aboutsummaryrefslogtreecommitdiffstats
path: root/certServiceK8sExternalProvider/src/certservice-controller
diff options
context:
space:
mode:
authorJan Malkiewicz <jan.malkiewicz@nokia.com>2020-10-06 14:49:21 +0200
committerJan Malkiewicz <jan.malkiewicz@nokia.com>2020-10-08 18:09:51 +0200
commit6ff92492d2d1712443fa2bef73f28bd8b8554e23 (patch)
tree412f3011d267c1c934f383a8047a88e935203e59 /certServiceK8sExternalProvider/src/certservice-controller
parentb1ec7f0d28bcd699c9dc5aaf23e902f04145863c (diff)
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Create mock implementation
This project is a GOlang implementation of an external provider for kubernetes cert-manager. External provider will use OOM CertService as backend signing CA. Mock implementation only logs intent of certificate signing. In order to provide the ultimate implemenatation please extend file 'certservice-provisioner.go'. Issue-ID: OOM-2559 Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com> Change-Id: Ib3de4ca4c54424042ddaa50507375815cc3da7f4
Diffstat (limited to 'certServiceK8sExternalProvider/src/certservice-controller')
-rw-r--r--certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go162
-rw-r--r--certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_reconciler.go125
-rw-r--r--certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_status_reconciler.go115
3 files changed, 402 insertions, 0 deletions
diff --git a/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go b/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go
new file mode 100644
index 00000000..1a917e1b
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go
@@ -0,0 +1,162 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright 2019 The cert-manager authors.
+ * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * This source code was copied from the following git repository:
+ * https://github.com/smallstep/step-issuer
+ * The source code was modified for usage in the ONAP project.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package certservice_controller
+
+import (
+ "context"
+ "fmt"
+ "onap.org/oom-certservice/k8s-external-provider/src/api"
+ provisioners "onap.org/oom-certservice/k8s-external-provider/src/certservice-provisioner"
+
+ "github.com/go-logr/logr"
+ apiutil "github.com/jetstack/cert-manager/pkg/api/util"
+ cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2"
+ cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
+ core "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/client-go/tools/record"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// CertificateRequestReconciler reconciles a CertServiceIssuer object.
+type CertificateRequestReconciler struct {
+ client.Client
+ Log logr.Logger
+ Recorder record.EventRecorder
+}
+
+// Reconcile will read and validate a CertServiceIssuer resource associated to the
+// CertificateRequest resource, and it will sign the CertificateRequest with the
+// provisioner in the CertServiceIssuer.
+func (r *CertificateRequestReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+ ctx := context.Background()
+ log := r.Log.WithValues("certificaterequest", req.NamespacedName)
+
+ // Fetch the CertificateRequest resource being reconciled.
+ // Just ignore the request if the certificate request has been deleted.
+ cr := new(cmapi.CertificateRequest)
+ if err := r.Client.Get(ctx, req.NamespacedName, cr); err != nil {
+ if apierrors.IsNotFound(err) {
+ return ctrl.Result{}, nil
+ }
+
+ log.Error(err, "failed to retrieve CertificateRequest resource")
+ return ctrl.Result{}, err
+ }
+
+ // Check the CertificateRequest's issuerRef and if it does not match the api
+ // group name, log a message at a debug level and stop processing.
+ if cr.Spec.IssuerRef.Group != "" && cr.Spec.IssuerRef.Group != api.GroupVersion.Group {
+ log.V(4).Info("resource does not specify an issuerRef group name that we are responsible for", "group", cr.Spec.IssuerRef.Group)
+ return ctrl.Result{}, nil
+ }
+
+ // If the certificate data is already set then we skip this request as it
+ // has already been completed in the past.
+ if len(cr.Status.Certificate) > 0 {
+ log.V(4).Info("existing certificate data found in status, skipping already completed CertificateRequest")
+ return ctrl.Result{}, nil
+ }
+
+ // Fetch the CertServiceIssuer resource
+ iss := api.CertServiceIssuer{}
+ issNamespaceName := types.NamespacedName{
+ Namespace: req.Namespace,
+ Name: cr.Spec.IssuerRef.Name,
+ }
+ if err := r.Client.Get(ctx, issNamespaceName, &iss); err != nil {
+ log.Error(err, "failed to retrieve CertServiceIssuer resource", "namespace", req.Namespace, "name", cr.Spec.IssuerRef.Name)
+ _ = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CertServiceIssuer resource %s: %v", issNamespaceName, err)
+ return ctrl.Result{}, err
+ }
+
+ // Check if the CertServiceIssuer resource has been marked Ready
+ if !certServiceIssuerHasCondition(iss, api.CertServiceIssuerCondition{Type: api.ConditionReady, Status: api.ConditionTrue}) {
+ err := fmt.Errorf("resource %s is not ready", issNamespaceName)
+ log.Error(err, "failed to retrieve CertServiceIssuer resource", "namespace", req.Namespace, "name", cr.Spec.IssuerRef.Name)
+ _ = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "CertServiceIssuer resource %s is not Ready", issNamespaceName)
+ return ctrl.Result{}, err
+ }
+
+ // Load the provisioner that will sign the CertificateRequest
+ provisioner, ok := provisioners.Load(issNamespaceName)
+ if !ok {
+ err := fmt.Errorf("provisioner %s not found", issNamespaceName)
+ log.Error(err, "failed to provisioner for CertServiceIssuer resource")
+ _ = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CertServiceIssuer resource %s", issNamespaceName)
+ return ctrl.Result{}, err
+ }
+
+ // Sign CertificateRequest
+ signedPEM, trustedCAs, err := provisioner.Sign(ctx, cr)
+ if err != nil {
+ log.Error(err, "failed to sign certificate request")
+ return ctrl.Result{}, r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
+ }
+ cr.Status.Certificate = signedPEM
+ cr.Status.CA = trustedCAs
+
+ return ctrl.Result{}, r.setStatus(ctx, cr, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued")
+}
+
+// SetupWithManager initializes the CertificateRequest controller into the
+// controller runtime.
+func (r *CertificateRequestReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ return ctrl.NewControllerManagedBy(mgr).
+ For(&cmapi.CertificateRequest{}).
+ Complete(r)
+}
+
+// certServiceIssuerHasCondition will return true if the given CertServiceIssuer resource has
+// a condition matching the provided CertServiceIssuerCondition. Only the Type and
+// Status field will be used in the comparison, meaning that this function will
+// return 'true' even if the Reason, Message and LastTransitionTime fields do
+// not match.
+func certServiceIssuerHasCondition(iss api.CertServiceIssuer, c api.CertServiceIssuerCondition) bool {
+ existingConditions := iss.Status.Conditions
+ for _, cond := range existingConditions {
+ if c.Type == cond.Type && c.Status == cond.Status {
+ return true
+ }
+ }
+ return false
+}
+
+func (r *CertificateRequestReconciler) setStatus(ctx context.Context, cr *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error {
+ completeMessage := fmt.Sprintf(message, args...)
+ apiutil.SetCertificateRequestCondition(cr, cmapi.CertificateRequestConditionReady, status, reason, completeMessage)
+
+ // Fire an Event to additionally inform users of the change
+ eventType := core.EventTypeNormal
+ if status == cmmeta.ConditionFalse {
+ eventType = core.EventTypeWarning
+ }
+ r.Recorder.Event(cr, eventType, reason, completeMessage)
+
+ return r.Client.Status().Update(ctx, cr)
+}
diff --git a/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_reconciler.go b/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_reconciler.go
new file mode 100644
index 00000000..d5be11e8
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_reconciler.go
@@ -0,0 +1,125 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (c) 2019 Smallstep Labs, Inc.
+ * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * This source code was copied from the following git repository:
+ * https://github.com/smallstep/step-issuer
+ * The source code was modified for usage in the ONAP project.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+
+package certservice_controller
+
+import (
+ "context"
+ "fmt"
+ "github.com/go-logr/logr"
+ core "k8s.io/api/core/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/client-go/tools/record"
+ "k8s.io/utils/clock"
+ "onap.org/oom-certservice/k8s-external-provider/src/api"
+ provisioners "onap.org/oom-certservice/k8s-external-provider/src/certservice-provisioner"
+ ctrl "sigs.k8s.io/controller-runtime"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// CertServiceIssuerReconciler reconciles a CertServiceIssuer object
+type CertServiceIssuerReconciler struct {
+ client.Client
+ Log logr.Logger
+ Clock clock.Clock
+ Recorder record.EventRecorder
+}
+
+// Reconcile will read and validate the CertServiceIssuer resources, it will set the
+// status condition ready to true if everything is right.
+func (r *CertServiceIssuerReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+ ctx := context.Background()
+ log := r.Log.WithValues("certservice-issuer-controller", req.NamespacedName)
+
+ iss := new(api.CertServiceIssuer)
+ if err := r.Client.Get(ctx, req.NamespacedName, iss); err != nil {
+ log.Error(err, "failed to retrieve CertServiceIssuer resource")
+ return ctrl.Result{}, client.IgnoreNotFound(err)
+ }
+
+ statusReconciler := newStatusReconciler(r, iss, log)
+ if err := validateCertServiceIssuerSpec(iss.Spec); err != nil {
+ log.Error(err, "failed to validate CertServiceIssuer resource")
+ statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "Validation", "Failed to validate resource: %v", err)
+ return ctrl.Result{}, err
+ }
+
+ // Fetch the provisioner password
+ var secret core.Secret
+ secretNamespaceName := types.NamespacedName{
+ Namespace: req.Namespace,
+ Name: iss.Spec.KeyRef.Name,
+ }
+ if err := r.Client.Get(ctx, secretNamespaceName, &secret); err != nil {
+ log.Error(err, "failed to retrieve CertServiceIssuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name)
+ if apierrors.IsNotFound(err) {
+ statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "NotFound", "Failed to retrieve provisioner secret: %v", err)
+ } else {
+ statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "Error", "Failed to retrieve provisioner secret: %v", err)
+ }
+ return ctrl.Result{}, err
+ }
+ password, ok := secret.Data[iss.Spec.KeyRef.Key]
+ if !ok {
+ err := fmt.Errorf("secret %s does not contain key %s", secret.Name, iss.Spec.KeyRef.Key)
+ log.Error(err, "failed to retrieve CertServiceIssuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name)
+ statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "NotFound", "Failed to retrieve provisioner secret: %v", err)
+ return ctrl.Result{}, err
+ }
+
+ // Initialize and store the provisioner
+ p, err := provisioners.New(iss, password)
+ if err != nil {
+ log.Error(err, "failed to initialize provisioner")
+ statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "Error", "failed initialize provisioner")
+ return ctrl.Result{}, err
+ }
+ provisioners.Store(req.NamespacedName, p)
+
+ return ctrl.Result{}, statusReconciler.Update(ctx, api.ConditionTrue, "Verified", "CertServiceIssuer verified and ready to sign certificates")
+}
+
+// SetupWithManager initializes the CertServiceIssuer controller into the controller
+// runtime.
+func (r *CertServiceIssuerReconciler) SetupWithManager(mgr ctrl.Manager) error {
+ return ctrl.NewControllerManagedBy(mgr).
+ For(&api.CertServiceIssuer{}).
+ Complete(r)
+}
+
+func validateCertServiceIssuerSpec(s api.CertServiceIssuerSpec) error {
+ switch {
+ case s.URL == "":
+ return fmt.Errorf("spec.url cannot be empty")
+ case s.KeyRef.Name == "":
+ return fmt.Errorf("spec.keyRef.name cannot be empty")
+ case s.KeyRef.Key == "":
+ return fmt.Errorf("spec.keyRef.key cannot be empty")
+ default:
+ return nil
+ }
+}
diff --git a/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_status_reconciler.go b/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_status_reconciler.go
new file mode 100644
index 00000000..c01ae85c
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_status_reconciler.go
@@ -0,0 +1,115 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (c) 2019 Smallstep Labs, Inc.
+ * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * This source code was copied from the following git repository:
+ * https://github.com/smallstep/step-issuer
+ * The source code was modified for usage in the ONAP project.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+
+package certservice_controller
+
+import (
+ "context"
+ "fmt"
+ "github.com/go-logr/logr"
+ core "k8s.io/api/core/v1"
+ meta "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "onap.org/oom-certservice/k8s-external-provider/src/api"
+)
+
+type certServiceIssuerStatusReconciler struct {
+ *CertServiceIssuerReconciler
+ issuer *api.CertServiceIssuer
+ logger logr.Logger
+}
+
+func newStatusReconciler(r *CertServiceIssuerReconciler, iss *api.CertServiceIssuer, log logr.Logger) *certServiceIssuerStatusReconciler {
+ return &certServiceIssuerStatusReconciler{
+ CertServiceIssuerReconciler: r,
+ issuer: iss,
+ logger: log,
+ }
+}
+
+func (r *certServiceIssuerStatusReconciler) Update(ctx context.Context, status api.ConditionStatus, reason, message string, args ...interface{}) error {
+ completeMessage := fmt.Sprintf(message, args...)
+ r.setCondition(status, reason, completeMessage)
+
+ // Fire an Event to additionally inform users of the change
+ eventType := core.EventTypeNormal
+ if status == api.ConditionFalse {
+ eventType = core.EventTypeWarning
+ }
+ r.Recorder.Event(r.issuer, eventType, reason, completeMessage)
+
+ return r.Client.Status().Update(ctx, r.issuer)
+}
+
+func (r *certServiceIssuerStatusReconciler) UpdateNoError(ctx context.Context, status api.ConditionStatus, reason, message string, args ...interface{}) {
+ if err := r.Update(ctx, status, reason, message, args...); err != nil {
+ r.logger.Error(err, "failed to update", "status", status, "reason", reason)
+ }
+}
+
+// setCondition will set a 'condition' on the given api.CertServiceIssuer resource.
+//
+// - If no condition of the same type already exists, the condition will be
+// inserted with the LastTransitionTime set to the current time.
+// - If a condition of the same type and state already exists, the condition
+// will be updated but the LastTransitionTime will not be modified.
+// - If a condition of the same type and different state already exists, the
+// condition will be updated and the LastTransitionTime set to the current
+// time.
+func (r *certServiceIssuerStatusReconciler) setCondition(status api.ConditionStatus, reason, message string) {
+ now := meta.NewTime(r.Clock.Now())
+ c := api.CertServiceIssuerCondition{
+ Type: api.ConditionReady,
+ Status: status,
+ Reason: reason,
+ Message: message,
+ LastTransitionTime: &now,
+ }
+
+ // Search through existing conditions
+ for idx, cond := range r.issuer.Status.Conditions {
+ // Skip unrelated conditions
+ if cond.Type != api.ConditionReady {
+ continue
+ }
+
+ // If this update doesn't contain a state transition, we don't update
+ // the conditions LastTransitionTime to Now()
+ if cond.Status == status {
+ c.LastTransitionTime = cond.LastTransitionTime
+ } else {
+ r.logger.Info("found status change for CertServiceIssuer condition; setting lastTransitionTime", "condition", cond.Type, "old_status", cond.Status, "new_status", status, "time", now.Time)
+ }
+
+ // Overwrite the existing condition
+ r.issuer.Status.Conditions[idx] = c
+ return
+ }
+
+ // If we've not found an existing condition of this type, we simply insert
+ // the new condition into the slice.
+ r.issuer.Status.Conditions = append(r.issuer.Status.Conditions, c)
+ r.logger.Info("setting lastTransitionTime for CertServiceIssuer condition", "condition", api.ConditionReady, "time", now.Time)
+}