authorJan Malkiewicz <jan.malkiewicz@nokia.com>2020-10-23 09:46:13 +0200
committerJan Malkiewicz <jan.malkiewicz@nokia.com>2020-10-26 08:57:00 +0100
commita7bb3d59e71f7f7980f8b7db400df94cabd92c0a (patch)
tree75891dbe1512a6d035e054f4b88104f26778beea /certServiceK8sExternalProvider/src/cmpv2provisioner
parentee23e5f54f96807b1f1fff0b45238a247d3dd8e0 (diff)
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add health check of CMPv2 provisioner (cert-service-api)
Issue-ID: OOM-2559 Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com> Change-Id: I81d4dcfcb10f71182ea667770bafb9556817b793
Diffstat (limited to 'certServiceK8sExternalProvider/src/cmpv2provisioner')
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go47
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go3
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go6
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go5
4 files changed, 29 insertions, 32 deletions
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index 67d719cc..c0304d7d 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -29,7 +29,6 @@ import (
"bytes"
"context"
"crypto/x509"
- "encoding/base64"
"encoding/pem"
"fmt"
"sync"
@@ -47,6 +46,8 @@ var collection = new(sync.Map)
type CertServiceCA struct {
name string
url string
+ healthEndpoint string
+ certEndpoint string
caName string
certServiceClient certserviceclient.CertServiceClient
}
@@ -57,14 +58,22 @@ func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.
ca.name = cmpv2Issuer.Name
ca.url = cmpv2Issuer.Spec.URL
ca.caName = cmpv2Issuer.Spec.CaName
+ ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
+ ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
ca.certServiceClient = certServiceClient
log := ctrl.Log.WithName("cmpv2-provisioner")
- log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName)
+ log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
return &ca, nil
}
+func (ca *CertServiceCA) CheckHealth() error {
+ log := ctrl.Log.WithName("cmpv2-provisioner")
+ log.Info("Checking health of CMPv2 issuer: ", "name", ca.name)
+ return ca.certServiceClient.CheckHealth()
+}
+
func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) {
provisioner, ok := collection.Load(namespacedName)
if !ok {
@@ -99,30 +108,27 @@ func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanag
log.Info("Certificate Chain", "cert-chain", response.CertificateChain)
log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates)
- cert := x509.Certificate{}
- cert.Raw = csr.Raw
// TODO
- // write here code which will call CertServiceCA and sign CSR
- // END
-
+ // stored response as PEM
+ cert := x509.Certificate{}
+ cert.Raw = csr.Raw
encodedPEM, err := encodeX509(&cert)
if err != nil {
return nil, nil, err
}
+ // END
signedPEM := encodedPEM
trustedCA := encodedPEM
- log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
log.Info("Signed cert PEM: ", "bytes", signedPEM)
log.Info("Trusted CA PEM: ", "bytes", trustedCA)
+ log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
return signedPEM, trustedCA, nil
}
-// TODO JM utility methods - will be used in "real" implementation
-
// decodeCSR decodes a certificate request in PEM format and returns the
func decodeCSR(data []byte) (*x509.CertificateRequest, error) {
block, rest := pem.Decode(data)
@@ -151,24 +157,3 @@ func encodeX509(cert *x509.Certificate) ([]byte, error) {
}
return caPem.Bytes(), nil
}
-
-// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The
-// CSRs generated by the Certificate resource have always those SANs. If no SANs
-// are available `certservice-issuer-certificate` will be used as a subject is always
-// required.
-func generateSubject(sans []string) string {
- if len(sans) == 0 {
- return "certservice-issuer-certificate"
- }
- for _, s := range sans {
- if s != "127.0.0.1" && s != "localhost" {
- return s
- }
- }
- return sans[0]
-}
-
-func decode(cert string) []byte {
- bytes, _ := base64.RawStdEncoding.DecodeString(cert)
- return bytes
-}
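Review bot: The new exported method `CheckHealth` (the `@@ -57,14 +58,22` hunk) has no doc comment and returns the client's error without saying which issuer failed, even though `ca.name` is logged one line earlier; with `fmt` already imported I would write `// CheckHealth reports whether the cert-service backend behind this CMPv2 issuer is reachable, delegating to the configured client.` and `if err := ca.certServiceClient.CheckHealth(); err != nil { return fmt.Errorf("health check of CMPv2 issuer %q: %w", ca.name, err) }` so a controller condition or log line can name the issuer. In the `Sign` hunk the re-worded comment `// stored response as PEM` is misleading: the code below it still wraps `csr.Raw` in an `x509.Certificate` and returns that same PEM as both `signedPEM` and `trustedCA`, while `response.CertificateChain` and `response.TrustedCertificates` are only logged, never used; the comment should say what the placeholder actually does, e.g. `// TODO: placeholder — re-encodes the CSR as a certificate; response.CertificateChain/TrustedCertificates are not yet returned`. `Sign` starts before this hunk, so the handling of `response` above it cannot be checked here.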
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
index 125c1bc6..27f5c108 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
@@ -44,7 +44,8 @@ func CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertSer
return nil, err
}
- certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
+ certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.HealthEndpoint, issuer.Spec.CertEndpoint,
+ issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
if err != nil {
return nil, err
}
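Review bot: `issuer.Spec.HealthEndpoint` and `issuer.Spec.CertEndpoint` are passed straight into `CreateCertServiceClient` with no check that they are set; unless the CRD marks them required or the client validates them (neither is visible in this hunk), an empty value would be accepted and the health check would silently target the bare base URL. Before the call I would add `if issuer.Spec.HealthEndpoint == "" || issuer.Spec.CertEndpoint == "" { return nil, fmt.Errorf("issuer %q: healthEndpoint and certEndpoint must be set", issuer.Name) }` (or `errors.New` if `fmt` is not imported in this file). `CreateProvisioner` begins above the hunk, so any earlier validation of the spec is out of view.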
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
index 1e215d3f..3c0dbfd7 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
@@ -35,6 +35,8 @@ import (
const (
secretName = "issuer-cert-secret"
url = "https://oom-cert-service:8443/v1/certificate/"
+ healthEndpoint = "actuator/health"
+ certEndpoint = "v1/certificate"
caName = "RA"
keySecretKey = "cmpv2Issuer-key.pem"
certSecretKey = "cmpv2Issuer-cert.pem"
@@ -49,6 +51,8 @@ func Test_shouldCreateProvisioner(t *testing.T) {
assert.NotNil(t, provisioner)
assert.Equal(t, url, provisioner.url)
assert.Equal(t, caName, provisioner.caName)
+ assert.Equal(t, healthEndpoint, provisioner.healthEndpoint)
+ assert.Equal(t, certEndpoint, provisioner.certEndpoint)
}
func Test_shouldReturnError_whenSecretMissingKeyRef(t *testing.T) {
@@ -103,6 +107,8 @@ func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) {
issuer := cmpv2api.CMPv2Issuer{
Spec: cmpv2api.CMPv2IssuerSpec{
URL: url,
+ HealthEndpoint: healthEndpoint,
+ CertEndpoint: certEndpoint,
CaName: caName,
CertSecretRef: cmpv2api.SecretKeySelector{
Name: secretName,
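Review bot: The fixture now combines `url = "https://oom-cert-service:8443/v1/certificate/"` with `certEndpoint = "v1/certificate"`, which, if the client joins base URL and endpoint (not visible here), describes a doubled `/v1/certificate/v1/certificate` path; the base URL in the fixture should presumably be the service root, e.g. `url = "https://oom-cert-service:8443/"`, so that the test reflects a valid configuration. The assertions added in `Test_shouldCreateProvisioner` only compare the stored strings, so they would not catch this.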
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
index 39e399b8..31f2bc26 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
@@ -167,3 +167,8 @@ type certServiceClientMock struct {
func (client *certServiceClientMock) GetCertificates(csr []byte, key []byte) (*certserviceclient.CertificatesResponse, error) {
return client.getCertificatesFunc(csr, key)
}
+
+func (client *certServiceClientMock) CheckHealth() error {
+ return nil
+}
+
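Review bot: The mock's `CheckHealth` always returns `nil`, so no test can exercise the error path of `CertServiceCA.CheckHealth`; the existing `GetCertificates` on the same mock delegates to a `getCertificatesFunc` field, and the new method should follow that pattern with a `checkHealthFunc func() error` field and `return client.checkHealthFunc()`. The `certServiceClientMock` struct declaration sits above this hunk, so the field would be added there.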