aboutsummaryrefslogtreecommitdiffstats
path: root/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go
diff options
context:
space:
mode:
Diffstat (limited to 'certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go')
-rw-r--r--certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go162
1 files changed, 0 insertions, 162 deletions
diff --git a/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go b/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go
deleted file mode 100644
index b744676e..00000000
--- a/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * ============LICENSE_START=======================================================
- * oom-certservice-k8s-external-provider
- * ================================================================================
- * Copyright 2019 The cert-manager authors.
- * Modifications copyright (C) 2020 Nokia. All rights reserved.
- * ================================================================================
- * This source code was copied from the following git repository:
- * https://github.com/smallstep/step-issuer
- * The source code was modified for usage in the ONAP project.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package certservice_controller
-
-import (
- "context"
- "fmt"
- "onap.org/oom-certservice/k8s-external-provider/src/api"
- provisioners "onap.org/oom-certservice/k8s-external-provider/src/certservice-provisioner"
-
- "github.com/go-logr/logr"
- apiutil "github.com/jetstack/cert-manager/pkg/api/util"
- cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
- cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
- core "k8s.io/api/core/v1"
- apierrors "k8s.io/apimachinery/pkg/api/errors"
- "k8s.io/apimachinery/pkg/types"
- "k8s.io/client-go/tools/record"
- ctrl "sigs.k8s.io/controller-runtime"
- "sigs.k8s.io/controller-runtime/pkg/client"
-)
-
-// CertificateRequestReconciler reconciles a CertServiceIssuer object.
-type CertificateRequestReconciler struct {
- client.Client
- Log logr.Logger
- Recorder record.EventRecorder
-}
-
-// Reconcile will read and validate a CertServiceIssuer resource associated to the
-// CertificateRequest resource, and it will sign the CertificateRequest with the
-// provisioner in the CertServiceIssuer.
-func (reconciler *CertificateRequestReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
- ctx := context.Background()
- log := reconciler.Log.WithValues("certificaterequest", req.NamespacedName)
-
- // Fetch the CertificateRequest resource being reconciled.
- // Just ignore the request if the certificate request has been deleted.
- certificateRequest := new(cmapi.CertificateRequest)
- if err := reconciler.Client.Get(ctx, req.NamespacedName, certificateRequest); err != nil {
- if apierrors.IsNotFound(err) {
- return ctrl.Result{}, nil
- }
-
- log.Error(err, "failed to retrieve CertificateRequest resource")
- return ctrl.Result{}, err
- }
-
- // Check the CertificateRequest's issuerRef and if it does not match the api
- // group name, log a message at a debug level and stop processing.
- if certificateRequest.Spec.IssuerRef.Group != "" && certificateRequest.Spec.IssuerRef.Group != api.GroupVersion.Group {
- log.V(4).Info("resource does not specify an issuerRef group name that we are responsible for", "group", certificateRequest.Spec.IssuerRef.Group)
- return ctrl.Result{}, nil
- }
-
- // If the certificate data is already set then we skip this request as it
- // has already been completed in the past.
- if len(certificateRequest.Status.Certificate) > 0 {
- log.V(4).Info("existing certificate data found in status, skipping already completed CertificateRequest")
- return ctrl.Result{}, nil
- }
-
- // Fetch the CertServiceIssuer resource
- issuer := api.CertServiceIssuer{}
- issuerNamespaceName := types.NamespacedName{
- Namespace: req.Namespace,
- Name: certificateRequest.Spec.IssuerRef.Name,
- }
- if err := reconciler.Client.Get(ctx, issuerNamespaceName, &issuer); err != nil {
- log.Error(err, "failed to retrieve CertServiceIssuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name)
- _ = reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CertServiceIssuer resource %s: %v", issuerNamespaceName, err)
- return ctrl.Result{}, err
- }
-
- // Check if the CertServiceIssuer resource has been marked Ready
- if !certServiceIssuerHasCondition(issuer, api.CertServiceIssuerCondition{Type: api.ConditionReady, Status: api.ConditionTrue}) {
- err := fmt.Errorf("resource %s is not ready", issuerNamespaceName)
- log.Error(err, "failed to retrieve CertServiceIssuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name)
- _ = reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "CertServiceIssuer resource %s is not Ready", issuerNamespaceName)
- return ctrl.Result{}, err
- }
-
- // Load the provisioner that will sign the CertificateRequest
- provisioner, ok := provisioners.Load(issuerNamespaceName)
- if !ok {
- err := fmt.Errorf("provisioner %s not found", issuerNamespaceName)
- log.Error(err, "failed to provisioner for CertServiceIssuer resource")
- _ = reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CertServiceIssuer resource %s", issuerNamespaceName)
- return ctrl.Result{}, err
- }
-
- // Sign CertificateRequest
- signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest)
- if err != nil {
- log.Error(err, "failed to sign certificate request")
- return ctrl.Result{}, reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
- }
- certificateRequest.Status.Certificate = signedPEM
- certificateRequest.Status.CA = trustedCAs
-
- return ctrl.Result{}, reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued")
-}
-
-// SetupWithManager initializes the CertificateRequest controller into the
-// controller runtime.
-func (reconciler *CertificateRequestReconciler) SetupWithManager(manager ctrl.Manager) error {
- return ctrl.NewControllerManagedBy(manager).
- For(&cmapi.CertificateRequest{}).
- Complete(reconciler)
-}
-
-// certServiceIssuerHasCondition will return true if the given CertServiceIssuer resource has
-// a condition matching the provided CertServiceIssuerCondition. Only the Type and
-// Status field will be used in the comparison, meaning that this function will
-// return 'true' even if the Reason, Message and LastTransitionTime fields do
-// not match.
-func certServiceIssuerHasCondition(issuer api.CertServiceIssuer, condition api.CertServiceIssuerCondition) bool {
- existingConditions := issuer.Status.Conditions
- for _, cond := range existingConditions {
- if condition.Type == cond.Type && condition.Status == cond.Status {
- return true
- }
- }
- return false
-}
-
-func (reconciler *CertificateRequestReconciler) setStatus(ctx context.Context, certificateRequest *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error {
- completeMessage := fmt.Sprintf(message, args...)
- apiutil.SetCertificateRequestCondition(certificateRequest, cmapi.CertificateRequestConditionReady, status, reason, completeMessage)
-
- // Fire an Event to additionally inform users of the change
- eventType := core.EventTypeNormal
- if status == cmmeta.ConditionFalse {
- eventType = core.EventTypeWarning
- }
- reconciler.Recorder.Event(certificateRequest, eventType, reason, completeMessage)
-
- return reconciler.Client.Status().Update(ctx, certificateRequest)
-}