aboutsummaryrefslogtreecommitdiffstats
path: root/certServiceK8sExternalProvider/src/cmpv2controller
diff options
context:
space:
mode:
authorRemigiusz Janeczek <remigiusz.janeczek@nokia.com>2020-10-22 09:18:12 +0200
committerRemigiusz Janeczek <remigiusz.janeczek@nokia.com>2020-10-22 16:00:36 +0000
commitee23e5f54f96807b1f1fff0b45238a247d3dd8e0 (patch)
treeec390b860e0c10810bd778a1b68dbfc8ab12c64a /certServiceK8sExternalProvider/src/cmpv2controller
parentaa23960c5d444dea307e0934b446f12ab0256689 (diff)
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add client for CertService API
Issue-ID: OOM-2559 Signed-off-by: Remigiusz Janeczek <remigiusz.janeczek@nokia.com> Change-Id: I3bf6c36b9eec7a661202b18eb7765e332ccfbc07
Diffstat (limited to 'certServiceK8sExternalProvider/src/cmpv2controller')
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go29
1 files changed, 26 insertions, 3 deletions
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
index 54b4b103..d526bbc8 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
@@ -44,6 +44,11 @@ import (
provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
)
+const (
+ privateKeySecretNameAnnotation = "cert-manager.io/private-key-secret-name"
+ privateKeySecretKey = "tls.key"
+)
+
// CertificateRequestController reconciles a CMPv2Issuer object.
type CertificateRequestController struct {
client.Client
@@ -104,14 +109,27 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
return ctrl.Result{}, err
}
- // 7. Sign CertificateRequest
- signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest)
+ // 7. Get private key matching CertificateRequest
+ privateKeySecretName := certificateRequest.ObjectMeta.Annotations[privateKeySecretNameAnnotation]
+ privateKeySecretNamespaceName := types.NamespacedName{
+ Namespace: k8sRequest.Namespace,
+ Name: privateKeySecretName,
+ }
+ var privateKeySecret core.Secret
+ if err := controller.Client.Get(ctx, privateKeySecretNamespaceName, &privateKeySecret); err != nil {
+ controller.handleErrorGettingPrivateKey(ctx, log, err, certificateRequest, privateKeySecretNamespaceName)
+ return ctrl.Result{}, err
+ }
+ privateKeyBytes := privateKeySecret.Data[privateKeySecretKey]
+
+ // 8. Sign CertificateRequest
+ signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest, privateKeyBytes)
if err != nil {
controller.handleErrorFailedToSignCertificate(ctx, log, err, certificateRequest)
return ctrl.Result{}, err
}
- // 8. Store signed certificates in CertificateRequest
+ // 9. Store signed certificates in CertificateRequest
certificateRequest.Status.Certificate = signedPEM
certificateRequest.Status.CA = trustedCAs
if err := controller.updateCertificateRequestWithSignedCerficates(ctx, certificateRequest); err != nil {
@@ -188,6 +206,11 @@ func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(ct
_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err)
}
+func (controller *CertificateRequestController) handleErrorGettingPrivateKey(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest, pkSecretNamespacedName types.NamespacedName) {
+ log.Error(err, "Failed to retrieve private key secret for certificate request", "namespace", pkSecretNamespacedName.Namespace, "name", pkSecretNamespacedName.Name)
+ _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve private key secret: %v", err)
+}
+
func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest) {
log.Error(err, "Failed to sign certificate request")
_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)