author | Remigiusz Janeczek <remigiusz.janeczek@nokia.com> | 2020-10-22 09:18:12 +0200 |
committer | Remigiusz Janeczek <remigiusz.janeczek@nokia.com> | 2020-10-22 16:00:36 +0000 |
commit | ee23e5f54f96807b1f1fff0b45238a247d3dd8e0 (patch) | |
tree | ec390b860e0c10810bd778a1b68dbfc8ab12c64a /certServiceK8sExternalProvider/src/cmpv2controller | |
parent | aa23960c5d444dea307e0934b446f12ab0256689 (diff) |
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add client for CertService API
Issue-ID: OOM-2559
Signed-off-by: Remigiusz Janeczek <remigiusz.janeczek@nokia.com>
Change-Id: I3bf6c36b9eec7a661202b18eb7765e332ccfbc07
Diffstat (limited to 'certServiceK8sExternalProvider/src/cmpv2controller')
-rw-r--r-- | certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
index 54b4b103..d526bbc8 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
@@ -44,6 +44,11 @@ import (
 provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
 )
 
+const (
+ privateKeySecretNameAnnotation = "cert-manager.io/private-key-secret-name"
+ privateKeySecretKey = "tls.key"
+)
+
 // CertificateRequestController reconciles a CMPv2Issuer object.
 type CertificateRequestController struct {
 client.Client 
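Review bot: Both new constants restate values that the imported API packages already define, so a drift between the local copy and the upstream definition would go unnoticed; `privateKeySecretKey` can be `core.TLSPrivateKeyKey`, and the annotation key most likely has an exported counterpart in the cert-manager API package the file imports as `cmapi` (confirm against the vendored version before replacing). Keeping the local names as aliases of those exported constants documents the contract without changing behaviour: `privateKeySecretKey = core.TLSPrivateKeyKey`.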
@@ -104,14 +109,27 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
 return ctrl.Result{}, err
 }
 
- // 7. Sign CertificateRequest
- signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest)
+ // 7. Get private key matching CertificateRequest
+ privateKeySecretName := certificateRequest.ObjectMeta.Annotations[privateKeySecretNameAnnotation]
+ privateKeySecretNamespaceName := types.NamespacedName{
+ Namespace: k8sRequest.Namespace,
+ Name: privateKeySecretName,
+ }
+ var privateKeySecret core.Secret
+ if err := controller.Client.Get(ctx, privateKeySecretNamespaceName, &privateKeySecret); err != nil {
+ controller.handleErrorGettingPrivateKey(ctx, log, err, certificateRequest, privateKeySecretNamespaceName)
+ return ctrl.Result{}, err
+ }
+ privateKeyBytes := privateKeySecret.Data[privateKeySecretKey]
+
+ // 8. Sign CertificateRequest
+ signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest, privateKeyBytes)
 if err != nil {
 controller.handleErrorFailedToSignCertificate(ctx, log, err, certificateRequest)
 return ctrl.Result{}, err
 }
 
- // 8. Store signed certificates in CertificateRequest
+ // 9. Store signed certificates in CertificateRequest
 certificateRequest.Status.Certificate = signedPEM
 certificateRequest.Status.CA = trustedCAs
 if err := controller.updateCertificateRequestWithSignedCerficates(ctx, certificateRequest); err != nil {
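Review bot: `privateKeyBytes := privateKeySecret.Data[privateKeySecretKey]` silently yields nil when the secret exists but carries no `tls.key` entry, so the failure only surfaces later as a generic sign error with reason Failed instead of a Pending status that points at the secret. A presence check right after the lookup makes the cause visible: `privateKeyBytes, ok := privateKeySecret.Data[privateKeySecretKey]` followed by `if !ok || len(privateKeyBytes) == 0 { /* report via handleErrorGettingPrivateKey with a "missing tls.key" error and return */ }`. The same applies to an empty name when the annotation is absent: the Get call will reject it, but an explicit check gives the user a clearer message. Since the annotation value is set by whoever creates the CertificateRequest, it is also worth confirming (probably inside the provisioner) that the fetched key actually matches the CSR's public key before it is used. Reconcile starts and ends outside this hunk.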
@@ -188,6 +206,11 @@ func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(ct
 _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err)
 }
 
+func (controller *CertificateRequestController) handleErrorGettingPrivateKey(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest, pkSecretNamespacedName types.NamespacedName) {
+ log.Error(err, "Failed to retrieve private key secret for certificate request", "namespace", pkSecretNamespacedName.Namespace, "name", pkSecretNamespacedName.Name)
+ _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve private key secret: %v", err)
+}
+
 func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest) {
 log.Error(err, "Failed to sign certificate request")
 _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err) |
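Review bot: The status message written by handleErrorGettingPrivateKey omits the secret's namespaced name, unlike the sibling handleErrorGettingCMPv2Issuer directly above it, so a user reading the CertificateRequest conditions cannot tell which secret the controller tried to fetch. Mirror the sibling's format: `"Failed to retrieve private key secret %s: %v", pkSecretNamespacedName, err`. The log call already carries namespace and name, so only the setStatus line changes; the secret's contents are never logged, which is correct and should stay that way.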