Diffstat (limited to 'certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go')
-rw-r--r-- | certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go | 69 |
1 files changed, 26 insertions, 43 deletions
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
index 2933b499..cb667bd6 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
@@ -29,9 +29,7 @@ import (
 	"context"
 	"fmt"
 
-	apiutil "github.com/jetstack/cert-manager/pkg/api/util"
 	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
-	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
 	core "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
@@ -39,10 +37,11 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	"onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
 	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
 	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/logger"
+	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/updater"
 	provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
+	"onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
 	x509utils "onap.org/oom-certservice/k8s-external-provider/src/x509"
 )
 
@@ -53,9 +52,9 @@ const (
 
 // CertificateRequestController reconciles a CMPv2Issuer object.
 type CertificateRequestController struct {
-	client.Client
-	Log      leveledlogger.Logger
+	Client   client.Client
 	Recorder record.EventRecorder
+	Log      leveledlogger.Logger
 }
 
 // Reconcile will read and validate a CMPv2Issuer resource associated to the
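Review bot: The doc comment kept above the rewritten struct, `// CertificateRequestController reconciles a CMPv2Issuer object.`, does not describe the type: SetupWithManager registers it with `For(&cmapi.CertificateRequest{})` and Reconcile fetches a CertificateRequest, so it should read `// CertificateRequestController reconciles CertificateRequest resources that reference a CMPv2Issuer.` Now that the client is a named field rather than an embedding, a one-line comment on each of `Client`, `Recorder` and `Log` saying what it is used for (reading the CertificateRequest, its CMPv2Issuer and the private-key Secret; emitting status events; logging) would help a reader who no longer sees the promoted methods.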
@@ -67,6 +66,8 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
 	// 1. Fetch the CertificateRequest resource being reconciled.
 	certificateRequest := new(cmapi.CertificateRequest)
+	certUpdater := updater.NewCertificateRequestUpdater(controller.Client, controller.Recorder, certificateRequest, ctx, log)
+	log.Info("Registered new certificate sign request: ", "cert-name", certificateRequest.Name)
 	if err := controller.Client.Get(ctx, k8sRequest.NamespacedName, certificateRequest); err != nil {
 		err = handleErrorResourceNotFound(log, err)
@@ -95,20 +96,20 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
 		Name:      certificateRequest.Spec.IssuerRef.Name,
 	}
 	if err := controller.Client.Get(ctx, issuerNamespaceName, &issuer); err != nil {
-		controller.handleErrorGettingCMPv2Issuer(ctx, log, err, certificateRequest, issuerNamespaceName, k8sRequest)
+		controller.handleErrorGettingCMPv2Issuer(certUpdater, log, err, certificateRequest, issuerNamespaceName, k8sRequest)
 		return ctrl.Result{}, err
 	}
 
 	// 5. Check if CMPv2Issuer is ready to sing certificates
 	if !isCMPv2IssuerReady(issuer) {
-		err := controller.handleErrorCMPv2IssuerIsNotReady(ctx, log, issuerNamespaceName, certificateRequest, k8sRequest)
+		err := controller.handleErrorCMPv2IssuerIsNotReady(certUpdater, log, issuerNamespaceName, certificateRequest, k8sRequest)
 		return ctrl.Result{}, err
 	}
 
 	// 6. Load the provisioner that will sign the CertificateRequest
 	provisioner, ok := provisioners.Load(issuerNamespaceName)
 	if !ok {
-		err := controller.handleErrorCouldNotLoadCMPv2Provisioner(ctx, log, issuerNamespaceName, certificateRequest)
+		err := controller.handleErrorCouldNotLoadCMPv2Provisioner(certUpdater, log, issuerNamespaceName)
 		return ctrl.Result{}, err
 	}
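Review bot: The added `log.Info` line reads `certificateRequest.Name` before `controller.Client.Get` has populated the object, so the `cert-name` value is always empty; either move the line below the Get check or log the request key, `log.Info("Registered new certificate sign request", "cert-name", k8sRequest.NamespacedName)`. The trailing `: ` in the message is also out of place with key/value logging. Passing `ctx` as a constructor argument to `updater.NewCertificateRequestUpdater` suggests the context is stored in the updater struct; if so, it should be a per-call first parameter of the Update methods instead — the updater package is not in this diff, so I am inferring that. Reconcile starts and ends outside this hunk.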
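Review bot: The calls to handleErrorCMPv2IssuerIsNotReady and handleErrorGettingCMPv2Issuer still pass `certificateRequest` and `k8sRequest`, while the other four handlers touched by this commit were trimmed to what they use. Inside those two handlers the extra arguments are read only for `certificateRequest.Spec.IssuerRef.Name` and `req.Namespace`, and `issuerNamespaceName` is built from the same values (`Name: certificateRequest.Spec.IssuerRef.Name,` is visible here; the Namespace line is above the hunk, so that part is inferred). Logging `issuerNamespaceName.Namespace` and `issuerNamespaceName.Name` in the handlers would let both calls shrink to `(certUpdater, log, issuerNamespaceName)`, matching handleErrorCouldNotLoadCMPv2Provisioner; the definitions are in the `@@ -201` hunk below.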
@@ -120,7 +121,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
 	}
 	var privateKeySecret core.Secret
 	if err := controller.Client.Get(ctx, privateKeySecretNamespaceName, &privateKeySecret); err != nil {
-		controller.handleErrorGettingPrivateKey(ctx, log, err, certificateRequest, privateKeySecretNamespaceName)
+		controller.handleErrorGettingPrivateKey(certUpdater, log, err, privateKeySecretNamespaceName)
 		return ctrl.Result{}, err
 	}
 	privateKeyBytes := privateKeySecret.Data[privateKeySecretKey]
@@ -129,54 +130,36 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
 	log.Info("Decoding CSR...")
 	csr, err := x509utils.DecodeCSR(certificateRequest.Spec.Request)
 	if err != nil {
-		controller.handleErrorFailedToDecodeCSR(ctx, log, err, certificateRequest)
+		controller.handleErrorFailedToDecodeCSR(certUpdater, log, err)
 		return ctrl.Result{}, err
 	}
 
 	// 9. Log Certificate Request properties not supported or overridden by CertService API
-	logger.LogCertRequestProperties(leveledlogger.GetLoggerWithName("CSR details"), certificateRequest, csr)
+	logger.LogCertRequestProperties(leveledlogger.GetLoggerWithName("CSR details:"), certificateRequest, csr)
 
 	// 10. Sign CertificateRequest
 	signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest, privateKeyBytes)
 	if err != nil {
-		controller.handleErrorFailedToSignCertificate(ctx, log, err, certificateRequest)
+		controller.handleErrorFailedToSignCertificate(certUpdater, log, err)
 		return ctrl.Result{}, nil
 	}
 
 	// 11. Store signed certificates in CertificateRequest
 	certificateRequest.Status.Certificate = signedPEM
 	certificateRequest.Status.CA = trustedCAs
-	if err := controller.updateCertificateRequestWithSignedCerficates(ctx, certificateRequest); err != nil {
+	if err := certUpdater.UpdateCertificateRequestWithSignedCertificates(); err != nil {
 		return ctrl.Result{}, err
 	}
 
 	return ctrl.Result{}, nil
 }
 
-func (controller *CertificateRequestController) updateCertificateRequestWithSignedCerficates(ctx context.Context, certificateRequest *cmapi.CertificateRequest) error {
-	return controller.setStatus(ctx, certificateRequest, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued")
-}
-
 func (controller *CertificateRequestController) SetupWithManager(manager ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(manager).
 		For(&cmapi.CertificateRequest{}).
 		Complete(controller)
 }
 
-func (controller *CertificateRequestController) setStatus(ctx context.Context, certificateRequest *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error {
-	completeMessage := fmt.Sprintf(message, args...)
-	apiutil.SetCertificateRequestCondition(certificateRequest, cmapi.CertificateRequestConditionReady, status, reason, completeMessage)
-
-	// Fire an Event to additionally inform users of the change
-	eventType := core.EventTypeNormal
-	if status == cmmeta.ConditionFalse {
-		eventType = core.EventTypeWarning
-	}
-	controller.Recorder.Event(certificateRequest, eventType, reason, completeMessage)
-
-	return controller.Client.Status().Update(ctx, certificateRequest)
-}
-
 func isCMPv2IssuerReady(issuer cmpv2api.CMPv2Issuer) bool {
 	condition := cmpv2api.CMPv2IssuerCondition{Type: cmpv2api.ConditionReady, Status: cmpv2api.ConditionTrue}
 	return hasCondition(issuer, condition)
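Review bot: The logger name changed on the `logger.LogCertRequestProperties` line now carries a trailing colon, `"CSR details:"`, which ends up inside the logger's name field rather than as a separator in the output; keep it as `leveledlogger.GetLoggerWithName("CSR details")`. The removed setStatus made it explicit that a ConditionFalse status also emitted a Warning event and wrote the status through `Client.Status().Update`; since that logic now lives in the updater package outside this diff, a short comment on the `certUpdater.UpdateCertificateRequestWithSignedCertificates()` call such as `// Sets the Ready condition to True with reason Issued, emits the event and writes the status subresource.` would preserve that knowledge for readers of Reconcile. Reconcile starts outside this hunk.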
@@ -201,38 +184,38 @@ func isCMPv2CertificateRequest(certificateRequest *cmapi.CertificateRequest) boo
 // Error handling
 
-func (controller *CertificateRequestController) handleErrorCouldNotLoadCMPv2Provisioner(ctx context.Context, log leveledlogger.Logger, issuerNamespaceName types.NamespacedName, certificateRequest *cmapi.CertificateRequest) error {
+func (controller *CertificateRequestController) handleErrorCouldNotLoadCMPv2Provisioner(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, issuerNamespaceName types.NamespacedName) error {
 	err := fmt.Errorf("provisioner %s not found", issuerNamespaceName)
 	log.Error(err, "Failed to load CMPv2 Provisioner resource")
-	_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CMPv2Issuer resource %s", issuerNamespaceName)
+	_ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CMPv2Issuer resource %s", issuerNamespaceName)
 	return err
 }
 
-func (controller *CertificateRequestController) handleErrorCMPv2IssuerIsNotReady(ctx context.Context, log leveledlogger.Logger, issuerNamespaceName types.NamespacedName, certificateRequest *cmapi.CertificateRequest, req ctrl.Request) error {
+func (controller *CertificateRequestController) handleErrorCMPv2IssuerIsNotReady(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, issuerNamespaceName types.NamespacedName, certificateRequest *cmapi.CertificateRequest, req ctrl.Request) error {
 	err := fmt.Errorf("resource %s is not ready", issuerNamespaceName)
 	log.Error(err, "CMPv2Issuer not ready", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name)
-	_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "CMPv2Issuer resource %s is not Ready", issuerNamespaceName)
+	_ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonPending, "CMPv2Issuer resource %s is not Ready", issuerNamespaceName)
 	return err
 }
 
-func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(ctx context.Context, log leveledlogger.Logger, err error, certificateRequest *cmapi.CertificateRequest, issuerNamespaceName types.NamespacedName, req ctrl.Request) {
+func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, err error, certificateRequest *cmapi.CertificateRequest, issuerNamespaceName types.NamespacedName, req ctrl.Request) {
 	log.Error(err, "Failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name)
-	_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err)
+	_ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err)
 }
 
-func (controller *CertificateRequestController) handleErrorGettingPrivateKey(ctx context.Context, log leveledlogger.Logger, err error, certificateRequest *cmapi.CertificateRequest, pkSecretNamespacedName types.NamespacedName) {
+func (controller *CertificateRequestController) handleErrorGettingPrivateKey(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, err error, pkSecretNamespacedName types.NamespacedName) {
 	log.Error(err, "Failed to retrieve private key secret for certificate request", "namespace", pkSecretNamespacedName.Namespace, "name", pkSecretNamespacedName.Name)
-	_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve private key secret: %v", err)
+	_ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonPending, "Failed to retrieve private key secret: %v", err)
 }
 
-func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(ctx context.Context, log leveledlogger.Logger, err error, certificateRequest *cmapi.CertificateRequest) {
+func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, err error) {
 	log.Error(err, "Failed to sign certificate request")
-	_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
+	_ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
 }
 
-func (controller *CertificateRequestController) handleErrorFailedToDecodeCSR(ctx context.Context, log leveledlogger.Logger, err error, certificateRequest *cmapi.CertificateRequest) {
+func (controller *CertificateRequestController) handleErrorFailedToDecodeCSR(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, err error) {
 	log.Error(err, "Failed to decode certificate sign request")
-	_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to decode CSR: %v", err)
+	_ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonFailed, "Failed to decode CSR: %v", err)
 }
 
 func handleErrorResourceNotFound(log leveledlogger.Logger, err error) error { |
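Review bot: Every rewritten handler signature in this hunk names its first parameter `updater`, which shadows the imported `updater` package inside the function body; it compiles because the parameter type is resolved before the name comes into scope, but linters flag it and any later reference to the package in these bodies would silently bind to the parameter. Renaming the parameter, `statusUpdater *updater.CertificateRequestStatusUpdater`, avoids that in all six handlers. The `_ =` on each `UpdateStatusWithEventTypeWarning` call also discards the status write error, so a failure to record the Pending/Failed condition and its Warning event leaves no trace; `if err := statusUpdater.UpdateStatusWithEventTypeWarning(...); err != nil { log.Error(err, "Failed to update CertificateRequest status") }` keeps the best-effort behaviour while making the failure visible. With `controller` no longer used by any of these handlers, they could become plain functions; handleErrorResourceNotFound on the hunk's last line continues outside it.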