summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTomasz Wrobel <tomasz.wrobel@nokia.com>2021-07-21 15:37:56 +0200
committerTomasz Wrobel <tomasz.wrobel@nokia.com>2021-07-21 16:52:46 +0200
commitb151ffacf655f2e14f99c6850c53bee562c24e9e (patch)
tree59e7b861d67883ed09f4e76280543d46ca988e8e
parent57d9b2c0a7956306e54234233b8330628ac9f960 (diff)
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add handling request when updateEnpoint is missing
Issue-ID: OOM-2753 Signed-off-by: Tomasz Wrobel <tomasz.wrobel@nokia.com> Change-Id: I06fc3043787631b83cc776b1e446700bd13f9863
-rw-r--r--certServiceK8sExternalProvider/deploy/configuration.yaml1
-rw-r--r--certServiceK8sExternalProvider/deploy/crd.yaml4
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go5
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go17
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go32
5 files changed, 53 insertions, 6 deletions
diff --git a/certServiceK8sExternalProvider/deploy/configuration.yaml b/certServiceK8sExternalProvider/deploy/configuration.yaml
index 5764a52a..45fc5c4f 100644
--- a/certServiceK8sExternalProvider/deploy/configuration.yaml
+++ b/certServiceK8sExternalProvider/deploy/configuration.yaml
@@ -31,6 +31,7 @@ spec:
url: https://oom-cert-service:8443
healthEndpoint: actuator/health
certEndpoint: v1/certificate
+ updateEndpoint: v1/certificate-update
caName: RA
certSecretRef:
name: cmpv2-issuer-secret
diff --git a/certServiceK8sExternalProvider/deploy/crd.yaml b/certServiceK8sExternalProvider/deploy/crd.yaml
index b14d8063..71fb58eb 100644
--- a/certServiceK8sExternalProvider/deploy/crd.yaml
+++ b/certServiceK8sExternalProvider/deploy/crd.yaml
@@ -66,6 +66,9 @@ spec:
certEndpoint:
description: Path of cerfificate signing enpoint.
type: string
+ updateEndpoint:
+ description: Path of certificate update endpoint.
+ type: string
caName:
description: Name of the external CA server configured on CertService API side.
type: string
@@ -99,6 +102,7 @@ spec:
- url
- healthEndpoint
- certEndpoint
+ - updateEndpoint
- caName
- certSecretRef
type: object
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go
index f9005277..a48cb60f 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go
@@ -35,8 +35,8 @@ import (
)
const (
- testPrivateKeyData = "test-private-key"
- testCertificateData = "test-certificate"
+ testPrivateKeyData = "test-private-key"
+ testCertificateData = "test-certificate"
)
func Test_CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk_revisionOne(t *testing.T) {
@@ -128,4 +128,3 @@ func Test_RetrieveOldCertificateAndPk_shouldBeEmptyWhenOldCertificateCannotBeUnm
assert.Equal(t, []byte{}, certificate)
assert.Equal(t, []byte{}, privateKey)
}
-
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index 53932494..db171e33 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -43,6 +43,7 @@ type CertServiceCA struct {
url string
healthEndpoint string
certEndpoint string
+ updateEndpoint string
caName string
certServiceClient certserviceclient.CertServiceClient
}
@@ -55,10 +56,11 @@ func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.
ca.caName = cmpv2Issuer.Spec.CaName
ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
+ ca.updateEndpoint = cmpv2Issuer.Spec.UpdateEndpoint
ca.certServiceClient = certServiceClient
log := leveledlogger.GetLoggerWithName("cmpv2-provisioner")
- log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
+ log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint, "updateEndpoint", ca.updateEndpoint)
return &ca, nil
}
@@ -93,7 +95,6 @@ func (ca *CertServiceCA) Sign(
var response *certserviceclient.CertificatesResponse
var errAPI error
-
if ca.isCertificateUpdate(signCertificateModel) {
log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificateBytes)
log.Info("Attempt to send certificate update request")
@@ -124,7 +125,17 @@ func (ca *CertServiceCA) Sign(
return signedCertificateChain, trustedCertificates, nil
}
+func (ca *CertServiceCA) updateEndpointIsConfigured() bool {
+ log := leveledlogger.GetLoggerWithName("certservice-provisioner")
+ isConfigured := ca.updateEndpoint != ""
+ if !isConfigured {
+ log.Info("Missing 'update endpoint' configuration. Certificates will received by certificate request instead of certificate update request")
+ }
+ return isConfigured
+}
func (ca *CertServiceCA) isCertificateUpdate(signCertificateModel model.SignCertificateModel) bool {
- return len(signCertificateModel.OldCertificateBytes) > 0 && len(signCertificateModel.OldPrivateKeyBytes) > 0
+ return len(signCertificateModel.OldCertificateBytes) > 0 &&
+ len(signCertificateModel.OldPrivateKeyBytes) > 0 &&
+ ca.updateEndpointIsConfigured()
}
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
index e0b0c2e9..39af8ec6 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
@@ -37,6 +37,7 @@ import (
const ISSUER_NAME = "cmpv2-issuer"
const ISSUER_URL = "issuer/url"
+const ISSUER_UPDATE_URL = "update-url"
const ISSUER_NAMESPACE = "onap"
func Test_shouldCreateCorrectCertServiceCA(t *testing.T) {
@@ -122,10 +123,41 @@ func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForUpdateCertific
testdata.VerifyCertsAreEqualToExpected(t, signedPEM, trustedCAs)
}
+func Test_shouldReturnCorrectSignedPemForCertificateRequestWhenUpdateEndpointConfigurationIsMissing(t *testing.T) {
+ issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
+ issuer.Spec.UpdateEndpoint = ""
+ provisionerFactory := ProvisionerFactoryMock{}
+ provisioner, err := provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{})
+
+ issuerNamespaceName := testdata.CreateIssuerNamespaceName(ISSUER_NAMESPACE, ISSUER_NAME)
+ Store(issuerNamespaceName, provisioner)
+
+ provisioner, ok := Load(issuerNamespaceName)
+
+ testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t)
+
+ request := createCertificateRequest()
+ privateKeyBytes := getPrivateKeyBytes()
+
+ signCertificateModel := model.SignCertificateModel{
+ CertificateRequest: request,
+ PrivateKeyBytes: privateKeyBytes,
+ OldCertificateBytes: testdata.OldCertificateBytes,
+ OldPrivateKeyBytes: testdata.OldPrivateKeyBytes,
+ }
+
+ signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel)
+
+ assert.Nil(t, err)
+
+ testdata.VerifyCertsAreEqualToExpected(t, signedPEM, trustedCAs)
+}
+
func createIssuerAndCerts(name string, url string) cmpv2api.CMPv2Issuer {
issuer := cmpv2api.CMPv2Issuer{}
issuer.Name = name
issuer.Spec.URL = url
+ issuer.Spec.UpdateEndpoint = ISSUER_UPDATE_URL
return issuer
}