4 files changed, 447 insertions, 0 deletions
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
new file mode 100644
index 00000000..1669c97f
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
@@ -0,0 +1,169 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright 2019 The cert-manager authors.
+ * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * This source code was copied from the following git repository:
+ * https://github.com/smallstep/step-issuer
+ * The source code was modified for usage in the ONAP project.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package cmpv2controller
+
+import (
+	"context"
+	"fmt"
+	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+	provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
+
+	"github.com/go-logr/logr"
+	apiutil "github.com/jetstack/cert-manager/pkg/api/util"
+	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
+	cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
+	core "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// CertificateRequestController reconciles a CMPv2Issuer object.
+type CertificateRequestController struct {
+	client.Client
+	Log      logr.Logger
+	Recorder record.EventRecorder
+}
+
+// Reconcile will read and validate a CMPv2Issuer resource associated to the
+// CertificateRequest resource, and it will sign the CertificateRequest with the
+// provisioner in the CMPv2Issuer.
+func (controller *CertificateRequestController) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+	ctx := context.Background()
+	log := controller.Log.WithValues("certificate-request-controller", req.NamespacedName)
+
+	// Fetch the CertificateRequest resource being reconciled.
+	// Just ignore the request if the certificate request has been deleted.
+	certificateRequest := new(cmapi.CertificateRequest)
+	if err := controller.Client.Get(ctx, req.NamespacedName, certificateRequest); err != nil {
+		if apierrors.IsNotFound(err) {
+			return ctrl.Result{}, nil
+		}
+
+		log.Error(err, "failed to retrieve CertificateRequest resource")
+		return ctrl.Result{}, err
+	}
+
+	if !isCMPv2CertificateRequest(certificateRequest) {
+		log.V(4).Info("certificate request is not CMPv2",
+			"group", certificateRequest.Spec.IssuerRef.Group,
+			"kind", certificateRequest.Spec.IssuerRef.Kind)
+		return ctrl.Result{}, nil
+	}
+
+	// If the certificate data is already set then we skip this request as it
+	// has already been completed in the past.
+	if len(certificateRequest.Status.Certificate) > 0 {
+		log.V(4).Info("existing certificate data found in status, skipping already completed CertificateRequest")
+		return ctrl.Result{}, nil
+	}
+
+	// Fetch the CMPv2Issuer resource
+	issuer := cmpv2api.CMPv2Issuer{}
+	issuerNamespaceName := types.NamespacedName{
+		Namespace: req.Namespace,
+		Name:      certificateRequest.Spec.IssuerRef.Name,
+	}
+	if err := controller.Client.Get(ctx, issuerNamespaceName, &issuer); err != nil {
+		log.Error(err, "failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name)
+		_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err)
+		return ctrl.Result{}, err
+	}
+
+	// Check if the CMPv2Issuer resource has been marked Ready
+	if !cmpv2IssuerHasCondition(issuer, cmpv2api.CMPv2IssuerCondition{Type: cmpv2api.ConditionReady, Status: cmpv2api.ConditionTrue}) {
+		err := fmt.Errorf("resource %s is not ready", issuerNamespaceName)
+		log.Error(err, "failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name)
+		_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "CMPv2Issuer resource %s is not Ready", issuerNamespaceName)
+		return ctrl.Result{}, err
+	}
+
+	// Load the provisioner that will sign the CertificateRequest
+	provisioner, ok := provisioners.Load(issuerNamespaceName)
+	if !ok {
+		err := fmt.Errorf("provisioner %s not found", issuerNamespaceName)
+		log.Error(err, "failed to provisioner for CMPv2Issuer resource")
+		_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CMPv2Issuer resource %s", issuerNamespaceName)
+		return ctrl.Result{}, err
+	}
+
+	// Sign CertificateRequest
+	signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest)
+	if err != nil {
+		log.Error(err, "failed to sign certificate request")
+		return ctrl.Result{}, controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
+	}
+	certificateRequest.Status.Certificate = signedPEM
+	certificateRequest.Status.CA = trustedCAs
+
+	return ctrl.Result{}, controller.setStatus(ctx, certificateRequest, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued")
+}
+
+// SetupWithManager initializes the CertificateRequest controller into the
+// controller runtime.
+func (controller *CertificateRequestController) SetupWithManager(manager ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(manager).
+		For(&cmapi.CertificateRequest{}).
+		Complete(controller)
+}
+
+// cmpv2IssuerHasCondition will return true if the given CMPv2Issuer resource has
+// a condition matching the provided CMPv2IssuerCondition. Only the Type and
+// Status field will be used in the comparison, meaning that this function will
+// return 'true' even if the Reason, Message and LastTransitionTime fields do
+// not match.
+func cmpv2IssuerHasCondition(issuer cmpv2api.CMPv2Issuer, condition cmpv2api.CMPv2IssuerCondition) bool {
+	existingConditions := issuer.Status.Conditions
+	for _, cond := range existingConditions {
+		if condition.Type == cond.Type && condition.Status == cond.Status {
+			return true
+		}
+	}
+	return false
+}
+
+func isCMPv2CertificateRequest(certificateRequest *cmapi.CertificateRequest) bool {
+	return certificateRequest.Spec.IssuerRef.Group != "" &&
+		certificateRequest.Spec.IssuerRef.Group == cmpv2api.GroupVersion.Group &&
+	    certificateRequest.Spec.IssuerRef.Kind == cmpv2api.CMPv2IssuerKind
+
+}
+
+func (controller *CertificateRequestController) setStatus(ctx context.Context, certificateRequest *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error {
+	completeMessage := fmt.Sprintf(message, args...)
+	apiutil.SetCertificateRequestCondition(certificateRequest, cmapi.CertificateRequestConditionReady, status, reason, completeMessage)
+
+	// Fire an Event to additionally inform users of the change
+	eventType := core.EventTypeNormal
+	if status == cmmeta.ConditionFalse {
+		eventType = core.EventTypeWarning
+	}
+	controller.Recorder.Event(certificateRequest, eventType, reason, completeMessage)
+
+	return controller.Client.Status().Update(ctx, certificateRequest)
+}
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go
new file mode 100644
index 00000000..36cfbc48
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go
@@ -0,0 +1,35 @@
+package cmpv2controller
+
+import (
+	cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
+	"testing"
+)
+
+func TestIsCMPv2CertificateRequest_notCMPv2Request(t *testing.T) {
+	request := new(cmapi.CertificateRequest)
+	if isCMPv2CertificateRequest(request) {
+		t.Logf("CPMv2 request [NOK]")
+		t.FailNow()
+	}
+
+	request.Spec.IssuerRef.Group = "certmanager.onap.org"
+	request.Spec.IssuerRef.Kind = "CertificateRequest"
+	if isCMPv2CertificateRequest(request) {
+		t.Logf("CPMv2 request [NOK]")
+		t.FailNow()
+	}
+}
+
+func TestIsCMPv2CertificateRequest_CMPvRequest(t *testing.T) {
+	request := new(cmapi.CertificateRequest)
+	request.Spec.IssuerRef.Group = "certmanager.onap.org"
+	request.Spec.IssuerRef.Kind = "CMPv2Issuer"
+
+	if isCMPv2CertificateRequest(request) {
+		t.Logf("CPMv2 request [OK]")
+	} else {
+		t.Logf("Not a CPMv2 request [NOK]")
+		t.FailNow()
+	}
+}
+
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
new file mode 100644
index 00000000..e5b1b196
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
@@ -0,0 +1,127 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (c) 2019 Smallstep Labs, Inc.
+ * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * This source code was copied from the following git repository:
+ * https://github.com/smallstep/step-issuer
+ * The source code was modified for usage in the ONAP project.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package cmpv2controller
+
+import (
+	"context"
+	"fmt"
+	"github.com/go-logr/logr"
+	core "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/utils/clock"
+	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+	provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// CMPv2IssuerController reconciles a CMPv2Issuer object
+type CMPv2IssuerController struct {
+	client.Client
+	Log      logr.Logger
+	Clock    clock.Clock
+	Recorder record.EventRecorder
+}
+
+// Reconcile will read and validate the CMPv2Issuer resources, it will set the
+// status condition ready to true if everything is right.
+func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+	ctx := context.Background()
+	log := controller.Log.WithValues("cmpv2-issuer-controller", req.NamespacedName)
+
+	issuer := new(cmpv2api.CMPv2Issuer)
+	if err := controller.Client.Get(ctx, req.NamespacedName, issuer); err != nil {
+		log.Error(err, "failed to retrieve CMPv2Issuer resource")
+		return ctrl.Result{}, client.IgnoreNotFound(err)
+	}
+	log.Info("Issuer loaded: ", "issuer", issuer)
+
+	statusUpdater := newStatusUpdater(controller, issuer, log)
+	if err := validateCMPv2IssuerSpec(issuer.Spec); err != nil {
+		log.Error(err, "failed to validate CMPv2Issuer resource")
+		statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "Validation", "Failed to validate resource: %v", err)
+		return ctrl.Result{}, err
+	}
+	log.Info("Issuer validated. ")
+
+	// Fetch the provisioner password
+	var secret core.Secret
+	secretNamespaceName := types.NamespacedName{
+		Namespace: req.Namespace,
+		Name:      issuer.Spec.KeyRef.Name,
+	}
+	if err := controller.Client.Get(ctx, secretNamespaceName, &secret); err != nil {
+		log.Error(err, "failed to retrieve CMPv2Issuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name)
+		if apierrors.IsNotFound(err) {
+			statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "NotFound", "Failed to retrieve provisioner secret: %v", err)
+		} else {
+			statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "Error", "Failed to retrieve provisioner secret: %v", err)
+		}
+		return ctrl.Result{}, err
+	}
+	password, ok := secret.Data[issuer.Spec.KeyRef.Key]
+	if !ok {
+		err := fmt.Errorf("secret %s does not contain key %s", secret.Name, issuer.Spec.KeyRef.Key)
+		log.Error(err, "failed to retrieve CMPv2Issuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name)
+		statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "NotFound", "Failed to retrieve provisioner secret: %v", err)
+		return ctrl.Result{}, err
+	}
+
+	// Initialize and store the provisioner
+	provisioner, err := provisioners.New(issuer, password)
+	if err != nil {
+		log.Error(err, "failed to initialize provisioner")
+		statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "Error", "failed initialize provisioner")
+		return ctrl.Result{}, err
+	}
+	provisioners.Store(req.NamespacedName, provisioner)
+
+	log.Info( "CMPv2Issuer verified. Updating status to Verified...")
+	return ctrl.Result{}, statusUpdater.Update(ctx, cmpv2api.ConditionTrue, "Verified", "CMPv2Issuer verified and ready to sign certificates")
+}
+
+// SetupWithManager initializes the CMPv2Issuer controller into the controller
+// runtime.
+func (controller *CMPv2IssuerController) SetupWithManager(manager ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(manager).
+		For(&cmpv2api.CMPv2Issuer{}).
+		Complete(controller)
+}
+
+func validateCMPv2IssuerSpec(issuerSpec cmpv2api.CMPv2IssuerSpec) error {
+	switch {
+	case issuerSpec.URL == "":
+		return fmt.Errorf("spec.url cannot be empty")
+	case issuerSpec.KeyRef.Name == "":
+		return fmt.Errorf("spec.keyRef.name cannot be empty")
+	case issuerSpec.KeyRef.Key == "":
+		return fmt.Errorf("spec.keyRef.key cannot be empty")
+	default:
+		return nil
+	}
+}
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go
new file mode 100644
index 00000000..f2ec5c5a
--- /dev/null
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go
@@ -0,0 +1,116 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-k8s-external-provider
+ * ================================================================================
+ * Copyright (c) 2019 Smallstep Labs, Inc.
+ * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * This source code was copied from the following git repository:
+ * https://github.com/smallstep/step-issuer
+ * The source code was modified for usage in the ONAP project.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package cmpv2controller
+
+import (
+	"context"
+	"fmt"
+	"github.com/go-logr/logr"
+	core "k8s.io/api/core/v1"
+	meta "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+)
+
+type CMPv2IssuerStatusUpdater struct {
+	*CMPv2IssuerController
+	issuer *cmpv2api.CMPv2Issuer
+	logger logr.Logger
+}
+
+func newStatusUpdater(controller *CMPv2IssuerController, issuer *cmpv2api.CMPv2Issuer, log logr.Logger) *CMPv2IssuerStatusUpdater {
+	return &CMPv2IssuerStatusUpdater{
+		CMPv2IssuerController: controller,
+		issuer:                issuer,
+		logger:                log,
+	}
+}
+
+func (updater *CMPv2IssuerStatusUpdater) Update(ctx context.Context, status cmpv2api.ConditionStatus, reason, message string, args ...interface{}) error {
+	completeMessage := fmt.Sprintf(message, args...)
+	updater.setCondition(status, reason, completeMessage)
+
+	// Fire an Event to additionally inform users of the change
+	eventType := core.EventTypeNormal
+	if status == cmpv2api.ConditionFalse {
+		eventType = core.EventTypeWarning
+	}
+	updater.logger.Info("Firing event: ", "issuer", updater.issuer, "eventtype", eventType, "reason", reason, "message", completeMessage)
+	updater.Recorder.Event(updater.issuer, eventType, reason, completeMessage)
+
+	updater.logger.Info("Updating issuer... ")
+	return updater.Client.Update(ctx, updater.issuer)
+}
+
+func (updater *CMPv2IssuerStatusUpdater) UpdateNoError(ctx context.Context, status cmpv2api.ConditionStatus, reason, message string, args ...interface{}) {
+	if err := updater.Update(ctx, status, reason, message, args...); err != nil {
+		updater.logger.Error(err, "failed to update", "status", status, "reason", reason)
+	}
+}
+
+// setCondition will set a 'condition' on the given cmpv2api.CMPv2Issuer resource.
+//
+// - If no condition of the same type already exists, the condition will be
+//   inserted with the LastTransitionTime set to the current time.
+// - If a condition of the same type and state already exists, the condition
+//   will be updated but the LastTransitionTime will not be modified.
+// - If a condition of the same type and different state already exists, the
+//   condition will be updated and the LastTransitionTime set to the current
+//   time.
+func (updater *CMPv2IssuerStatusUpdater) setCondition(status cmpv2api.ConditionStatus, reason, message string) {
+	now := meta.NewTime(updater.Clock.Now())
+	issuerCondition := cmpv2api.CMPv2IssuerCondition{
+		Type:               cmpv2api.ConditionReady,
+		Status:             status,
+		Reason:             reason,
+		Message:            message,
+		LastTransitionTime: &now,
+	}
+
+	// Search through existing conditions
+	for i, condition := range updater.issuer.Status.Conditions {
+		// Skip unrelated conditions
+		if condition.Type != cmpv2api.ConditionReady {
+			continue
+		}
+
+		// If this update doesn't contain a state transition, we don't update
+		// the conditions LastTransitionTime to Now()
+		if condition.Status == status {
+			issuerCondition.LastTransitionTime = condition.LastTransitionTime
+		} else {
+			updater.logger.Info("found status change for CMPv2Issuer condition; setting lastTransitionTime", "condition", condition.Type, "old_status", condition.Status, "new_status", status, "time", now.Time)
+		}
+
+		// Overwrite the existing condition
+		updater.issuer.Status.Conditions[i] = issuerCondition
+		return
+	}
+
+	// If we've not found an existing condition of this type, we simply insert
+	// the new condition into the slice.
+	updater.issuer.Status.Conditions = append(updater.issuer.Status.Conditions, issuerCondition)
+	updater.logger.Info("setting lastTransitionTime for CMPv2Issuer condition", "condition", cmpv2api.ConditionReady, "time", now.Time)
+}