feat(signer): embed CA certificates

Some applications require a CA certificate to serve a certificate signed
by an untrusted root. To support these applications begin populating the
"ca.crt" field on managed Secret resources.

This changeset embeds the current Origin CA root certificates, while
waiting for them to be surfaced via the Cloudflare API. A future change
will migrate to using those returned CAs.

Bug: #70

pkgs/controllers/certificates/origin_ca_ecc_root.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICiTCCAi6gAwIBAgIUXZP3MWb8MKwBE1Qbawsp1sfA/Y4wCgYIKoZIzj0EAwIw
+gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
+YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
+Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
+eTAeFw0xOTA4MjMyMTA4MDBaFw0yOTA4MTUxNzAwMDBaMIGPMQswCQYDVQQGEwJV
+UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ
+MBcGA1UEChMQQ2xvdWRGbGFyZSwgSW5jLjE4MDYGA1UECxMvQ2xvdWRGbGFyZSBP
+cmlnaW4gU1NMIEVDQyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAASR+sGALuaGshnUbcxKry+0LEXZ4NY6JUAtSeA6g87K3jaA
+xpIg9G50PokpfWkhbarLfpcZu0UAoYy2su0EhN7wo2YwZDAOBgNVHQ8BAf8EBAMC
+AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUhTBdOypw1O3VkmcH/es5
+tBoOOKcwHwYDVR0jBBgwFoAUhTBdOypw1O3VkmcH/es5tBoOOKcwCgYIKoZIzj0E
+AwIDSQAwRgIhAKilfntP2ILGZjwajktkBtXE1pB4Y/fjAfLkIRUzrI15AiEA5UCL
+XYZZ9m2c3fKwIenMMojL1eqydsgqj/wK4p5kagQ=
+-----END CERTIFICATE-----

pkgs/controllers/certificates/origin_ca_rsa_root.pem

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEADCCAuigAwIBAgIID+rOSdTGfGcwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV
+BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91
+ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQH
+Ew1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMB4XDTE5MDgyMzIx
+MDgwMFoXDTI5MDgxNTE3MDAwMFowgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBD
+bG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wg
+Q2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMw
+EQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAwEiVZ/UoQpHmFsHvk5isBxRehukP8DG9JhFev3WZtG76WoTthvLJFRKFCHXm
+V6Z5/66Z4S09mgsUuFwvJzMnE6Ej6yIsYNCb9r9QORa8BdhrkNn6kdTly3mdnykb
+OomnwbUfLlExVgNdlP0XoRoeMwbQ4598foiHblO2B/LKuNfJzAMfS7oZe34b+vLB
+yrP/1bgCSLdc1AxQc1AC0EsQQhgcyTJNgnG4va1c7ogPlwKyhbDyZ4e59N5lbYPJ
+SmXI/cAe3jXj1FBLJZkwnoDKe0v13xeF+nF32smSH0qB7aJX2tBMW4TWtFPmzs5I
+lwrFSySWAdwYdgxw180yKU0dvwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
+VR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUJOhTV118NECHqeuU27rhFnj8KaQw
+HwYDVR0jBBgwFoAUJOhTV118NECHqeuU27rhFnj8KaQwDQYJKoZIhvcNAQELBQAD
+ggEBAHwOf9Ur1l0Ar5vFE6PNrZWrDfQIMyEfdgSKofCdTckbqXNTiXdgbHs+TWoQ
+wAB0pfJDAHJDXOTCWRyTeXOseeOi5Btj5CnEuw3P0oXqdqevM1/+uWp0CM35zgZ8
+VD4aITxity0djzE6Qnx3Syzz+ZkoBgTnNum7d9A66/V636x4vTeqbZFBr9erJzgz
+hhurjcoacvRNhnjtDRM0dPeiCJ50CP3wEYuvUzDHUaowOsnLCjQIkWbR7Ni6KEIk
+MOz2U0OBSif3FTkhCgZWQKOOLo1P42jHC3ssUZAtVNXrCk3fw9/E15k8NPkBazZ6
+0iykLhH1trywrKRMVw67F44IE8Y=
+-----END CERTIFICATE-----

pkgs/controllers/signer.go

@@ -2,6 +2,7 @@ package controllers
 
 import (
 	"context"
+	"embed"
 	"errors"
 	"fmt"
 	"math"
@@ -18,6 +19,14 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 )
 
+//go:embed certificates
+var certificateFS embed.FS
+
+var (
+	rsaCAPEM = MustReadFile("certificates/origin_ca_rsa_root.pem", certificateFS)
+	eccCAPEM = MustReadFile("certificates/origin_ca_ecc_root.pem", certificateFS)
+)
+
 //go:generate controller-gen rbac:roleName=originissuer-control paths=./. output:rbac:artifacts:config=../../deploy/rbac
 
 // +kubebuilder:rbac:groups=cert-manager.io,resources=certificaterequests,verbs=get;list;watch
@@ -130,11 +139,14 @@ func (s *Signer) Sign(ctx context.Context, req signer.CertificateRequestObject,
 	}
 
 	var reqType string
+	var caPEM []byte
 	switch iss.GetRequestType() {
 	case v1.RequestTypeOriginECC:
 		reqType = "origin-ecc"
+		caPEM = eccCAPEM
 	case v1.RequestTypeOriginRSA:
 		reqType = "origin-rsa"
+		caPEM = rsaCAPEM
 	}
 
 	resp, err := client.Sign(ctx, &cfapi.SignRequest{
@@ -154,6 +166,7 @@ func (s *Signer) Sign(ctx context.Context, req signer.CertificateRequestObject,
 
 	return signer.PEMBundle{
 		ChainPEM: []byte(resp.Certificate),
+		CAPEM:    caPEM,
 	}, nil
 }
 
@@ -174,3 +187,11 @@ func closest(of int, valid []int) int {
 
 	return closest
 }
+
+func MustReadFile(filename string, fs embed.FS) []byte {
+	b, err := fs.ReadFile(filename)
+	if err != nil {
+		panic(err)
+	}
+	return b
+}

pkgs/controllers/signer_e2e_test.go

@@ -149,6 +149,7 @@ func TestOriginIssuerCertificateRequestE2E(t *testing.T) {
 	}
 	assert.NilError(t, c.Get(ctx, namespacedName, cr))
 	golden.AssertBytes(t, cr.Status.Certificate, "certificate.golden")
+	assert.DeepEqual(t, cr.Status.CA, eccCAPEM)
 }
 
 func envtestConfig(t *testing.T) *rest.Config {

pkgs/controllers/signer_test.go

@@ -88,6 +88,7 @@ func TestCertificateRequestReconcile(t *testing.T) {
 			recorder: RecorderMust(t, "testdata/working"),
 			expected: signer.PEMBundle{
 				ChainPEM: golden.Get(t, "certificate.golden"),
+				CAPEM:    eccCAPEM,
 			},
 		},
 		{
@@ -136,6 +137,7 @@ func TestCertificateRequestReconcile(t *testing.T) {
 			recorder: RecorderMust(t, "testdata/working"),
 			expected: signer.PEMBundle{
 				ChainPEM: golden.Get(t, "certificate.golden"),
+				CAPEM:    eccCAPEM,
 			},
 		},
 		{
@@ -185,6 +187,7 @@ func TestCertificateRequestReconcile(t *testing.T) {
 			recorder: RecorderMust(t, "testdata/working"),
 			expected: signer.PEMBundle{
 				ChainPEM: golden.Get(t, "certificate.golden"),
+				CAPEM:    eccCAPEM,
 			},
 		},
 		{
@@ -233,6 +236,7 @@ func TestCertificateRequestReconcile(t *testing.T) {
 			recorder: RecorderMust(t, "testdata/working"),
 			expected: signer.PEMBundle{
 				ChainPEM: golden.Get(t, "certificate.golden"),
+				CAPEM:    eccCAPEM,
 			},
 		},
 		{