diff options
Diffstat (limited to 'certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go')
| -rw-r--r-- | certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go | 162 |
1 files changed, 162 insertions, 0 deletions
diff --git a/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go b/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go new file mode 100644 index 00000000..1a917e1b --- /dev/null +++ b/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go @@ -0,0 +1,162 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright 2019 The cert-manager authors. + * Modifications copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * This source code was copied from the following git repository: + * https://github.com/smallstep/step-issuer + * The source code was modified for usage in the ONAP project. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package certservice_controller + +import ( + "context" + "fmt" + "onap.org/oom-certservice/k8s-external-provider/src/api" + provisioners "onap.org/oom-certservice/k8s-external-provider/src/certservice-provisioner" + + "github.com/go-logr/logr" + apiutil "github.com/jetstack/cert-manager/pkg/api/util" + cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha2" + cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" + core "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + "k8s.io/client-go/tools/record" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// CertificateRequestReconciler reconciles a CertServiceIssuer object. +type CertificateRequestReconciler struct { + client.Client + Log logr.Logger + Recorder record.EventRecorder +} + +// Reconcile will read and validate a CertServiceIssuer resource associated to the +// CertificateRequest resource, and it will sign the CertificateRequest with the +// provisioner in the CertServiceIssuer. +func (r *CertificateRequestReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { + ctx := context.Background() + log := r.Log.WithValues("certificaterequest", req.NamespacedName) + + // Fetch the CertificateRequest resource being reconciled. + // Just ignore the request if the certificate request has been deleted. + cr := new(cmapi.CertificateRequest) + if err := r.Client.Get(ctx, req.NamespacedName, cr); err != nil { + if apierrors.IsNotFound(err) { + return ctrl.Result{}, nil + } + + log.Error(err, "failed to retrieve CertificateRequest resource") + return ctrl.Result{}, err + } + + // Check the CertificateRequest's issuerRef and if it does not match the api + // group name, log a message at a debug level and stop processing. + if cr.Spec.IssuerRef.Group != "" && cr.Spec.IssuerRef.Group != api.GroupVersion.Group { + log.V(4).Info("resource does not specify an issuerRef group name that we are responsible for", "group", cr.Spec.IssuerRef.Group) + return ctrl.Result{}, nil + } + + // If the certificate data is already set then we skip this request as it + // has already been completed in the past. + if len(cr.Status.Certificate) > 0 { + log.V(4).Info("existing certificate data found in status, skipping already completed CertificateRequest") + return ctrl.Result{}, nil + } + + // Fetch the CertServiceIssuer resource + iss := api.CertServiceIssuer{} + issNamespaceName := types.NamespacedName{ + Namespace: req.Namespace, + Name: cr.Spec.IssuerRef.Name, + } + if err := r.Client.Get(ctx, issNamespaceName, &iss); err != nil { + log.Error(err, "failed to retrieve CertServiceIssuer resource", "namespace", req.Namespace, "name", cr.Spec.IssuerRef.Name) + _ = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CertServiceIssuer resource %s: %v", issNamespaceName, err) + return ctrl.Result{}, err + } + + // Check if the CertServiceIssuer resource has been marked Ready + if !certServiceIssuerHasCondition(iss, api.CertServiceIssuerCondition{Type: api.ConditionReady, Status: api.ConditionTrue}) { + err := fmt.Errorf("resource %s is not ready", issNamespaceName) + log.Error(err, "failed to retrieve CertServiceIssuer resource", "namespace", req.Namespace, "name", cr.Spec.IssuerRef.Name) + _ = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "CertServiceIssuer resource %s is not Ready", issNamespaceName) + return ctrl.Result{}, err + } + + // Load the provisioner that will sign the CertificateRequest + provisioner, ok := provisioners.Load(issNamespaceName) + if !ok { + err := fmt.Errorf("provisioner %s not found", issNamespaceName) + log.Error(err, "failed to provisioner for CertServiceIssuer resource") + _ = r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CertServiceIssuer resource %s", issNamespaceName) + return ctrl.Result{}, err + } + + // Sign CertificateRequest + signedPEM, trustedCAs, err := provisioner.Sign(ctx, cr) + if err != nil { + log.Error(err, "failed to sign certificate request") + return ctrl.Result{}, r.setStatus(ctx, cr, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err) + } + cr.Status.Certificate = signedPEM + cr.Status.CA = trustedCAs + + return ctrl.Result{}, r.setStatus(ctx, cr, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued") +} + +// SetupWithManager initializes the CertificateRequest controller into the +// controller runtime. +func (r *CertificateRequestReconciler) SetupWithManager(mgr ctrl.Manager) error { + return ctrl.NewControllerManagedBy(mgr). + For(&cmapi.CertificateRequest{}). + Complete(r) +} + +// certServiceIssuerHasCondition will return true if the given CertServiceIssuer resource has +// a condition matching the provided CertServiceIssuerCondition. Only the Type and +// Status field will be used in the comparison, meaning that this function will +// return 'true' even if the Reason, Message and LastTransitionTime fields do +// not match. +func certServiceIssuerHasCondition(iss api.CertServiceIssuer, c api.CertServiceIssuerCondition) bool { + existingConditions := iss.Status.Conditions + for _, cond := range existingConditions { + if c.Type == cond.Type && c.Status == cond.Status { + return true + } + } + return false +} + +func (r *CertificateRequestReconciler) setStatus(ctx context.Context, cr *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error { + completeMessage := fmt.Sprintf(message, args...) + apiutil.SetCertificateRequestCondition(cr, cmapi.CertificateRequestConditionReady, status, reason, completeMessage) + + // Fire an Event to additionally inform users of the change + eventType := core.EventTypeNormal + if status == cmmeta.ConditionFalse { + eventType = core.EventTypeWarning + } + r.Recorder.Event(cr, eventType, reason, completeMessage) + + return r.Client.Status().Update(ctx, cr) +} |