summaryrefslogtreecommitdiffstats
path: root/certServiceK8sExternalProvider
diff options
context:
space:
mode:
authorJan Malkiewicz <jan.malkiewicz@nokia.com>2020-10-23 09:46:13 +0200
committerJan Malkiewicz <jan.malkiewicz@nokia.com>2020-10-26 08:57:00 +0100
commita7bb3d59e71f7f7980f8b7db400df94cabd92c0a (patch)
tree75891dbe1512a6d035e054f4b88104f26778beea /certServiceK8sExternalProvider
parentee23e5f54f96807b1f1fff0b45238a247d3dd8e0 (diff)
[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add health check of CMPv2 provisioner (cert-service-api)
Issue-ID: OOM-2559 Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com> Change-Id: I81d4dcfcb10f71182ea667770bafb9556817b793
Diffstat (limited to 'certServiceK8sExternalProvider')
-rw-r--r--certServiceK8sExternalProvider/deploy/configuration.yaml4
-rw-r--r--certServiceK8sExternalProvider/deploy/crd.yaml8
-rw-r--r--certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go22
-rw-r--r--certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go44
-rw-r--r--certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go54
-rw-r--r--certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go57
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go4
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go5
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go9
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go47
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go3
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go6
-rw-r--r--certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go5
13 files changed, 204 insertions, 64 deletions
diff --git a/certServiceK8sExternalProvider/deploy/configuration.yaml b/certServiceK8sExternalProvider/deploy/configuration.yaml
index 4a0f2dc6..5764a52a 100644
--- a/certServiceK8sExternalProvider/deploy/configuration.yaml
+++ b/certServiceK8sExternalProvider/deploy/configuration.yaml
@@ -28,7 +28,9 @@ metadata:
name: cmpv2-issuer
namespace: onap
spec:
- url: https://oom-cert-service:8443/v1/certificate/
+ url: https://oom-cert-service:8443
+ healthEndpoint: actuator/health
+ certEndpoint: v1/certificate
caName: RA
certSecretRef:
name: cmpv2-issuer-secret
diff --git a/certServiceK8sExternalProvider/deploy/crd.yaml b/certServiceK8sExternalProvider/deploy/crd.yaml
index cc884388..b14d8063 100644
--- a/certServiceK8sExternalProvider/deploy/crd.yaml
+++ b/certServiceK8sExternalProvider/deploy/crd.yaml
@@ -60,6 +60,12 @@ spec:
url:
description: URL to CertService API.
type: string
+ healthEndpoint:
+ description: Path of health check endpoint.
+ type: string
+ certEndpoint:
+ description: Path of cerfificate signing enpoint.
+ type: string
caName:
description: Name of the external CA server configured on CertService API side.
type: string
@@ -91,6 +97,8 @@ spec:
type: object
required:
- url
+ - healthEndpoint
+ - certEndpoint
- caName
- certSecretRef
type: object
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
index 870a3eda..15b90624 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
@@ -23,6 +23,7 @@ package certserviceclient
import (
"encoding/base64"
"encoding/json"
+ "fmt"
"net/http"
)
@@ -33,9 +34,11 @@ const (
type CertServiceClient interface {
GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error)
+ CheckHealth() error
}
type CertServiceClientImpl struct {
+ healthUrl string
certificationUrl string
httpClient HTTPClient
}
@@ -49,6 +52,25 @@ type CertificatesResponse struct {
TrustedCertificates []string `json:"trustedCertificates"`
}
+func (client *CertServiceClientImpl) CheckHealth() error {
+ request, err := http.NewRequest("GET", client.healthUrl, nil)
+ if err != nil {
+ return err
+ }
+
+ response, err := client.httpClient.Do(request)
+ if err != nil {
+ return err
+ }
+
+ if response.StatusCode != 200 {
+ return fmt.Errorf("health check retured status code [%d]", response.StatusCode)
+ }
+
+ return nil
+}
+
+
func (client *CertServiceClientImpl) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) {
request, err := http.NewRequest("GET", client.certificationUrl, nil)
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
index 198f2294..2c04b908 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
@@ -29,7 +29,8 @@ import (
"path"
)
-func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) {
+func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint string, caName string,
+ keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) {
cert, err := tls.X509KeyPair(certPemBase64, keyPemBase64)
if err != nil {
return nil, err
@@ -48,27 +49,48 @@ func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte,
},
},
}
- certificationUrl, err := parseUrl(baseUrl, caName)
+ healthUrl, certificationUrl, err := validateAndParseUrls(baseUrl, healthEndpoint, certEndpoint, caName)
if err != nil {
return nil, err
}
client := CertServiceClientImpl{
- certificationUrl: certificationUrl.String(),
+ healthUrl: healthUrl,
+ certificationUrl: certificationUrl,
httpClient: httpClient,
}
return &client, nil
}
-func parseUrl(baseUrl string, caName string) (*url.URL, error) {
- parsedUrl, err := url.Parse(baseUrl)
- if err != nil {
- return nil, err
+func validateAndParseUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) (string, string, error) {
+ if err := validateUrls(baseUrl, healthEndpoint, certEndpoint, caName); err != nil {
+ return "", "", err
+ }
+
+ certUrl, _ := url.Parse(baseUrl)
+ healthUrl, _ := url.Parse(baseUrl)
+
+ certUrl.Path = path.Join(certEndpoint, caName)
+ healthUrl.Path = path.Join(healthEndpoint)
+
+ return healthUrl.String(), certUrl.String(), nil
+}
+
+func validateUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) error {
+ if _, err := url.Parse(baseUrl); err != nil {
+ return err
}
if caName == "" {
- return nil, fmt.Errorf("caName cannot be empty")
+ return fmt.Errorf("caName cannot be empty")
}
-
- parsedUrl.Path = path.Join(parsedUrl.Path, caName)
- return parsedUrl, nil
+ if _, err := url.Parse(caName); err != nil {
+ return err
+ }
+ if _, err := url.Parse(healthEndpoint); err != nil {
+ return err
+ }
+ if _, err := url.Parse(certEndpoint); err != nil {
+ return err
+ }
+ return nil
}
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
index 50a6d796..5d255a62 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
@@ -29,42 +29,70 @@ import (
)
const (
- validUrl = "https://oom-cert-service:8443/v1/certificate/"
- validUrl2 = "https://oom-cert-service:8443/v1/certificate"
- invalidUrl = "https://oom-cert service:8443/v1/certificate"
+ validUrl = "https://oom-cert-service:8443/"
+ validUrl2 = "https://oom-cert-service:8443"
+ invalidUrl = "https://oom-cert service:8443/"
+ healthEndpoint = "actuator/health"
+ healthEndpointInvalid = ":/actuator/health"
+ certEndpoint = "v1/certificate"
+ certEndpointInvalid = ":/v1/certificate"
caName = "RA"
+ caNameInvalid = ":/RA"
expectedCertificationUrl = "https://oom-cert-service:8443/v1/certificate/RA"
+ expectedHealthCheckUrl = "https://oom-cert-service:8443/actuator/health"
)
func Test_shouldCreateCertServiceClient(t *testing.T) {
- shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl)
- shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl2)
+ shouldCreateCertServiceClientWithExpectedUrl(t, validUrl)
+ shouldCreateCertServiceClientWithExpectedUrl(t, validUrl2)
}
-func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, expectedCertificationUrl string, baseUrl string) {
- client, err := CreateCertServiceClient(baseUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, baseUrl string) {
+ client, err := CreateCertServiceClient(baseUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
assert.NotNil(t, client)
assert.Nil(t, err)
assert.Equal(t, expectedCertificationUrl, client.certificationUrl)
+ assert.Equal(t, expectedHealthCheckUrl, client.healthUrl)
+}
+
+func Test_shouldReturnError_whenCaNameInvalid(t *testing.T) {
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caNameInvalid, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+ assert.Nil(t, client)
+ assert.Error(t, err)
+}
+
+func Test_shouldReturnError_whenHealthEndpointInvalid(t *testing.T) {
+ client, err := CreateCertServiceClient(validUrl, healthEndpointInvalid, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+ assert.Nil(t, client)
+ assert.Error(t, err)
+}
+
+func Test_shouldReturnError_whenCertEndpointInvalid(t *testing.T) {
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpointInvalid, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+ assert.Nil(t, client)
+ assert.Error(t, err)
}
func Test_shouldReturnError_whenUrlInvalid(t *testing.T) {
- client, err := CreateCertServiceClient(invalidUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+ client, err := CreateCertServiceClient(invalidUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
assert.Nil(t, client)
assert.Error(t, err)
}
func Test_shouldReturnError_whenCanameEmpty(t *testing.T) {
- client, err := CreateCertServiceClient(validUrl, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
assert.Nil(t, client)
assert.Error(t, err)
}
func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) {
- client, err := CreateCertServiceClient(validUrl, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes)
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes)
assert.Nil(t, client)
assert.Error(t, err)
@@ -72,7 +100,7 @@ func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) {
func Test_shouldReturnError_whenKeyInvalid(t *testing.T) {
//Cert used as key
- client, err := CreateCertServiceClient(validUrl, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes)
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes)
assert.Nil(t, client)
assert.Error(t, err)
@@ -80,7 +108,7 @@ func Test_shouldReturnError_whenKeyInvalid(t *testing.T) {
func Test_shouldReturnError_whenCertInvalid(t *testing.T) {
//Cacert used as cert
- client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes)
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes)
assert.Nil(t, client)
assert.Error(t, err)
@@ -88,7 +116,7 @@ func Test_shouldReturnError_whenCertInvalid(t *testing.T) {
func Test_shouldReturnError_whenCacertInvalid(t *testing.T) {
//Key used as cacert
- client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes)
+ client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes)
assert.Nil(t, client)
assert.Error(t, err)
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
index 1e15d43e..06fc4792 100644
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
+++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
@@ -37,7 +37,7 @@ const (
)
-func Test_shouldParseCertificateResponseCorrectly(t *testing.T) {
+func Test_GetCertificates_shouldParseCertificateResponseCorrectly(t *testing.T) {
responseJson := `{"certificateChain": ["cert-0", "cert-1"], "trustedCertificates": ["trusted-cert-0", "trusted-cert-1"]}`
responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))
client := CertServiceClientImpl{
@@ -56,7 +56,7 @@ func Test_shouldParseCertificateResponseCorrectly(t *testing.T) {
assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates)
}
-func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
+func Test_GetCertificates_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
responseJson := `not a json`
responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))
client := CertServiceClientImpl{
@@ -76,7 +76,7 @@ func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
assert.Error(t, err)
}
-func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
+func Test_GetCertificates_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
client := CertServiceClientImpl{
certificationUrl: certificationUrl,
httpClient: &httpClientMock{
@@ -91,6 +91,57 @@ func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
assert.Error(t, err)
}
+func Test_CheckHealth_shouldReturnNil_whenHttpClientReturnsStatusCode200(t *testing.T) {
+ client := CertServiceClientImpl{
+ certificationUrl: certificationUrl,
+ httpClient: &httpClientMock{
+ DoFunc: func(req *http.Request) (response *http.Response, e error) {
+ mockedResponse := &http.Response{
+ Body: nil,
+ StatusCode: 200,
+ }
+ return mockedResponse, nil
+ },
+ },
+ }
+
+ err := client.CheckHealth()
+
+ assert.Nil(t, err)
+}
+
+func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsStatusCode404(t *testing.T) {
+ client := CertServiceClientImpl{
+ certificationUrl: certificationUrl,
+ httpClient: &httpClientMock{
+ DoFunc: func(req *http.Request) (response *http.Response, e error) {
+ mockedResponse := &http.Response{
+ Body: nil,
+ StatusCode: 404,
+ }
+ return mockedResponse, nil
+ },
+ },
+ }
+
+ err := client.CheckHealth()
+
+ assert.Error(t, err)
+}
+
+func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
+ client := CertServiceClientImpl{
+ certificationUrl: certificationUrl,
+ httpClient: &httpClientMock{
+ DoFunc: func(req *http.Request) (response *http.Response, err error) {
+ return nil, fmt.Errorf("mock error")
+ },
+ },
+ }
+ err := client.CheckHealth()
+
+ assert.Error(t, err)
+}
type httpClientMock struct {
DoFunc func(*http.Request) (*http.Response, error)
diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
index f26dc876..73392060 100644
--- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
+++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
@@ -37,6 +37,10 @@ func init() {
type CMPv2IssuerSpec struct {
// URL is the base URL for the CertService certificates instance.
URL string `json:"url"`
+ // Path to health check endpoint.
+ HealthEndpoint string `json:"healthEndpoint"`
+ // Path to certificate signing endpoint.
+ CertEndpoint string `json:"certEndpoint"`
// CaName is the name of the external CA server
CaName string `json:"caName"`
// KeyRef is a reference to a Secret containing the provisioner
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
index d526bbc8..136d3eb4 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
@@ -65,6 +65,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
// 1. Fetch the CertificateRequest resource being reconciled.
certificateRequest := new(cmapi.CertificateRequest)
+ log.Info("Registered new certificate sign request: ", "cert-name", certificateRequest.Name)
if err := controller.Client.Get(ctx, k8sRequest.NamespacedName, certificateRequest); err != nil {
err = handleErrorResourceNotFound(log, err)
return ctrl.Result{}, err
@@ -72,7 +73,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
// 2. Check if CertificateRequest is meant for CMPv2Issuer (if not ignore)
if !isCMPv2CertificateRequest(certificateRequest) {
- log.V(4).Info("Certificate request is not meant for CMPv2Issuer (ignoring)",
+ log.Info("Certificate request is not meant for CMPv2Issuer (ignoring)",
"group", certificateRequest.Spec.IssuerRef.Group,
"kind", certificateRequest.Spec.IssuerRef.Kind)
return ctrl.Result{}, nil
@@ -81,7 +82,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
// 3. If the certificate data is already set then we skip this request as it
// has already been completed in the past.
if len(certificateRequest.Status.Certificate) > 0 {
- log.V(4).Info("Existing certificate data found in status, skipping already completed CertificateRequest")
+ log.Info("Existing certificate data found in status, skipping already completed CertificateRequest")
return ctrl.Result{}, nil
}
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
index 1b4e5312..c6e0e1da 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
@@ -83,7 +83,7 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul
return ctrl.Result{}, err
}
- // 4. Create CMPv2 provisioner and store the instance for further use
+ // 4. Create CMPv2 provisioner
provisioner, err := provisioners.CreateProvisioner(issuer, secret)
if err != nil {
log.Error(err, "failed to initialize provisioner")
@@ -91,9 +91,14 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul
handleErrorProvisionerInitialization(ctx, log, err, statusUpdater)
return ctrl.Result{}, err
}
+
+ // 5. Check health of the provisioner and store the instance for further use
+ if err := provisioner.CheckHealth(); err != nil {
+ return ctrl.Result{}, err
+ }
provisioners.Store(req.NamespacedName, provisioner)
- // 5. Update the status of CMPv2Issuer to 'Validated'
+ // 6. Update the status of CMPv2Issuer to 'Validated'
if err := updateCMPv2IssuerStatusToVerified(statusUpdater, ctx, log); err != nil {
handleErrorUpdatingCMPv2IssuerStatus(log, err)
return ctrl.Result{}, err
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index 67d719cc..c0304d7d 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -29,7 +29,6 @@ import (
"bytes"
"context"
"crypto/x509"
- "encoding/base64"
"encoding/pem"
"fmt"
"sync"
@@ -47,6 +46,8 @@ var collection = new(sync.Map)
type CertServiceCA struct {
name string
url string
+ healthEndpoint string
+ certEndpoint string
caName string
certServiceClient certserviceclient.CertServiceClient
}
@@ -57,14 +58,22 @@ func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.
ca.name = cmpv2Issuer.Name
ca.url = cmpv2Issuer.Spec.URL
ca.caName = cmpv2Issuer.Spec.CaName
+ ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
+ ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
ca.certServiceClient = certServiceClient
log := ctrl.Log.WithName("cmpv2-provisioner")
- log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName)
+ log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
return &ca, nil
}
+func (ca *CertServiceCA) CheckHealth() error {
+ log := ctrl.Log.WithName("cmpv2-provisioner")
+ log.Info("Checking health of CMPv2 issuer: ", "name", ca.name)
+ return ca.certServiceClient.CheckHealth()
+}
+
func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) {
provisioner, ok := collection.Load(namespacedName)
if !ok {
@@ -99,30 +108,27 @@ func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanag
log.Info("Certificate Chain", "cert-chain", response.CertificateChain)
log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates)
- cert := x509.Certificate{}
- cert.Raw = csr.Raw
// TODO
- // write here code which will call CertServiceCA and sign CSR
- // END
-
+ // stored response as PEM
+ cert := x509.Certificate{}
+ cert.Raw = csr.Raw
encodedPEM, err := encodeX509(&cert)
if err != nil {
return nil, nil, err
}
+ // END
signedPEM := encodedPEM
trustedCA := encodedPEM
- log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
log.Info("Signed cert PEM: ", "bytes", signedPEM)
log.Info("Trusted CA PEM: ", "bytes", trustedCA)
+ log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
return signedPEM, trustedCA, nil
}
-// TODO JM utility methods - will be used in "real" implementation
-
// decodeCSR decodes a certificate request in PEM format and returns the
func decodeCSR(data []byte) (*x509.CertificateRequest, error) {
block, rest := pem.Decode(data)
@@ -151,24 +157,3 @@ func encodeX509(cert *x509.Certificate) ([]byte, error) {
}
return caPem.Bytes(), nil
}
-
-// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The
-// CSRs generated by the Certificate resource have always those SANs. If no SANs
-// are available `certservice-issuer-certificate` will be used as a subject is always
-// required.
-func generateSubject(sans []string) string {
- if len(sans) == 0 {
- return "certservice-issuer-certificate"
- }
- for _, s := range sans {
- if s != "127.0.0.1" && s != "localhost" {
- return s
- }
- }
- return sans[0]
-}
-
-func decode(cert string) []byte {
- bytes, _ := base64.RawStdEncoding.DecodeString(cert)
- return bytes
-}
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
index 125c1bc6..27f5c108 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
@@ -44,7 +44,8 @@ func CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertSer
return nil, err
}
- certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
+ certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.HealthEndpoint, issuer.Spec.CertEndpoint,
+ issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
if err != nil {
return nil, err
}
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
index 1e215d3f..3c0dbfd7 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
@@ -35,6 +35,8 @@ import (
const (
secretName = "issuer-cert-secret"
url = "https://oom-cert-service:8443/v1/certificate/"
+ healthEndpoint = "actuator/health"
+ certEndpoint = "v1/certificate"
caName = "RA"
keySecretKey = "cmpv2Issuer-key.pem"
certSecretKey = "cmpv2Issuer-cert.pem"
@@ -49,6 +51,8 @@ func Test_shouldCreateProvisioner(t *testing.T) {
assert.NotNil(t, provisioner)
assert.Equal(t, url, provisioner.url)
assert.Equal(t, caName, provisioner.caName)
+ assert.Equal(t, healthEndpoint, provisioner.healthEndpoint)
+ assert.Equal(t, certEndpoint, provisioner.certEndpoint)
}
func Test_shouldReturnError_whenSecretMissingKeyRef(t *testing.T) {
@@ -103,6 +107,8 @@ func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) {
issuer := cmpv2api.CMPv2Issuer{
Spec: cmpv2api.CMPv2IssuerSpec{
URL: url,
+ HealthEndpoint: healthEndpoint,
+ CertEndpoint: certEndpoint,
CaName: caName,
CertSecretRef: cmpv2api.SecretKeySelector{
Name: secretName,
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
index 39e399b8..31f2bc26 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
@@ -167,3 +167,8 @@ type certServiceClientMock struct {
func (client *certServiceClientMock) GetCertificates(csr []byte, key []byte) (*certserviceclient.CertificatesResponse, error) {
return client.getCertificatesFunc(csr, key)
}
+
+func (client *certServiceClientMock) CheckHealth() error {
+ return nil
+}
+