authorJan Malkiewicz <jan.malkiewicz@nokia.com>2020-10-23 09:46:13 +0200
committerJan Malkiewicz <jan.malkiewicz@nokia.com>2020-10-26 08:57:00 +0100
commita7bb3d59e71f7f7980f8b7db400df94cabd92c0a (patch)
tree75891dbe1512a6d035e054f4b88104f26778beea
parentee23e5f54f96807b1f1fff0b45238a247d3dd8e0 (diff)
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add health check of CMPv2 provisioner (cert-service-api)
Issue-ID: OOM-2559 Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com> Change-Id: I81d4dcfcb10f71182ea667770bafb9556817b793
-rw-r--r--certServiceK8sExternalProvider/deploy/configuration.yaml4
-rw-r--r--certServiceK8sExternalProvider/deploy/crd.yaml8
-rw-r--r--certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go22
-rw-r--r--certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go44
-rw-r--r--certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go54
-rw-r--r--certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go57
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go4
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go5
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go9
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go47
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go3
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go6
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go5
13 files changed, 204 insertions, 64 deletions
diff --git a/certServiceK8sExternalProvider/deploy/configuration.yaml b/certServiceK8sExternalProvider/deploy/configuration.yaml
index 4a0f2dc6..5764a52a 100644
--- a/certServiceK8sExternalProvider/deploy/configuration.yaml
+++ b/certServiceK8sExternalProvider/deploy/configuration.yaml
@@ -28,7 +28,9 @@ metadata:
name: cmpv2-issuer
namespace: onap
spec:
- url: https://oom-cert-service:8443/v1/certificate/
+ url: https://oom-cert-service:8443
+ healthEndpoint: actuator/health
+ certEndpoint: v1/certificate
caName: RA
certSecretRef:
name: cmpv2-issuer-secret
diff --git a/certServiceK8sExternalProvider/deploy/crd.yaml b/certServiceK8sExternalProvider/deploy/crd.yaml
index cc884388..b14d8063 100644
--- a/certServiceK8sExternalProvider/deploy/crd.yaml
+++ b/certServiceK8sExternalProvider/deploy/crd.yaml
@@ -60,6 +60,12 @@ spec:
url:
description: URL to CertService API.
type: string
+ healthEndpoint:
+ description: Path of health check endpoint.
+ type: string
+ certEndpoint:
+ description: Path of cerfificate signing enpoint.
+ type: string
caName:
description: Name of the external CA server configured on CertService API side.
type: string
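Review bot: The description of the new `certEndpoint` property misspells two words; it should read `description: Path of certificate signing endpoint.` Both new string properties are listed as required in the next hunk but carry no `minLength` or `pattern`, so an empty path is accepted by the API server and only shows up later when the client URLs are built from it; `minLength: 1` on each would catch that at admission time.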
@@ -91,6 +97,8 @@ spec:
type: object
required:
- url
+ - healthEndpoint
+ - certEndpoint
- caName
- certSecretRef
type: object
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
index 870a3eda..15b90624 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
@@ -23,6 +23,7 @@ package certserviceclient
import (
"encoding/base64"
"encoding/json"
+ "fmt"
"net/http"
)
@@ -33,9 +34,11 @@ const (
type CertServiceClient interface {
GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error)
+ CheckHealth() error
}
type CertServiceClientImpl struct {
+ healthUrl string
certificationUrl string
httpClient HTTPClient
}
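Review bot: `CheckHealth() error` is added to the exported CertServiceClient interface without a doc comment, while the existing interface method has none either it is worth adding one for the new contract: `// CheckHealth sends a GET to the health URL and returns a non-nil error unless the service answers 200.` Go's initialism convention would name the new struct field `healthURL`, although the neighbouring `certificationUrl` already uses the lower-case form, so consistency inside the struct may take precedence.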
@@ -49,6 +52,25 @@ type CertificatesResponse struct {
TrustedCertificates []string `json:"trustedCertificates"`
}
+func (client *CertServiceClientImpl) CheckHealth() error {
+ request, err := http.NewRequest("GET", client.healthUrl, nil)
+ if err != nil {
+ return err
+ }
+
+ response, err := client.httpClient.Do(request)
+ if err != nil {
+ return err
+ }
+
+ if response.StatusCode != 200 {
+ return fmt.Errorf("health check retured status code [%d]", response.StatusCode)
+ }
+
+ return nil
+}
+
+
func (client *CertServiceClientImpl) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) {
request, err := http.NewRequest("GET", client.certificationUrl, nil)
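Review bot: CheckHealth never closes `response.Body`, so every health probe leaks the underlying connection of the mTLS client; add `defer response.Body.Close()` right after the `Do` error check and drain or ignore the body. The status comparison should use the named constant and the error text has a typo: `if response.StatusCode != http.StatusOK {` and `return fmt.Errorf("health check returned status code [%d]", response.StatusCode)`. Note that the mocks in cert_service_client_test.go return `Body: nil`, which a real `http.Client` never does, so they would need `Body: http.NoBody` once the close is added. GetCertificates, whose first line is the last line of this hunk, continues outside it.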
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
index 198f2294..2c04b908 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
@@ -29,7 +29,8 @@ import (
"path"
)
-func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) {
+func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint string, caName string,
+ keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) {
cert, err := tls.X509KeyPair(certPemBase64, keyPemBase64)
if err != nil {
return nil, err
@@ -48,27 +49,48 @@ func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte,
},
},
}
- certificationUrl, err := parseUrl(baseUrl, caName)
+ healthUrl, certificationUrl, err := validateAndParseUrls(baseUrl, healthEndpoint, certEndpoint, caName)
if err != nil {
return nil, err
}
client := CertServiceClientImpl{
- certificationUrl: certificationUrl.String(),
+ healthUrl: healthUrl,
+ certificationUrl: certificationUrl,
httpClient: httpClient,
}
return &client, nil
}
-func parseUrl(baseUrl string, caName string) (*url.URL, error) {
- parsedUrl, err := url.Parse(baseUrl)
- if err != nil {
- return nil, err
+func validateAndParseUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) (string, string, error) {
+ if err := validateUrls(baseUrl, healthEndpoint, certEndpoint, caName); err != nil {
+ return "", "", err
+ }
+
+ certUrl, _ := url.Parse(baseUrl)
+ healthUrl, _ := url.Parse(baseUrl)
+
+ certUrl.Path = path.Join(certEndpoint, caName)
+ healthUrl.Path = path.Join(healthEndpoint)
+
+ return healthUrl.String(), certUrl.String(), nil
+}
+
+func validateUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) error {
+ if _, err := url.Parse(baseUrl); err != nil {
+ return err
}
if caName == "" {
- return nil, fmt.Errorf("caName cannot be empty")
+ return fmt.Errorf("caName cannot be empty")
}
-
- parsedUrl.Path = path.Join(parsedUrl.Path, caName)
- return parsedUrl, nil
+ if _, err := url.Parse(caName); err != nil {
+ return err
+ }
+ if _, err := url.Parse(healthEndpoint); err != nil {
+ return err
+ }
+ if _, err := url.Parse(certEndpoint); err != nil {
+ return err
+ }
+ return nil
}
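Review bot: `certUrl.Path = path.Join(certEndpoint, caName)` and `healthUrl.Path = path.Join(healthEndpoint)` overwrite whatever path the base URL already carried, whereas the replaced code appended to `parsedUrl.Path`; a base such as `https://host:8443/prefix` (constructed example) would silently lose its prefix. The fix is `certUrl.Path = path.Join(certUrl.Path, certEndpoint, caName)` and `healthUrl.Path = path.Join(healthUrl.Path, healthEndpoint)`. The checks in validateUrls are weaker than they look: `url.Parse` accepts almost any string, so an empty endpoint passes, and because `path.Join` cleans `..` segments a caName or endpoint containing `/` or `..` rewrites the target path instead of being rejected; requiring non-empty values and a single-segment caName (`strings.ContainsAny(caName, "/?#")`) would make the validation meaningful. The two `_` discards on `url.Parse` are safe only because validateUrls parsed the same string a few lines earlier; a short comment saying so would help the next reader.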
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
index 50a6d796..5d255a62 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
@@ -29,42 +29,70 @@ import (
)
const (
- validUrl = "https://oom-cert-service:8443/v1/certificate/"
- validUrl2 = "https://oom-cert-service:8443/v1/certificate"
- invalidUrl = "https://oom-cert service:8443/v1/certificate"
+ validUrl = "https://oom-cert-service:8443/"
+ validUrl2 = "https://oom-cert-service:8443"
+ invalidUrl = "https://oom-cert service:8443/"
+ healthEndpoint = "actuator/health"
+ healthEndpointInvalid = ":/actuator/health"
+ certEndpoint = "v1/certificate"
+ certEndpointInvalid = ":/v1/certificate"
caName = "RA"
+ caNameInvalid = ":/RA"
expectedCertificationUrl = "https://oom-cert-service:8443/v1/certificate/RA"
+ expectedHealthCheckUrl = "https://oom-cert-service:8443/actuator/health"
)
func Test_shouldCreateCertServiceClient(t *testing.T) {
- shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl)
- shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl2)
+ shouldCreateCertServiceClientWithExpectedUrl(t, validUrl)
+ shouldCreateCertServiceClientWithExpectedUrl(t, validUrl2)
}
-func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, expectedCertificationUrl string, baseUrl string) {
- client, err := CreateCertServiceClient(baseUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, baseUrl string) {
+ client, err := CreateCertServiceClient(baseUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
assert.NotNil(t, client)
assert.Nil(t, err)
assert.Equal(t, expectedCertificationUrl, client.certificationUrl)
+ assert.Equal(t, expectedHealthCheckUrl, client.healthUrl)
+}
+
+func Test_shouldReturnError_whenCaNameInvalid(t *testing.T) {
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caNameInvalid, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+ assert.Nil(t, client)
+ assert.Error(t, err)
+}
+
+func Test_shouldReturnError_whenHealthEndpointInvalid(t *testing.T) {
+ client, err := CreateCertServiceClient(validUrl, healthEndpointInvalid, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+ assert.Nil(t, client)
+ assert.Error(t, err)
+}
+
+func Test_shouldReturnError_whenCertEndpointInvalid(t *testing.T) {
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpointInvalid, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+ assert.Nil(t, client)
+ assert.Error(t, err)
}
func Test_shouldReturnError_whenUrlInvalid(t *testing.T) {
- client, err := CreateCertServiceClient(invalidUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+ client, err := CreateCertServiceClient(invalidUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
assert.Nil(t, client)
assert.Error(t, err)
}
func Test_shouldReturnError_whenCanameEmpty(t *testing.T) {
- client, err := CreateCertServiceClient(validUrl, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
assert.Nil(t, client)
assert.Error(t, err)
}
func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) {
- client, err := CreateCertServiceClient(validUrl, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes)
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes)
assert.Nil(t, client)
assert.Error(t, err)
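Review bot: None of the new tests cover a base URL that already has a path component or an empty healthEndpoint/certEndpoint, which are exactly the cases where the new URL assembly in validateAndParseUrls behaves differently from the replaced parseUrl. The three `Invalid` constants all use the `:/` prefix, so the tests only exercise the one malformed shape `url.Parse` rejects for a relative path, not values containing `/`, `..` or whitespace. A table-driven test over baseUrl/endpoint/caName combinations with the expected assembled URL would pin the intended behaviour better than the asserted-error pattern alone.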
@@ -72,7 +100,7 @@ func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) {
func Test_shouldReturnError_whenKeyInvalid(t *testing.T) {
//Cert used as key
- client, err := CreateCertServiceClient(validUrl, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes)
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes)
assert.Nil(t, client)
assert.Error(t, err)
@@ -80,7 +108,7 @@ func Test_shouldReturnError_whenKeyInvalid(t *testing.T) {
func Test_shouldReturnError_whenCertInvalid(t *testing.T) {
//Cacert used as cert
- client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes)
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes)
assert.Nil(t, client)
assert.Error(t, err)
@@ -88,7 +116,7 @@ func Test_shouldReturnError_whenCertInvalid(t *testing.T) {
func Test_shouldReturnError_whenCacertInvalid(t *testing.T) {
//Key used as cacert
- client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes)
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes)
assert.Nil(t, client)
assert.Error(t, err)
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
index 1e15d43e..06fc4792 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
@@ -37,7 +37,7 @@ const (
)
-func Test_shouldParseCertificateResponseCorrectly(t *testing.T) {
+func Test_GetCertificates_shouldParseCertificateResponseCorrectly(t *testing.T) {
responseJson := `{"certificateChain": ["cert-0", "cert-1"], "trustedCertificates": ["trusted-cert-0", "trusted-cert-1"]}`
responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))
client := CertServiceClientImpl{
@@ -56,7 +56,7 @@ func Test_shouldParseCertificateResponseCorrectly(t *testing.T) {
assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates)
}
-func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
+func Test_GetCertificates_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
responseJson := `not a json`
responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))
client := CertServiceClientImpl{
@@ -76,7 +76,7 @@ func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
assert.Error(t, err)
}
-func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
+func Test_GetCertificates_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
client := CertServiceClientImpl{
certificationUrl: certificationUrl,
httpClient: &httpClientMock{
@@ -91,6 +91,57 @@ func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
assert.Error(t, err)
}
+func Test_CheckHealth_shouldReturnNil_whenHttpClientReturnsStatusCode200(t *testing.T) {
+ client := CertServiceClientImpl{
+ certificationUrl: certificationUrl,
+ httpClient: &httpClientMock{
+ DoFunc: func(req *http.Request) (response *http.Response, e error) {
+ mockedResponse := &http.Response{
+ Body: nil,
+ StatusCode: 200,
+ }
+ return mockedResponse, nil
+ },
+ },
+ }
+
+ err := client.CheckHealth()
+
+ assert.Nil(t, err)
+}
+
+func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsStatusCode404(t *testing.T) {
+ client := CertServiceClientImpl{
+ certificationUrl: certificationUrl,
+ httpClient: &httpClientMock{
+ DoFunc: func(req *http.Request) (response *http.Response, e error) {
+ mockedResponse := &http.Response{
+ Body: nil,
+ StatusCode: 404,
+ }
+ return mockedResponse, nil
+ },
+ },
+ }
+
+ err := client.CheckHealth()
+
+ assert.Error(t, err)
+}
+
+func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
+ client := CertServiceClientImpl{
+ certificationUrl: certificationUrl,
+ httpClient: &httpClientMock{
+ DoFunc: func(req *http.Request) (response *http.Response, err error) {
+ return nil, fmt.Errorf("mock error")
+ },
+ },
+ }
+ err := client.CheckHealth()
+
+ assert.Error(t, err)
+}
type httpClientMock struct {
DoFunc func(*http.Request) (*http.Response, error)
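Review bot: The three CheckHealth tests construct the client without `healthUrl` and the DoFunc mocks never inspect the request, so a regression that probed `certificationUrl` or used the wrong method would still pass; asserting `assert.Equal(t, healthUrl, req.URL.String())` and `assert.Equal(t, "GET", req.Method)` inside DoFunc would close that gap. The mocked responses use `Body: nil`, which a real `http.Client` never returns; `Body: http.NoBody` keeps the tests valid once CheckHealth closes the body. The httpClientMock type declaration that starts on the last lines of this hunk continues outside it.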
diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
index f26dc876..73392060 100644
--- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
+++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
@@ -37,6 +37,10 @@ func init() {
type CMPv2IssuerSpec struct {
// URL is the base URL for the CertService certificates instance.
URL string `json:"url"`
+ // Path to health check endpoint.
+ HealthEndpoint string `json:"healthEndpoint"`
+ // Path to certificate signing endpoint.
+ CertEndpoint string `json:"certEndpoint"`
// CaName is the name of the external CA server
CaName string `json:"caName"`
// KeyRef is a reference to a Secret containing the provisioner
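Review bot: The two new field comments do not follow the convention used by their neighbours (`// URL is ...`, `// CaName is ...`), where a doc comment starts with the field name: `// HealthEndpoint is the path of the health check endpoint, joined onto URL.` and `// CertEndpoint is the path of the certificate signing endpoint, joined onto URL.` Stating that the values are relative to URL is worth doing here, since the CRD description alone does not say how they combine. The CMPv2IssuerSpec struct continues past the end of this hunk.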
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
index d526bbc8..136d3eb4 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
@@ -65,6 +65,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
// 1. Fetch the CertificateRequest resource being reconciled.
certificateRequest := new(cmapi.CertificateRequest)
+ log.Info("Registered new certificate sign request: ", "cert-name", certificateRequest.Name)
if err := controller.Client.Get(ctx, k8sRequest.NamespacedName, certificateRequest); err != nil {
err = handleErrorResourceNotFound(log, err)
return ctrl.Result{}, err
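Review bot: The added log line reads `certificateRequest.Name` on the object just created by `new(cmapi.CertificateRequest)`, before `controller.Client.Get` has populated it, so `cert-name` is always empty; either move the line below the Get or log the key that is already known: `log.Info("Registered new certificate sign request: ", "cert-name", k8sRequest.NamespacedName)`. The wording "new" is also only approximately right, since Reconcile runs on every update of the resource, not just creation. The next two hunks promote `log.V(4).Info` to `log.Info`, which means every non-CMPv2 CertificateRequest in the cluster and every already-completed request will now produce an Info line on each reconcile; keeping those at a verbosity level is the usual controller-runtime convention. Reconcile starts before this hunk and continues after it.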
@@ -72,7 +73,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
// 2. Check if CertificateRequest is meant for CMPv2Issuer (if not ignore)
if !isCMPv2CertificateRequest(certificateRequest) {
- log.V(4).Info("Certificate request is not meant for CMPv2Issuer (ignoring)",
+ log.Info("Certificate request is not meant for CMPv2Issuer (ignoring)",
"group", certificateRequest.Spec.IssuerRef.Group,
"kind", certificateRequest.Spec.IssuerRef.Kind)
return ctrl.Result{}, nil
@@ -81,7 +82,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
// 3. If the certificate data is already set then we skip this request as it
// has already been completed in the past.
if len(certificateRequest.Status.Certificate) > 0 {
- log.V(4).Info("Existing certificate data found in status, skipping already completed CertificateRequest")
+ log.Info("Existing certificate data found in status, skipping already completed CertificateRequest")
return ctrl.Result{}, nil
}
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
index 1b4e5312..c6e0e1da 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
@@ -83,7 +83,7 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul
return ctrl.Result{}, err
}
- // 4. Create CMPv2 provisioner and store the instance for further use
+ // 4. Create CMPv2 provisioner
provisioner, err := provisioners.CreateProvisioner(issuer, secret)
if err != nil {
log.Error(err, "failed to initialize provisioner")
@@ -91,9 +91,14 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul
handleErrorProvisionerInitialization(ctx, log, err, statusUpdater)
return ctrl.Result{}, err
}
+
+ // 5. Check health of the provisioner and store the instance for further use
+ if err := provisioner.CheckHealth(); err != nil {
+ return ctrl.Result{}, err
+ }
provisioners.Store(req.NamespacedName, provisioner)
- // 5. Update the status of CMPv2Issuer to 'Validated'
+ // 6. Update the status of CMPv2Issuer to 'Validated'
if err := updateCMPv2IssuerStatusToVerified(statusUpdater, ctx, log); err != nil {
handleErrorUpdatingCMPv2IssuerStatus(log, err)
return ctrl.Result{}, err
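Review bot: A failed `provisioner.CheckHealth()` returns the error without logging it or touching the issuer status, unlike the initialization branch just above that calls `log.Error(...)` and `handleErrorProvisionerInitialization(ctx, log, err, statusUpdater)`; a CMPv2Issuer pointing at an unreachable CertService therefore never gets a condition explaining why it is not Validated, and the only trace is controller-runtime's generic requeue. At minimum add `log.Error(err, "provisioner health check failed")` before the return, and consider routing it through the same status-update helper so the failure is visible on the resource. Reconcile continues outside this hunk.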
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index 67d719cc..c0304d7d 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -29,7 +29,6 @@ import (
"bytes"
"context"
"crypto/x509"
- "encoding/base64"
"encoding/pem"
"fmt"
"sync"
@@ -47,6 +46,8 @@ var collection = new(sync.Map)
type CertServiceCA struct {
name string
url string
+ healthEndpoint string
+ certEndpoint string
caName string
certServiceClient certserviceclient.CertServiceClient
}
@@ -57,14 +58,22 @@ func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.
ca.name = cmpv2Issuer.Name
ca.url = cmpv2Issuer.Spec.URL
ca.caName = cmpv2Issuer.Spec.CaName
+ ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
+ ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
ca.certServiceClient = certServiceClient
log := ctrl.Log.WithName("cmpv2-provisioner")
- log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName)
+ log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
return &ca, nil
}
+func (ca *CertServiceCA) CheckHealth() error {
+ log := ctrl.Log.WithName("cmpv2-provisioner")
+ log.Info("Checking health of CMPv2 issuer: ", "name", ca.name)
+ return ca.certServiceClient.CheckHealth()
+}
+
func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) {
provisioner, ok := collection.Load(namespacedName)
if !ok {
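Review bot: The exported `CheckHealth` method on CertServiceCA has no doc comment; `// CheckHealth delegates to the configured CertService client's health check and returns its error unchanged.` states the visible contract. Creating `ctrl.Log.WithName("cmpv2-provisioner")` on each call mirrors what New does, so it is consistent, but the log message's trailing `": "` carries into the structured output. Load starts on the last lines of this hunk and continues outside it.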
@@ -99,30 +108,27 @@ func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanag
log.Info("Certificate Chain", "cert-chain", response.CertificateChain)
log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates)
- cert := x509.Certificate{}
- cert.Raw = csr.Raw
// TODO
- // write here code which will call CertServiceCA and sign CSR
- // END
-
+ // stored response as PEM
+ cert := x509.Certificate{}
+ cert.Raw = csr.Raw
encodedPEM, err := encodeX509(&cert)
if err != nil {
return nil, nil, err
}
+ // END
signedPEM := encodedPEM
trustedCA := encodedPEM
- log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
log.Info("Signed cert PEM: ", "bytes", signedPEM)
log.Info("Trusted CA PEM: ", "bytes", trustedCA)
+ log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
return signedPEM, trustedCA, nil
}
-// TODO JM utility methods - will be used in "real" implementation
-
// decodeCSR decodes a certificate request in PEM format and returns the
func decodeCSR(data []byte) (*x509.CertificateRequest, error) {
block, rest := pem.Decode(data)
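Review bot: The new comment `// stored response as PEM` does not describe the code under it: `cert.Raw = csr.Raw` re-encodes the CSR's DER as a CERTIFICATE block, and `response.CertificateChain`/`response.TrustedCertificates` are only logged, so what Sign returns as signedPEM and trustedCA is not the CA's output. Since the TODO/END markers are kept, this appears to be an intentional placeholder, and the comment should say so plainly, e.g. `// TODO: placeholder — the CSR is re-encoded as the "signed" certificate; the CertService response is not used yet`, so that nobody reads the returned bytes as a real certificate chain. Sign starts before this hunk and decodeCSR continues after it.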
@@ -151,24 +157,3 @@ func encodeX509(cert *x509.Certificate) ([]byte, error) {
}
return caPem.Bytes(), nil
}
-
-// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The
-// CSRs generated by the Certificate resource have always those SANs. If no SANs
-// are available `certservice-issuer-certificate` will be used as a subject is always
-// required.
-func generateSubject(sans []string) string {
- if len(sans) == 0 {
- return "certservice-issuer-certificate"
- }
- for _, s := range sans {
- if s != "127.0.0.1" && s != "localhost" {
- return s
- }
- }
- return sans[0]
-}
-
-func decode(cert string) []byte {
- bytes, _ := base64.RawStdEncoding.DecodeString(cert)
- return bytes
-}
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
index 125c1bc6..27f5c108 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
@@ -44,7 +44,8 @@ func CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertSer
return nil, err
}
- certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
+ certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.HealthEndpoint, issuer.Spec.CertEndpoint,
+ issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
if err != nil {
return nil, err
}
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
index 1e215d3f..3c0dbfd7 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
@@ -35,6 +35,8 @@ import (
const (
secretName = "issuer-cert-secret"
url = "https://oom-cert-service:8443/v1/certificate/"
+ healthEndpoint = "actuator/health"
+ certEndpoint = "v1/certificate"
caName = "RA"
keySecretKey = "cmpv2Issuer-key.pem"
certSecretKey = "cmpv2Issuer-cert.pem"
@@ -49,6 +51,8 @@ func Test_shouldCreateProvisioner(t *testing.T) {
assert.NotNil(t, provisioner)
assert.Equal(t, url, provisioner.url)
assert.Equal(t, caName, provisioner.caName)
+ assert.Equal(t, healthEndpoint, provisioner.healthEndpoint)
+ assert.Equal(t, certEndpoint, provisioner.certEndpoint)
}
func Test_shouldReturnError_whenSecretMissingKeyRef(t *testing.T) {
@@ -103,6 +107,8 @@ func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) {
issuer := cmpv2api.CMPv2Issuer{
Spec: cmpv2api.CMPv2IssuerSpec{
URL: url,
+ HealthEndpoint: healthEndpoint,
+ CertEndpoint: certEndpoint,
CaName: caName,
CertSecretRef: cmpv2api.SecretKeySelector{
Name: secretName,
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
index 39e399b8..31f2bc26 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
@@ -167,3 +167,8 @@ type certServiceClientMock struct {
func (client *certServiceClientMock) GetCertificates(csr []byte, key []byte) (*certserviceclient.CertificatesResponse, error) {
return client.getCertificatesFunc(csr, key)
}
+
+func (client *certServiceClientMock) CheckHealth() error {
+ return nil
+}
+
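Review bot: The mock's `CheckHealth` always returns nil and offers no hook, unlike `GetCertificates`, which delegates to `client.getCertificatesFunc`; this makes the failing-health path in the issuer controller untestable with this mock. Adding a `checkHealthFunc func() error` field to certServiceClientMock and returning `client.checkHealthFunc()` keeps the two methods symmetrical. The certServiceClientMock struct definition starts before this hunk.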