblock the operator work. I guess it could also call the contour binary like the certgen job as another intermediate step.

https://github.com/projectcontour/contour-operator/pull/31#issuecomment-700952995

I think we also discussed something like this on one of the Project Contour Community Meeting calls. As I understand it, the suggestion here is to break the internal logic of certgen out into a library that the operator and certgen executables would share. Do I understand the suggestion correctly?

I cannot find any issue for breaking the certgen logic out into a library. Has anyone opened such an issue, or should one be opened under projectcontour/contour (or somewhere else)?

Lastly, certgen has been extended in the past to have some degree of compatibility with cert-manager; would it make sense to continue down this path, and extend the certgen library to support arbitrary platform-specific certificate management systems? So rather than having contour-operator provide a choice between certgen, cert-manager, serving cert signer, or what have you, instead contour-operator would use certgen, and certgen would have capabilities to work independently or to integrate with cert-manager/serving cert signer/whatever. Would this approach be acceptable?

stevesloka commented 3 years ago

I opened (https://github.com/projectcontour/contour/issues/3130) to track this work. I think exposing the cert-gen logic would allow the operator to generate certs dynamically without having to run the job.
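As an added illustration of the in-process approach discussed in this thread (example code, not contour-operator's or Contour's certgen), the block below mints a self-signed CA and the two leaf certificates that secure Contour<>Envoy communication using only crypto/x509. The helper names issue and GenerateContourEnvoyPKI and the common names contour-ca, contour and envoy are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a P-256 key and a cert for cn signed by parent; example helper, not Contour's certgen package.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial; a real issuer uses random serials
		Subject:      pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore:    time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // the CA is a self-signed root, so it signs itself
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: Contour serves xDS over TLS and Envoy authenticates to it as a client
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// GenerateContourEnvoyPKI mints the CA plus the contour and envoy leaf certs in-process,
// which is what the operator could do instead of running the certgen job.
func GenerateContourEnvoyPKI() (ca, contour, envoy *x509.Certificate, err error) {
	ca, caKey, err := issue("contour-ca", true, nil, nil)
	if err == nil {
		contour, _, err = issue("contour", false, ca, caKey)
	}
	if err == nil {
		envoy, _, err = issue("envoy", false, ca, caKey)
	}
	return
}
```

A caller would verify each leaf against the CA (x509.Certificate.Verify with the CA in Roots and the expected DNS name and extended key usage) before writing the PEM into the Secrets Contour and Envoy mount.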