Feature: Certmgr as an in-process supervisor

[andrewplunk]

Problem:
Currently it's difficult to use certmgr as an in-process supervisor.

Use case:
I am a go library that doesn't want to require my customers to configure Certmgr with cert.Spec JSON files, instead letting them pass in configuration via function parameters.

Potential Solution:

1. Remove the checked-in vendor directory. This causes type issues when using certmgr as a library.
2. Expose the svcmgr.Manager interface on Manager (either within the Manager struct or via a constructor). This will enable users of certmgr to pass in their own svcmgr.Manager implementations, enabling users to restart/reload their process as needed.
3. Don't require cert.Spec to exist on the filesystem. Currently the Load() function initializes the renew channel. This makes it impossible to configure certmgr without writing a Spec to the filesystem, which is cumbersome from a library perspective.

[kisom]

This is really interesting --- I'd never really considered the use case where certmgr was a library.

To address the points:

1. Easy enough. The only thing I really worry about it is dependencies disappearing from Github, but the risk is low because only the prometheus library and cobra/viper packages are the external dependencies.
2. This should also be relatively straightforward.
3. This could be done by having a different function to return an initialised manager.

letting them pass in configuration via function parameters.

What does that look like?

[cbroglie]

Could you just migrate to dep for 1?

[kisom]

@cbroglie Indeed.

[kisom]

@andrewplunk One thing that occurs to me, have you tried using the CFSSL transport package? certmgr is essentially a UI on top of this, so it might be useful, too.

[andrewplunk]

@kisom

letting them pass in configuration via function parameters.

What does that look like?
I would like my clients to provide my library with the CA label and auth key required to provision certs from the transport. I would then configure certmgr with my own svcmgr.Manager implementation to handle reloading the tls.GetClientCertificate/tls.GetCertificate's caches as necessary.

@andrewplunk One thing that occurs to me, have you tried using the CFSSL transport package? certmgr is essentially a UI on top of this, so it might be useful, too.

You're totally right I could build this on top of the CFSSL transport package. I will do so if you don't think that certmgr makes sense as a library.