diff options
author | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-10-15 09:04:18 +0200 |
---|---|---|
committer | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-10-15 16:01:53 +0200 |
commit | f5fb53b031c2f1c4bc4872de59b9774a559d786f (patch) | |
tree | 2345c86aeaedfef576b513c3b325ce303c1261c7 /certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go | |
parent | 720466562b0ea1e67ff36f44e0d95645837316d4 (diff) |
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Mock implementaion enhanced (part II)
Rename CertServiceIssuer -> CMPv2Issuer
Checking for Issuer.Kind (has to be CMPv2Issuer)
Introduced exit codes
Refactoring file names and packages
Moved tests to main package (according to GOlang convention)
Issue-ID: OOM-2559
Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Change-Id: I710d9f6c9bd22318e5152e5215b78d5a9e7b4540
Diffstat (limited to 'certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go')
-rw-r--r-- | certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go | 169 |
1 files changed, 169 insertions, 0 deletions
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go new file mode 100644 index 00000000..1669c97f --- /dev/null +++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go @@ -0,0 +1,169 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright 2019 The cert-manager authors. + * Modifications copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * This source code was copied from the following git repository: + * https://github.com/smallstep/step-issuer + * The source code was modified for usage in the ONAP project. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package cmpv2controller + +import ( + "context" + "fmt" + "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" + provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner" + + "github.com/go-logr/logr" + apiutil "github.com/jetstack/cert-manager/pkg/api/util" + cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" + cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" + core "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + "k8s.io/client-go/tools/record" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// CertificateRequestController reconciles a CMPv2Issuer object. +type CertificateRequestController struct { + client.Client + Log logr.Logger + Recorder record.EventRecorder +} + +// Reconcile will read and validate a CMPv2Issuer resource associated to the +// CertificateRequest resource, and it will sign the CertificateRequest with the +// provisioner in the CMPv2Issuer. +func (controller *CertificateRequestController) Reconcile(req ctrl.Request) (ctrl.Result, error) { + ctx := context.Background() + log := controller.Log.WithValues("certificate-request-controller", req.NamespacedName) + + // Fetch the CertificateRequest resource being reconciled. + // Just ignore the request if the certificate request has been deleted. + certificateRequest := new(cmapi.CertificateRequest) + if err := controller.Client.Get(ctx, req.NamespacedName, certificateRequest); err != nil { + if apierrors.IsNotFound(err) { + return ctrl.Result{}, nil + } + + log.Error(err, "failed to retrieve CertificateRequest resource") + return ctrl.Result{}, err + } + + if !isCMPv2CertificateRequest(certificateRequest) { + log.V(4).Info("certificate request is not CMPv2", + "group", certificateRequest.Spec.IssuerRef.Group, + "kind", certificateRequest.Spec.IssuerRef.Kind) + return ctrl.Result{}, nil + } + + // If the certificate data is already set then we skip this request as it + // has already been completed in the past. + if len(certificateRequest.Status.Certificate) > 0 { + log.V(4).Info("existing certificate data found in status, skipping already completed CertificateRequest") + return ctrl.Result{}, nil + } + + // Fetch the CMPv2Issuer resource + issuer := cmpv2api.CMPv2Issuer{} + issuerNamespaceName := types.NamespacedName{ + Namespace: req.Namespace, + Name: certificateRequest.Spec.IssuerRef.Name, + } + if err := controller.Client.Get(ctx, issuerNamespaceName, &issuer); err != nil { + log.Error(err, "failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name) + _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err) + return ctrl.Result{}, err + } + + // Check if the CMPv2Issuer resource has been marked Ready + if !cmpv2IssuerHasCondition(issuer, cmpv2api.CMPv2IssuerCondition{Type: cmpv2api.ConditionReady, Status: cmpv2api.ConditionTrue}) { + err := fmt.Errorf("resource %s is not ready", issuerNamespaceName) + log.Error(err, "failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name) + _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "CMPv2Issuer resource %s is not Ready", issuerNamespaceName) + return ctrl.Result{}, err + } + + // Load the provisioner that will sign the CertificateRequest + provisioner, ok := provisioners.Load(issuerNamespaceName) + if !ok { + err := fmt.Errorf("provisioner %s not found", issuerNamespaceName) + log.Error(err, "failed to provisioner for CMPv2Issuer resource") + _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CMPv2Issuer resource %s", issuerNamespaceName) + return ctrl.Result{}, err + } + + // Sign CertificateRequest + signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest) + if err != nil { + log.Error(err, "failed to sign certificate request") + return ctrl.Result{}, controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err) + } + certificateRequest.Status.Certificate = signedPEM + certificateRequest.Status.CA = trustedCAs + + return ctrl.Result{}, controller.setStatus(ctx, certificateRequest, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued") +} + +// SetupWithManager initializes the CertificateRequest controller into the +// controller runtime. +func (controller *CertificateRequestController) SetupWithManager(manager ctrl.Manager) error { + return ctrl.NewControllerManagedBy(manager). + For(&cmapi.CertificateRequest{}). + Complete(controller) +} + +// cmpv2IssuerHasCondition will return true if the given CMPv2Issuer resource has +// a condition matching the provided CMPv2IssuerCondition. Only the Type and +// Status field will be used in the comparison, meaning that this function will +// return 'true' even if the Reason, Message and LastTransitionTime fields do +// not match. +func cmpv2IssuerHasCondition(issuer cmpv2api.CMPv2Issuer, condition cmpv2api.CMPv2IssuerCondition) bool { + existingConditions := issuer.Status.Conditions + for _, cond := range existingConditions { + if condition.Type == cond.Type && condition.Status == cond.Status { + return true + } + } + return false +} + +func isCMPv2CertificateRequest(certificateRequest *cmapi.CertificateRequest) bool { + return certificateRequest.Spec.IssuerRef.Group != "" && + certificateRequest.Spec.IssuerRef.Group == cmpv2api.GroupVersion.Group && + certificateRequest.Spec.IssuerRef.Kind == cmpv2api.CMPv2IssuerKind + +} + +func (controller *CertificateRequestController) setStatus(ctx context.Context, certificateRequest *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error { + completeMessage := fmt.Sprintf(message, args...) + apiutil.SetCertificateRequestCondition(certificateRequest, cmapi.CertificateRequestConditionReady, status, reason, completeMessage) + + // Fire an Event to additionally inform users of the change + eventType := core.EventTypeNormal + if status == cmmeta.ConditionFalse { + eventType = core.EventTypeWarning + } + controller.Recorder.Event(certificateRequest, eventType, reason, completeMessage) + + return controller.Client.Status().Update(ctx, certificateRequest) +} |