From a7bb3d59e71f7f7980f8b7db400df94cabd92c0a Mon Sep 17 00:00:00 2001
From: Jan Malkiewicz
Date: Fri, 23 Oct 2020 09:46:13 +0200
Subject: [OOM-K8S-CERT-EXTERNAL-PROVIDER] Add health check of CMPv2 provisioner (cert-service-api)
Issue-ID: OOM-2559
Signed-off-by: Jan Malkiewicz
Change-Id: I81d4dcfcb10f71182ea667770bafb9556817b793
---
 .../src/cmpv2provisioner/cmpv2_provisioner.go | 47 ++++++++--------------
 .../cmpv2provisioner/cmpv2_provisioner_factory.go | 3 +-
 .../cmpv2_provisioner_factory_test.go | 6 +++
 .../src/cmpv2provisioner/cmpv2_provisioner_test.go | 5 +++
 4 files changed, 29 insertions(+), 32 deletions(-)
(limited to 'certServiceK8sExternalProvider/src/cmpv2provisioner')
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index 67d719cc..c0304d7d 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -29,7 +29,6 @@ import (
 	"bytes"
 	"context"
 	"crypto/x509"
-	"encoding/base64"
 	"encoding/pem"
 	"fmt"
 	"sync"
@@ -47,6 +46,8 @@ var collection = new(sync.Map)
 type CertServiceCA struct {
 	name string
 	url string
+	healthEndpoint string
+	certEndpoint string
 	caName string
 	certServiceClient certserviceclient.CertServiceClient
 }
@@ -57,14 +58,22 @@ func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.
 	ca.name = cmpv2Issuer.Name
 	ca.url = cmpv2Issuer.Spec.URL
 	ca.caName = cmpv2Issuer.Spec.CaName
+	ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
+	ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
 	ca.certServiceClient = certServiceClient
 	log := ctrl.Log.WithName("cmpv2-provisioner")
-	log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName)
+	log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
 	return &ca, nil
 }
+func (ca *CertServiceCA) CheckHealth() error {
+	log := ctrl.Log.WithName("cmpv2-provisioner")
+	log.Info("Checking health of CMPv2 issuer: ", "name", ca.name)
+	return ca.certServiceClient.CheckHealth()
+}
+
 func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) {
 	provisioner, ok := collection.Load(namespacedName)
 	if !ok {
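Review bot: The new `CheckHealth` hands back the client's error bare, so a controller that probes several issuers cannot tell from the error which CMPv2 issuer was unreachable, and the exported method carries no doc comment. Wrapping with `%w` keeps `errors.Is`/`errors.As` usable for callers and `fmt` is already imported in this file, so the change needs no new dependency. A doc comment such as `// CheckHealth delegates to the cert-service client's CheckHealth and reports its error wrapped with the issuer name.` is expected on an exported method. New's body starts outside the hunk, so it is unclear whether a nil `certServiceClient` is rejected there; if it is not, `CheckHealth` panics on the nil interface instead of returning an error.
```go
// CheckHealth delegates to the cert-service client's CheckHealth and reports
// its error wrapped with the issuer name.
func (ca *CertServiceCA) CheckHealth() error {
	log := ctrl.Log.WithName("cmpv2-provisioner")
	log.Info("Checking health of CMPv2 issuer: ", "name", ca.name)
	if err := ca.certServiceClient.CheckHealth(); err != nil {
		return fmt.Errorf("checking health of CMPv2 issuer %q: %w", ca.name, err)
	}
	return nil
}
```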
@@ -99,30 +108,27 @@ func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanag
 	log.Info("Certificate Chain", "cert-chain", response.CertificateChain)
 	log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates)
-	cert := x509.Certificate{}
-	cert.Raw = csr.Raw
 	// TODO
-	// write here code which will call CertServiceCA and sign CSR
-	// END
-
+	// stored response as PEM
+	cert := x509.Certificate{}
+	cert.Raw = csr.Raw
 	encodedPEM, err := encodeX509(&cert)
 	if err != nil {
 		return nil, nil, err
 	}
+	// END
 	signedPEM := encodedPEM
 	trustedCA := encodedPEM
-	log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
 	log.Info("Signed cert PEM: ", "bytes", signedPEM)
 	log.Info("Trusted CA PEM: ", "bytes", trustedCA)
+	log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
 	return signedPEM, trustedCA, nil
 }
-// TODO JM utility methods - will be used in "real" implementation
-
 // decodeCSR decodes a certificate request in PEM format and returns the
 func decodeCSR(data []byte) (*x509.CertificateRequest, error) {
 	block, rest := pem.Decode(data)
@@ -151,24 +157,3 @@ func encodeX509(cert *x509.Certificate) ([]byte, error) {
 	}
 	return caPem.Bytes(), nil
 }
-
-// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The
-// CSRs generated by the Certificate resource have always those SANs. If no SANs
-// are available `certservice-issuer-certificate` will be used as a subject is always
-// required.
-func generateSubject(sans []string) string {
-	if len(sans) == 0 {
-		return "certservice-issuer-certificate"
-	}
-	for _, s := range sans {
-		if s != "127.0.0.1" && s != "localhost" {
-			return s
-		}
-	}
-	return sans[0]
-}
-
-func decode(cert string) []byte {
-	bytes, _ := base64.RawStdEncoding.DecodeString(cert)
-	return bytes
-}
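Review bot: The added comment `// stored response as PEM` in Sign does not describe the code under it: `cert.Raw = csr.Raw` wraps the request's DER, not `response.CertificateChain`, in whatever PEM block `encodeX509` emits (presumably labelled CERTIFICATE, its body is outside this hunk), and the same bytes are returned as both the signed certificate and the trusted CA while the service response is only logged. A reader of the new side would take this for working signing, so the marker should keep saying it is a stub, e.g. `// TODO: placeholder - wraps the CSR DER as a certificate block; response.CertificateChain and response.TrustedCertificates are not used yet`. Until the response is consumed, whoever reads the returned PEM receives a CertificateRequest structure presented as a certificate, so this issuer should not be relied on as functional. Sign's body starts outside the hunk.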
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
index 125c1bc6..27f5c108 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
@@ -44,7 +44,8 @@ func CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertSer
 		return nil, err
 	}
-	certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
+	certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.HealthEndpoint, issuer.Spec.CertEndpoint,
+		issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
 	if err != nil {
 		return nil, err
 	}
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
index 1e215d3f..3c0dbfd7 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
@@ -35,6 +35,8 @@ import (
 const (
 	secretName = "issuer-cert-secret"
 	url = "https://oom-cert-service:8443/v1/certificate/"
+	healthEndpoint = "actuator/health"
+	certEndpoint = "v1/certificate"
 	caName = "RA"
 	keySecretKey = "cmpv2Issuer-key.pem"
 	certSecretKey = "cmpv2Issuer-cert.pem"
@@ -49,6 +51,8 @@ func Test_shouldCreateProvisioner(t *testing.T) {
 	assert.NotNil(t, provisioner)
 	assert.Equal(t, url, provisioner.url)
 	assert.Equal(t, caName, provisioner.caName)
+	assert.Equal(t, healthEndpoint, provisioner.healthEndpoint)
+	assert.Equal(t, certEndpoint, provisioner.certEndpoint)
 }
 func Test_shouldReturnError_whenSecretMissingKeyRef(t *testing.T) {
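Review bot: In the `const` block of cmpv2_provisioner_factory_test.go the new `certEndpoint = "v1/certificate"` sits next to the existing `url = "https://oom-cert-service:8443/v1/certificate/"`, which already ends in that same path; if the client joins `url` and `certEndpoint` (its code is not in this diff), the fixture would describe `.../v1/certificate/v1/certificate`. `Test_shouldCreateProvisioner` still passes because it only compares the fields back, but the fixture no longer resembles a real issuer spec; `url = "https://oom-cert-service:8443"` (a constructed value) would keep the constants consistent with the new endpoint fields. The factory hunk in cmpv2_provisioner_factory.go forwards `issuer.Spec.HealthEndpoint` and `issuer.Spec.CertEndpoint` with no emptiness check; that may be done inside `CreateCertServiceClient`, which is outside this diff, and is worth confirming.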
@@ -103,6 +107,8 @@ func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) {
 	issuer := cmpv2api.CMPv2Issuer{
 		Spec: cmpv2api.CMPv2IssuerSpec{
 			URL: url,
+			HealthEndpoint: healthEndpoint,
+			CertEndpoint: certEndpoint,
 			CaName: caName,
 			CertSecretRef: cmpv2api.SecretKeySelector{
 				Name: secretName,
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
index 39e399b8..31f2bc26 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
@@ -167,3 +167,8 @@ type certServiceClientMock struct {
 func (client *certServiceClientMock) GetCertificates(csr []byte, key []byte) (*certserviceclient.CertificatesResponse, error) {
 	return client.getCertificatesFunc(csr, key)
 }
+
+func (client *certServiceClientMock) CheckHealth() error {
+	return nil
+}
+
-- cgit 1.2.3-korg
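Review bot: The mock's new `CheckHealth` in cmpv2_provisioner_test.go always returns nil, unlike `GetCertificates` two lines above it, which delegates to `client.getCertificatesFunc`; as written no test can drive the error path of `CertServiceCA.CheckHealth`. A `checkHealthFunc func() error` field on `certServiceClientMock` (the struct definition is outside the hunk) and `return client.checkHealthFunc()` would keep the mock consistent and let a test inject a failing health check; existing constructions of the mock would then need to set the field, or the method can keep returning nil when it is unset. The final added `+` empty line after the closing brace also leaves a trailing blank line at end of file, which gofmt strips.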