Diffstat (limited to 'certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go')
-rw-r--r-- | certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go | 47 |
1 files changed, 16 insertions, 31 deletions
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index 67d719cc..c0304d7d 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -29,7 +29,6 @@ import (
 "bytes"
 "context"
 "crypto/x509"
- "encoding/base64"
 "encoding/pem"
 "fmt"
 "sync"
@@ -47,6 +46,8 @@ var collection = new(sync.Map)
 type CertServiceCA struct {
 name string
 url string
+ healthEndpoint string
+ certEndpoint string
 caName string
 certServiceClient certserviceclient.CertServiceClient
 }
@@ -57,14 +58,22 @@ func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.
 ca.name = cmpv2Issuer.Name
 ca.url = cmpv2Issuer.Spec.URL
 ca.caName = cmpv2Issuer.Spec.CaName
+ ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
+ ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
 ca.certServiceClient = certServiceClient
 log := ctrl.Log.WithName("cmpv2-provisioner")
- log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName)
+ log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
 return &ca, nil
 }
+func (ca *CertServiceCA) CheckHealth() error {
+ log := ctrl.Log.WithName("cmpv2-provisioner")
+ log.Info("Checking health of CMPv2 issuer: ", "name", ca.name)
+ return ca.certServiceClient.CheckHealth()
+}
+
 func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) {
 provisioner, ok := collection.Load(namespacedName)
 if !ok {
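Review bot: The new healthEndpoint and certEndpoint fields of CertServiceCA are undocumented, and nothing in this diff reads them after New stores them (the only visible consumer is the log line in New), so a reader cannot tell whether the CertService client derives its request paths from them or they are informational. Suggest a comment on the fields, e.g. `// healthEndpoint and certEndpoint are the CertService paths taken from the CMPv2Issuer spec; populated by New.` — and, if the client is expected to use them, a note naming where that wiring happens. The same applies to the matching assignments in the New hunk that follows.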
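Review bot: CheckHealth is exported but has no doc comment, and it dereferences ca.certServiceClient unconditionally, so a CertServiceCA built with a nil client would panic on the first health probe instead of reporting an error (New, whose start lies outside the hunk, does not reject a nil client in the visible lines). Suggest `// CheckHealth probes the CertService instance behind this issuer through the configured client and returns its error, if any.` together with a guard such as `if ca.certServiceClient == nil { return fmt.Errorf("issuer %q has no CertService client", ca.name) }` (fmt is already imported). The values copied from cmpv2Issuer.Spec.HealthEndpoint and Spec.CertEndpoint are accepted as-is; if they are later joined onto ca.url it is worth checking in New that they are non-empty relative paths, since the issuer spec is user-supplied. The Load function the hunk ends in continues outside it.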
@@ -99,30 +108,27 @@ func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanag
 log.Info("Certificate Chain", "cert-chain", response.CertificateChain)
 log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates)
- cert := x509.Certificate{}
- cert.Raw = csr.Raw
 // TODO
 // write here code which will call CertServiceCA and sign CSR
- // END
-
+ // stored response as PEM
+ cert := x509.Certificate{}
+ cert.Raw = csr.Raw
 encodedPEM, err := encodeX509(&cert)
 if err != nil {
 return nil, nil, err
 }
+ // END
 signedPEM := encodedPEM
 trustedCA := encodedPEM
- log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
 log.Info("Signed cert PEM: ", "bytes", signedPEM)
 log.Info("Trusted CA PEM: ", "bytes", trustedCA)
+ log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
 return signedPEM, trustedCA, nil
 }
-// TODO JM utility methods - will be used in "real" implementation
-
 // decodeCSR decodes a certificate request in PEM format and returns the
 func decodeCSR(data []byte) (*x509.CertificateRequest, error) {
 block, rest := pem.Decode(data)
@@ -151,24 +157,3 @@ func encodeX509(cert *x509.Certificate) ([]byte, error) {
 }
 return caPem.Bytes(), nil
 }
-
-// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The
-// CSRs generated by the Certificate resource have always those SANs. If no SANs
-// are available `certservice-issuer-certificate` will be used as a subject is always
-// required.
-func generateSubject(sans []string) string {
- if len(sans) == 0 {
- return "certservice-issuer-certificate"
- }
- for _, s := range sans {
- if s != "127.0.0.1" && s != "localhost" {
- return s
- }
- }
- return sans[0]
-}
-
-func decode(cert string) []byte {
- bytes, _ := base64.RawStdEncoding.DecodeString(cert)
- return bytes
-}
|
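Review bot: After the reshuffle, Sign still returns the CSR's own DER (`cert.Raw = csr.Raw`) wrapped by encodeX509 as both the signed certificate and the trusted CA, even though response.CertificateChain and response.TrustedCertificates are already in hand on the first two lines of the hunk; the result is a PEM block labelled as a certificate whose payload is a PKCS#10 request, which a consumer will either reject or, worse, store as the issuer's trust anchor. The relocated `// END` marker now encloses the encodeX509 call, which makes the placeholder boundary clearer, but until the response is wired through the safer placeholder is to fail explicitly, e.g. `return nil, nil, fmt.Errorf("signing CSR for %q: CertService response handling not implemented", certificateRequest.Name)`. The `Signed cert PEM` and `Trusted CA PEM` log lines print the whole PEM as a byte slice at Info level, which is unreadable in logs; logging `string(signedPEM)` or dropping the two lines would be better. The start of Sign, where ctx, csr and response are produced, is outside the hunk, so the types of the response fields cannot be confirmed here.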