diff options
Diffstat (limited to 'certServiceK8sExternalProvider/src/certservice-controller')
3 files changed, 0 insertions, 405 deletions
diff --git a/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go b/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go deleted file mode 100644 index b744676e..00000000 --- a/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go +++ /dev/null @@ -1,162 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * oom-certservice-k8s-external-provider - * ================================================================================ - * Copyright 2019 The cert-manager authors. - * Modifications copyright (C) 2020 Nokia. All rights reserved. - * ================================================================================ - * This source code was copied from the following git repository: - * https://github.com/smallstep/step-issuer - * The source code was modified for usage in the ONAP project. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package certservice_controller - -import ( - "context" - "fmt" - "onap.org/oom-certservice/k8s-external-provider/src/api" - provisioners "onap.org/oom-certservice/k8s-external-provider/src/certservice-provisioner" - - "github.com/go-logr/logr" - apiutil "github.com/jetstack/cert-manager/pkg/api/util" - cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" - cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" - core "k8s.io/api/core/v1" - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/tools/record" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" -) - -// CertificateRequestReconciler reconciles a CertServiceIssuer object. -type CertificateRequestReconciler struct { - client.Client - Log logr.Logger - Recorder record.EventRecorder -} - -// Reconcile will read and validate a CertServiceIssuer resource associated to the -// CertificateRequest resource, and it will sign the CertificateRequest with the -// provisioner in the CertServiceIssuer. -func (reconciler *CertificateRequestReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { - ctx := context.Background() - log := reconciler.Log.WithValues("certificaterequest", req.NamespacedName) - - // Fetch the CertificateRequest resource being reconciled. - // Just ignore the request if the certificate request has been deleted. - certificateRequest := new(cmapi.CertificateRequest) - if err := reconciler.Client.Get(ctx, req.NamespacedName, certificateRequest); err != nil { - if apierrors.IsNotFound(err) { - return ctrl.Result{}, nil - } - - log.Error(err, "failed to retrieve CertificateRequest resource") - return ctrl.Result{}, err - } - - // Check the CertificateRequest's issuerRef and if it does not match the api - // group name, log a message at a debug level and stop processing. - if certificateRequest.Spec.IssuerRef.Group != "" && certificateRequest.Spec.IssuerRef.Group != api.GroupVersion.Group { - log.V(4).Info("resource does not specify an issuerRef group name that we are responsible for", "group", certificateRequest.Spec.IssuerRef.Group) - return ctrl.Result{}, nil - } - - // If the certificate data is already set then we skip this request as it - // has already been completed in the past. - if len(certificateRequest.Status.Certificate) > 0 { - log.V(4).Info("existing certificate data found in status, skipping already completed CertificateRequest") - return ctrl.Result{}, nil - } - - // Fetch the CertServiceIssuer resource - issuer := api.CertServiceIssuer{} - issuerNamespaceName := types.NamespacedName{ - Namespace: req.Namespace, - Name: certificateRequest.Spec.IssuerRef.Name, - } - if err := reconciler.Client.Get(ctx, issuerNamespaceName, &issuer); err != nil { - log.Error(err, "failed to retrieve CertServiceIssuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name) - _ = reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CertServiceIssuer resource %s: %v", issuerNamespaceName, err) - return ctrl.Result{}, err - } - - // Check if the CertServiceIssuer resource has been marked Ready - if !certServiceIssuerHasCondition(issuer, api.CertServiceIssuerCondition{Type: api.ConditionReady, Status: api.ConditionTrue}) { - err := fmt.Errorf("resource %s is not ready", issuerNamespaceName) - log.Error(err, "failed to retrieve CertServiceIssuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name) - _ = reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "CertServiceIssuer resource %s is not Ready", issuerNamespaceName) - return ctrl.Result{}, err - } - - // Load the provisioner that will sign the CertificateRequest - provisioner, ok := provisioners.Load(issuerNamespaceName) - if !ok { - err := fmt.Errorf("provisioner %s not found", issuerNamespaceName) - log.Error(err, "failed to provisioner for CertServiceIssuer resource") - _ = reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CertServiceIssuer resource %s", issuerNamespaceName) - return ctrl.Result{}, err - } - - // Sign CertificateRequest - signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest) - if err != nil { - log.Error(err, "failed to sign certificate request") - return ctrl.Result{}, reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err) - } - certificateRequest.Status.Certificate = signedPEM - certificateRequest.Status.CA = trustedCAs - - return ctrl.Result{}, reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued") -} - -// SetupWithManager initializes the CertificateRequest controller into the -// controller runtime. -func (reconciler *CertificateRequestReconciler) SetupWithManager(manager ctrl.Manager) error { - return ctrl.NewControllerManagedBy(manager). - For(&cmapi.CertificateRequest{}). - Complete(reconciler) -} - -// certServiceIssuerHasCondition will return true if the given CertServiceIssuer resource has -// a condition matching the provided CertServiceIssuerCondition. Only the Type and -// Status field will be used in the comparison, meaning that this function will -// return 'true' even if the Reason, Message and LastTransitionTime fields do -// not match. -func certServiceIssuerHasCondition(issuer api.CertServiceIssuer, condition api.CertServiceIssuerCondition) bool { - existingConditions := issuer.Status.Conditions - for _, cond := range existingConditions { - if condition.Type == cond.Type && condition.Status == cond.Status { - return true - } - } - return false -} - -func (reconciler *CertificateRequestReconciler) setStatus(ctx context.Context, certificateRequest *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error { - completeMessage := fmt.Sprintf(message, args...) - apiutil.SetCertificateRequestCondition(certificateRequest, cmapi.CertificateRequestConditionReady, status, reason, completeMessage) - - // Fire an Event to additionally inform users of the change - eventType := core.EventTypeNormal - if status == cmmeta.ConditionFalse { - eventType = core.EventTypeWarning - } - reconciler.Recorder.Event(certificateRequest, eventType, reason, completeMessage) - - return reconciler.Client.Status().Update(ctx, certificateRequest) -} diff --git a/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_reconciler.go b/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_reconciler.go deleted file mode 100644 index b826e2dd..00000000 --- a/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_reconciler.go +++ /dev/null @@ -1,127 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * oom-certservice-k8s-external-provider - * ================================================================================ - * Copyright (c) 2019 Smallstep Labs, Inc. - * Modifications copyright (C) 2020 Nokia. All rights reserved. - * ================================================================================ - * This source code was copied from the following git repository: - * https://github.com/smallstep/step-issuer - * The source code was modified for usage in the ONAP project. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package certservice_controller - -import ( - "context" - "fmt" - "github.com/go-logr/logr" - core "k8s.io/api/core/v1" - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/tools/record" - "k8s.io/utils/clock" - "onap.org/oom-certservice/k8s-external-provider/src/api" - provisioners "onap.org/oom-certservice/k8s-external-provider/src/certservice-provisioner" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" -) - -// CertServiceIssuerReconciler reconciles a CertServiceIssuer object -type CertServiceIssuerReconciler struct { - client.Client - Log logr.Logger - Clock clock.Clock - Recorder record.EventRecorder -} - -// Reconcile will read and validate the CertServiceIssuer resources, it will set the -// status condition ready to true if everything is right. -func (reconciler *CertServiceIssuerReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { - ctx := context.Background() - log := reconciler.Log.WithValues("certservice-issuer-controller", req.NamespacedName) - - issuer := new(api.CertServiceIssuer) - if err := reconciler.Client.Get(ctx, req.NamespacedName, issuer); err != nil { - log.Error(err, "failed to retrieve CertServiceIssuer resource") - return ctrl.Result{}, client.IgnoreNotFound(err) - } - log.Info("Issuer loaded: ", "issuer", issuer) - - statusReconciler := newStatusReconciler(reconciler, issuer, log) - if err := validateCertServiceIssuerSpec(issuer.Spec); err != nil { - log.Error(err, "failed to validate CertServiceIssuer resource") - statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "Validation", "Failed to validate resource: %v", err) - return ctrl.Result{}, err - } - log.Info("Issuer validated. ") - - // Fetch the provisioner password - var secret core.Secret - secretNamespaceName := types.NamespacedName{ - Namespace: req.Namespace, - Name: issuer.Spec.KeyRef.Name, - } - if err := reconciler.Client.Get(ctx, secretNamespaceName, &secret); err != nil { - log.Error(err, "failed to retrieve CertServiceIssuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name) - if apierrors.IsNotFound(err) { - statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "NotFound", "Failed to retrieve provisioner secret: %v", err) - } else { - statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "Error", "Failed to retrieve provisioner secret: %v", err) - } - return ctrl.Result{}, err - } - password, ok := secret.Data[issuer.Spec.KeyRef.Key] - if !ok { - err := fmt.Errorf("secret %s does not contain key %s", secret.Name, issuer.Spec.KeyRef.Key) - log.Error(err, "failed to retrieve CertServiceIssuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name) - statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "NotFound", "Failed to retrieve provisioner secret: %v", err) - return ctrl.Result{}, err - } - - // Initialize and store the provisioner - provisioner, err := provisioners.New(issuer, password) - if err != nil { - log.Error(err, "failed to initialize provisioner") - statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "Error", "failed initialize provisioner") - return ctrl.Result{}, err - } - provisioners.Store(req.NamespacedName, provisioner) - - log.Info( "CertServiceIssuer verified. Updating status to Verified...") - return ctrl.Result{}, statusReconciler.Update(ctx, api.ConditionTrue, "Verified", "CertServiceIssuer verified and ready to sign certificates") -} - -// SetupWithManager initializes the CertServiceIssuer controller into the controller -// runtime. -func (reconciler *CertServiceIssuerReconciler) SetupWithManager(manager ctrl.Manager) error { - return ctrl.NewControllerManagedBy(manager). - For(&api.CertServiceIssuer{}). - Complete(reconciler) -} - -func validateCertServiceIssuerSpec(issuerSpec api.CertServiceIssuerSpec) error { - switch { - case issuerSpec.URL == "": - return fmt.Errorf("spec.url cannot be empty") - case issuerSpec.KeyRef.Name == "": - return fmt.Errorf("spec.keyRef.name cannot be empty") - case issuerSpec.KeyRef.Key == "": - return fmt.Errorf("spec.keyRef.key cannot be empty") - default: - return nil - } -} diff --git a/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_status_reconciler.go b/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_status_reconciler.go deleted file mode 100644 index f2c0452e..00000000 --- a/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_status_reconciler.go +++ /dev/null @@ -1,116 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * oom-certservice-k8s-external-provider - * ================================================================================ - * Copyright (c) 2019 Smallstep Labs, Inc. - * Modifications copyright (C) 2020 Nokia. All rights reserved. - * ================================================================================ - * This source code was copied from the following git repository: - * https://github.com/smallstep/step-issuer - * The source code was modified for usage in the ONAP project. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package certservice_controller - -import ( - "context" - "fmt" - "github.com/go-logr/logr" - core "k8s.io/api/core/v1" - meta "k8s.io/apimachinery/pkg/apis/meta/v1" - "onap.org/oom-certservice/k8s-external-provider/src/api" -) - -type certServiceIssuerStatusReconciler struct { - *CertServiceIssuerReconciler - issuer *api.CertServiceIssuer - logger logr.Logger -} - -func newStatusReconciler(reconciler *CertServiceIssuerReconciler, issuer *api.CertServiceIssuer, log logr.Logger) *certServiceIssuerStatusReconciler { - return &certServiceIssuerStatusReconciler{ - CertServiceIssuerReconciler: reconciler, - issuer: issuer, - logger: log, - } -} - -func (reconciler *certServiceIssuerStatusReconciler) Update(ctx context.Context, status api.ConditionStatus, reason, message string, args ...interface{}) error { - completeMessage := fmt.Sprintf(message, args...) - reconciler.setCondition(status, reason, completeMessage) - - // Fire an Event to additionally inform users of the change - eventType := core.EventTypeNormal - if status == api.ConditionFalse { - eventType = core.EventTypeWarning - } - reconciler.logger.Info("Firing event: ", "issuer", reconciler.issuer, "eventtype", eventType, "reason", reason, "message", completeMessage) - reconciler.Recorder.Event(reconciler.issuer, eventType, reason, completeMessage) - - reconciler.logger.Info("Updating issuer... ") - return reconciler.Client.Update(ctx, reconciler.issuer) -} - -func (reconciler *certServiceIssuerStatusReconciler) UpdateNoError(ctx context.Context, status api.ConditionStatus, reason, message string, args ...interface{}) { - if err := reconciler.Update(ctx, status, reason, message, args...); err != nil { - reconciler.logger.Error(err, "failed to update", "status", status, "reason", reason) - } -} - -// setCondition will set a 'condition' on the given api.CertServiceIssuer resource. -// -// - If no condition of the same type already exists, the condition will be -// inserted with the LastTransitionTime set to the current time. -// - If a condition of the same type and state already exists, the condition -// will be updated but the LastTransitionTime will not be modified. -// - If a condition of the same type and different state already exists, the -// condition will be updated and the LastTransitionTime set to the current -// time. -func (reconciler *certServiceIssuerStatusReconciler) setCondition(status api.ConditionStatus, reason, message string) { - now := meta.NewTime(reconciler.Clock.Now()) - issuerCondition := api.CertServiceIssuerCondition{ - Type: api.ConditionReady, - Status: status, - Reason: reason, - Message: message, - LastTransitionTime: &now, - } - - // Search through existing conditions - for i, condition := range reconciler.issuer.Status.Conditions { - // Skip unrelated conditions - if condition.Type != api.ConditionReady { - continue - } - - // If this update doesn't contain a state transition, we don't update - // the conditions LastTransitionTime to Now() - if condition.Status == status { - issuerCondition.LastTransitionTime = condition.LastTransitionTime - } else { - reconciler.logger.Info("found status change for CertServiceIssuer condition; setting lastTransitionTime", "condition", condition.Type, "old_status", condition.Status, "new_status", status, "time", now.Time) - } - - // Overwrite the existing condition - reconciler.issuer.Status.Conditions[i] = issuerCondition - return - } - - // If we've not found an existing condition of this type, we simply insert - // the new condition into the slice. - reconciler.issuer.Status.Conditions = append(reconciler.issuer.Status.Conditions, issuerCondition) - reconciler.logger.Info("setting lastTransitionTime for CertServiceIssuer condition", "condition", api.ConditionReady, "time", now.Time) -} |