diff options
author | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-10-23 09:46:13 +0200 |
---|---|---|
committer | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-10-26 08:57:00 +0100 |
commit | a7bb3d59e71f7f7980f8b7db400df94cabd92c0a (patch) | |
tree | 75891dbe1512a6d035e054f4b88104f26778beea /certServiceK8sExternalProvider/src/cmpv2provisioner | |
parent | ee23e5f54f96807b1f1fff0b45238a247d3dd8e0 (diff) |
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add health check of CMPv2 provisioner (cert-service-api)
Issue-ID: OOM-2559
Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Change-Id: I81d4dcfcb10f71182ea667770bafb9556817b793
Diffstat (limited to 'certServiceK8sExternalProvider/src/cmpv2provisioner')
4 files changed, 29 insertions, 32 deletions
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go index 67d719cc..c0304d7d 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go @@ -29,7 +29,6 @@ import ( "bytes" "context" "crypto/x509" - "encoding/base64" "encoding/pem" "fmt" "sync" @@ -47,6 +46,8 @@ var collection = new(sync.Map) type CertServiceCA struct { name string url string + healthEndpoint string + certEndpoint string caName string certServiceClient certserviceclient.CertServiceClient } @@ -57,14 +58,22 @@ func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient. ca.name = cmpv2Issuer.Name ca.url = cmpv2Issuer.Spec.URL ca.caName = cmpv2Issuer.Spec.CaName + ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint + ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint ca.certServiceClient = certServiceClient log := ctrl.Log.WithName("cmpv2-provisioner") - log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName) + log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint) return &ca, nil } +func (ca *CertServiceCA) CheckHealth() error { + log := ctrl.Log.WithName("cmpv2-provisioner") + log.Info("Checking health of CMPv2 issuer: ", "name", ca.name) + return ca.certServiceClient.CheckHealth() +} + func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) { provisioner, ok := collection.Load(namespacedName) if !ok { @@ -99,30 +108,27 @@ func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanag log.Info("Certificate Chain", "cert-chain", response.CertificateChain) log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates) - cert := x509.Certificate{} - cert.Raw = csr.Raw // TODO - // write here code which will call CertServiceCA and sign CSR - // END - + // stored response as PEM + cert := x509.Certificate{} + cert.Raw = csr.Raw encodedPEM, err := encodeX509(&cert) if err != nil { return nil, nil, err } + // END signedPEM := encodedPEM trustedCA := encodedPEM - log.Info("Successfully signed: ", "cert-name", certificateRequest.Name) log.Info("Signed cert PEM: ", "bytes", signedPEM) log.Info("Trusted CA PEM: ", "bytes", trustedCA) + log.Info("Successfully signed: ", "cert-name", certificateRequest.Name) return signedPEM, trustedCA, nil } -// TODO JM utility methods - will be used in "real" implementation - // decodeCSR decodes a certificate request in PEM format and returns the func decodeCSR(data []byte) (*x509.CertificateRequest, error) { block, rest := pem.Decode(data) @@ -151,24 +157,3 @@ func encodeX509(cert *x509.Certificate) ([]byte, error) { } return caPem.Bytes(), nil } - -// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The -// CSRs generated by the Certificate resource have always those SANs. If no SANs -// are available `certservice-issuer-certificate` will be used as a subject is always -// required. -func generateSubject(sans []string) string { - if len(sans) == 0 { - return "certservice-issuer-certificate" - } - for _, s := range sans { - if s != "127.0.0.1" && s != "localhost" { - return s - } - } - return sans[0] -} - -func decode(cert string) []byte { - bytes, _ := base64.RawStdEncoding.DecodeString(cert) - return bytes -} diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go index 125c1bc6..27f5c108 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go @@ -44,7 +44,8 @@ func CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertSer return nil, err } - certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.CaName, keyBase64, certBase64, cacertBase64) + certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.HealthEndpoint, issuer.Spec.CertEndpoint, + issuer.Spec.CaName, keyBase64, certBase64, cacertBase64) if err != nil { return nil, err } diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go index 1e215d3f..3c0dbfd7 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go @@ -35,6 +35,8 @@ import ( const ( secretName = "issuer-cert-secret" url = "https://oom-cert-service:8443/v1/certificate/" + healthEndpoint = "actuator/health" + certEndpoint = "v1/certificate" caName = "RA" keySecretKey = "cmpv2Issuer-key.pem" certSecretKey = "cmpv2Issuer-cert.pem" @@ -49,6 +51,8 @@ func Test_shouldCreateProvisioner(t *testing.T) { assert.NotNil(t, provisioner) assert.Equal(t, url, provisioner.url) assert.Equal(t, caName, provisioner.caName) + assert.Equal(t, healthEndpoint, provisioner.healthEndpoint) + assert.Equal(t, certEndpoint, provisioner.certEndpoint) } func Test_shouldReturnError_whenSecretMissingKeyRef(t *testing.T) { @@ -103,6 +107,8 @@ func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) { issuer := cmpv2api.CMPv2Issuer{ Spec: cmpv2api.CMPv2IssuerSpec{ URL: url, + HealthEndpoint: healthEndpoint, + CertEndpoint: certEndpoint, CaName: caName, CertSecretRef: cmpv2api.SecretKeySelector{ Name: secretName, diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go index 39e399b8..31f2bc26 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go @@ -167,3 +167,8 @@ type certServiceClientMock struct { func (client *certServiceClientMock) GetCertificates(csr []byte, key []byte) (*certserviceclient.CertificatesResponse, error) { return client.getCertificatesFunc(csr, key) } + +func (client *certServiceClientMock) CheckHealth() error { + return nil +} + |