Labels: enhancement (New feature or request)
Description
What would you like to be added?
Ability to use cert-manager for certificate issuance (related issue #212), which would:
- Eliminate the need to deploy and manage Fabric CA servers
- Enable automatic certificate renewal
- Support various issuers (ACME/Let's Encrypt, external CAs, etc.)
Proposed Solution:
Introduce a CertificateProvider interface and refactor the existing code to use an interface-based architecture:

```go
type CertificateProvider interface {
	Enroll(ctx context.Context, req EnrollRequest) (*EnrollResponse, error)
	Reenroll(ctx context.Context, req ReenrollRequest) (*EnrollResponse, error)
	Register(ctx context.Context, req RegisterRequest) (*RegisterResponse, error)
	Revoke(ctx context.Context, req RevokeRequest) error
	GetCACertificate(ctx context.Context) (*x509.Certificate, error)
}
```

Implementations:
- FabricCAProvider - Wraps existing Fabric CA enrollment logic
- VaultProvider - Wraps existing Vault integration logic
- CertManager
```text
┌─────────────────────────────────────────────────────────────┐
│                         Controllers                         │
│            (Peer Controller, Orderer Controller)            │
└─────────────────┬───────────────────────────────────────────┘
                  │
                  │ depends on
                  ▼
┌─────────────────────────────────────────────────────────────┐
│                CertificateProvider Interface                │
│   • Enroll(req EnrollRequest) → Certificate                 │
│   • Reenroll(req ReenrollRequest) → Certificate             │
│   • Register(req RegisterRequest) → Credentials             │
│   • Revoke(req RevokeRequest) → error                       │
└─────────────────┬───────────────────────────────────────────┘
                  │
                  │ implemented by
        ┌─────────┴─────────┬───────────────────┐
        │                   │                   │
        ▼                   ▼                   ▼
 ┌──────────────┐    ┌──────────────┐    ┌──────────────┐
 │   FabricCA   │    │    Vault     │    │ CertManager  │
 │   Provider   │    │   Provider   │    │   Provider   │
 └──────────────┘    └──────────────┘    └──────────────┘
```
Why is this needed?
Currently, HLF-Operator supports two ways for peers and orderers to obtain certificates:
- FabricCA - Deploy Fabric CA server and enroll with it
- Vault - Use HashiCorp Vault's PKI backend
Additionally, the current certificate handling code has architectural issues:
- Tight coupling between controllers and certificate providers
- Code duplication across peer and orderer controllers
- Difficult to test (requires real CA infrastructure)
- Hard to extend with new certificate providers
LeonColt