From f5fb53b031c2f1c4bc4872de59b9774a559d786f Mon Sep 17 00:00:00 2001 From: Jan Malkiewicz Date: Thu, 15 Oct 2020 09:04:18 +0200 Subject: [OOM-K8S-CERT-EXTERNAL-PROVIDER] Mock implementaion enhanced (part II) Rename CertServiceIssuer -> CMPv2Issuer Checking for Issuer.Kind (has to be CMPv2Issuer) Introduced exit codes Refactoring file names and packages Moved tests to main package (according to GOlang convention) Issue-ID: OOM-2559 Signed-off-by: Jan Malkiewicz Change-Id: I710d9f6c9bd22318e5152e5215b78d5a9e7b4540 --- .../src/api/cerservice_issuer_crd_deepcopy.go | 161 -------------------- .../src/api/certservice_issuer_crd_schema.go | 138 ----------------- .../src/api/groupversion_info.go | 42 ----- .../certificaterequest_reconciler.go | 162 -------------------- .../certservice_issuer_reconciler.go | 127 ---------------- .../certservice_issuer_status_reconciler.go | 116 -------------- .../certservice-provisioner.go | 164 -------------------- .../src/cmpv2api/cmpv2_groupversion_info.go | 45 ++++++ .../src/cmpv2api/cmpv2_issuer_crd_deepcopy.go | 161 ++++++++++++++++++++ .../src/cmpv2api/cmpv2_issuer_crd_schema.go | 132 ++++++++++++++++ .../certificate_request_controller.go | 169 +++++++++++++++++++++ .../certificate_request_controller_test.go | 35 +++++ .../src/cmpv2controller/cmpv2_issuer_controller.go | 127 ++++++++++++++++ .../cmpv2controller/cmpv2_issuer_status_updater.go | 116 ++++++++++++++ .../src/cmpv2provisioner/cmpv2_provisioner.go | 164 ++++++++++++++++++++ .../src/cmpv2provisioner/cmpv2_provisioner_test.go | 30 ++++ certServiceK8sExternalProvider/src/exit_code.go | 20 +++ 17 files changed, 999 insertions(+), 910 deletions(-) delete mode 100644 certServiceK8sExternalProvider/src/api/cerservice_issuer_crd_deepcopy.go delete mode 100644 certServiceK8sExternalProvider/src/api/certservice_issuer_crd_schema.go delete mode 100644 certServiceK8sExternalProvider/src/api/groupversion_info.go delete mode 100644 certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go delete mode 100644 certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_reconciler.go delete mode 100644 certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_status_reconciler.go delete mode 100644 certServiceK8sExternalProvider/src/certservice-provisioner/certservice-provisioner.go create mode 100644 certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go create mode 100644 certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go create mode 100644 certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go create mode 100644 certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go create mode 100644 certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go create mode 100644 certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go create mode 100644 certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go create mode 100644 certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go create mode 100644 certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go create mode 100644 certServiceK8sExternalProvider/src/exit_code.go (limited to 'certServiceK8sExternalProvider/src') diff --git a/certServiceK8sExternalProvider/src/api/cerservice_issuer_crd_deepcopy.go b/certServiceK8sExternalProvider/src/api/cerservice_issuer_crd_deepcopy.go deleted file mode 100644 index b901cc76..00000000 --- a/certServiceK8sExternalProvider/src/api/cerservice_issuer_crd_deepcopy.go +++ /dev/null @@ -1,161 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * oom-certservice-k8s-external-provider - * ================================================================================ - * Copyright (c) 2019 Smallstep Labs, Inc. - * Modifications copyright (C) 2020 Nokia. All rights reserved. - * ================================================================================ - * This source code was copied from the following git repository: - * https://github.com/smallstep/step-issuer - * The source code was modified for usage in the ONAP project. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package api - -import ( - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (inputSecretKeySelector *SecretKeySelector) DeepCopyInto(outSecretKeySelector *SecretKeySelector) { - *outSecretKeySelector = *inputSecretKeySelector -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector. -func (inputSecretKeySelector *SecretKeySelector) DeepCopy() *SecretKeySelector { - if inputSecretKeySelector == nil { - return nil - } - out := new(SecretKeySelector) - inputSecretKeySelector.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (inputCertServiceIssuer *CertServiceIssuer) DeepCopyInto(outCertServiceIssuer *CertServiceIssuer) { - *outCertServiceIssuer = *inputCertServiceIssuer - outCertServiceIssuer.TypeMeta = inputCertServiceIssuer.TypeMeta - inputCertServiceIssuer.ObjectMeta.DeepCopyInto(&outCertServiceIssuer.ObjectMeta) - inputCertServiceIssuer.Spec.DeepCopyInto(&outCertServiceIssuer.Spec) - inputCertServiceIssuer.Status.DeepCopyInto(&outCertServiceIssuer.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertServiceIssuer. -func (inputCertServiceIssuer *CertServiceIssuer) DeepCopy() *CertServiceIssuer { - if inputCertServiceIssuer == nil { - return nil - } - out := new(CertServiceIssuer) - inputCertServiceIssuer.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (inputCertServiceIssuer *CertServiceIssuer) DeepCopyObject() runtime.Object { - if deepCopy := inputCertServiceIssuer.DeepCopy(); deepCopy != nil { - return deepCopy - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (inputIssuerCondition *CertServiceIssuerCondition) DeepCopyInto(outIssuerCondition *CertServiceIssuerCondition) { - *outIssuerCondition = *inputIssuerCondition - if inputIssuerCondition.LastTransitionTime != nil { - in, out := &inputIssuerCondition.LastTransitionTime, &outIssuerCondition.LastTransitionTime - *out = (*in).DeepCopy() - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertServiceIssuerCondition. -func (inputIssuerCondition *CertServiceIssuerCondition) DeepCopy() *CertServiceIssuerCondition { - if inputIssuerCondition == nil { - return nil - } - out := new(CertServiceIssuerCondition) - inputIssuerCondition.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (inputIssuerList *CertServiceIssuerList) DeepCopyInto(outIssuerList *CertServiceIssuerList) { - *outIssuerList = *inputIssuerList - outIssuerList.TypeMeta = inputIssuerList.TypeMeta - inputIssuerList.ListMeta.DeepCopyInto(&outIssuerList.ListMeta) - if inputIssuerList.Items != nil { - in, out := &inputIssuerList.Items, &outIssuerList.Items - *out = make([]CertServiceIssuer, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertServiceIssuerList. -func (inputIssuerList *CertServiceIssuerList) DeepCopy() *CertServiceIssuerList { - if inputIssuerList == nil { - return nil - } - out := new(CertServiceIssuerList) - inputIssuerList.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (inputIssuerList *CertServiceIssuerList) DeepCopyObject() runtime.Object { - if deepCopy := inputIssuerList.DeepCopy(); deepCopy != nil { - return deepCopy - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (inputIssuerSpec *CertServiceIssuerSpec) DeepCopyInto(outIssuerSpec *CertServiceIssuerSpec) { - *outIssuerSpec = *inputIssuerSpec - outIssuerSpec.KeyRef = inputIssuerSpec.KeyRef -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertServiceIssuerSpec. -func (inputIssuerSpec *CertServiceIssuerSpec) DeepCopy() *CertServiceIssuerSpec { - if inputIssuerSpec == nil { - return nil - } - out := new(CertServiceIssuerSpec) - inputIssuerSpec.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (inputIssuerStatus *CertServiceIssuerStatus) DeepCopyInto(outIssuerStatus *CertServiceIssuerStatus) { - *outIssuerStatus = *inputIssuerStatus - if inputIssuerStatus.Conditions != nil { - in, out := &inputIssuerStatus.Conditions, &outIssuerStatus.Conditions - *out = make([]CertServiceIssuerCondition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertServiceIssuerStatus. -func (inputIssuerStatus *CertServiceIssuerStatus) DeepCopy() *CertServiceIssuerStatus { - if inputIssuerStatus == nil { - return nil - } - out := new(CertServiceIssuerStatus) - inputIssuerStatus.DeepCopyInto(out) - return out -} diff --git a/certServiceK8sExternalProvider/src/api/certservice_issuer_crd_schema.go b/certServiceK8sExternalProvider/src/api/certservice_issuer_crd_schema.go deleted file mode 100644 index b09813bb..00000000 --- a/certServiceK8sExternalProvider/src/api/certservice_issuer_crd_schema.go +++ /dev/null @@ -1,138 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * oom-certservice-k8s-external-provider - * ================================================================================ - * Copyright (c) 2019 Smallstep Labs, Inc. - * Modifications copyright (C) 2020 Nokia. All rights reserved. - * ================================================================================ - * This source code was copied from the following git repository: - * https://github.com/smallstep/step-issuer - * The source code was modified for usage in the ONAP project. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package api - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -func init() { - SchemeBuilder.Register(&CertServiceIssuer{}, &CertServiceIssuerList{}) -} - -// CertServiceIssuerSpec defines the desired state of CertServiceIssuer -type CertServiceIssuerSpec struct { - // URL is the base URL for the CertService certificates instance. - URL string `json:"url"` - - // KeyRef is a reference to a Secret containing the provisioner - // password used to decrypt the provisioner private key. - KeyRef SecretKeySelector `json:"keyRef"` -} - -// CertServiceIssuerStatus defines the observed state of CertServiceIssuer -type CertServiceIssuerStatus struct { - // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster - // Important: Run "make" to regenerate code after modifying this file - - // +optional - Conditions []CertServiceIssuerCondition `json:"conditions,omitempty"` -} - -// +kubebuilder:object:root=true - -// CertServiceIssuer is the Schema for the certserviceissuers API -// +kubebuilder:subresource:status -type CertServiceIssuer struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - Spec CertServiceIssuerSpec `json:"spec,omitempty"` - Status CertServiceIssuerStatus `json:"status,omitempty"` -} - -// +kubebuilder:object:root=true - -// CertServiceIssuerList contains a list of CertServiceIssuer -type CertServiceIssuerList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty"` - Items []CertServiceIssuer `json:"items"` -} - -// SecretKeySelector contains the reference to a secret. -type SecretKeySelector struct { - // The name of the secret in the pod's namespace to select from. - Name string `json:"name"` - - // The key of the secret to select from. Must be a valid secret key. - // +optional - Key string `json:"key,omitempty"` -} - -// ConditionType represents a CertServiceIssuer condition type. -// +kubebuilder:validation:Enum=Ready -type ConditionType string - -const ( - // ConditionReady indicates that a CertServiceIssuer is ready for use. - ConditionReady ConditionType = "Ready" -) - -// ConditionStatus represents a condition's status. -// +kubebuilder:validation:Enum=True;False;Unknown -type ConditionStatus string - -// These are valid condition statuses. "ConditionTrue" means a resource is in -// the condition; "ConditionFalse" means a resource is not in the condition; -// "ConditionUnknown" means kubernetes can't decide if a resource is in the -// condition or not. In the future, we could add other intermediate -// conditions, e.g. ConditionDegraded. -const ( - // ConditionTrue represents the fact that a given condition is true - ConditionTrue ConditionStatus = "True" - - // ConditionFalse represents the fact that a given condition is false - ConditionFalse ConditionStatus = "False" - - // ConditionUnknown represents the fact that a given condition is unknown - ConditionUnknown ConditionStatus = "Unknown" -) - -// CertServiceIssuerCondition contains condition information for the CertService issuer. -type CertServiceIssuerCondition struct { - // Type of the condition, currently ('Ready'). - Type ConditionType `json:"type"` - - // Status of the condition, one of ('True', 'False', 'Unknown'). - // +kubebuilder:validation:Enum=True;False;Unknown - Status ConditionStatus `json:"status"` - - // LastTransitionTime is the timestamp corresponding to the last status - // change of this condition. - // +optional - LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"` - - // Reason is a brief machine readable explanation for the condition's last - // transition. - // +optional - Reason string `json:"reason,omitempty"` - - // Message is a human readable description of the details of the last - // transition, complementing reason. - // +optional - Message string `json:"message,omitempty"` -} diff --git a/certServiceK8sExternalProvider/src/api/groupversion_info.go b/certServiceK8sExternalProvider/src/api/groupversion_info.go deleted file mode 100644 index 0a64b25e..00000000 --- a/certServiceK8sExternalProvider/src/api/groupversion_info.go +++ /dev/null @@ -1,42 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * oom-certservice-k8s-external-provider - * ================================================================================ - * Copyright (c) 2019 Smallstep Labs, Inc. - * Modifications copyright (C) 2020 Nokia. All rights reserved. - * ================================================================================ - * This source code was copied from the following git repository: - * https://github.com/smallstep/step-issuer - * The source code was modified for usage in the ONAP project. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package api - -import ( - "k8s.io/apimachinery/pkg/runtime/schema" - "sigs.k8s.io/controller-runtime/pkg/scheme" -) - -var ( - // GroupVersion is group version used to register these objects - GroupVersion = schema.GroupVersion{Group: "certmanager.onap.org", Version: "v1"} - - // SchemeBuilder is used to add go types to the GroupVersionKind scheme - SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} - - // AddToScheme adds the types in this group-version to the given scheme. - AddToScheme = SchemeBuilder.AddToScheme -) diff --git a/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go b/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go deleted file mode 100644 index b744676e..00000000 --- a/certServiceK8sExternalProvider/src/certservice-controller/certificaterequest_reconciler.go +++ /dev/null @@ -1,162 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * oom-certservice-k8s-external-provider - * ================================================================================ - * Copyright 2019 The cert-manager authors. - * Modifications copyright (C) 2020 Nokia. All rights reserved. - * ================================================================================ - * This source code was copied from the following git repository: - * https://github.com/smallstep/step-issuer - * The source code was modified for usage in the ONAP project. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package certservice_controller - -import ( - "context" - "fmt" - "onap.org/oom-certservice/k8s-external-provider/src/api" - provisioners "onap.org/oom-certservice/k8s-external-provider/src/certservice-provisioner" - - "github.com/go-logr/logr" - apiutil "github.com/jetstack/cert-manager/pkg/api/util" - cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" - cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" - core "k8s.io/api/core/v1" - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/tools/record" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" -) - -// CertificateRequestReconciler reconciles a CertServiceIssuer object. -type CertificateRequestReconciler struct { - client.Client - Log logr.Logger - Recorder record.EventRecorder -} - -// Reconcile will read and validate a CertServiceIssuer resource associated to the -// CertificateRequest resource, and it will sign the CertificateRequest with the -// provisioner in the CertServiceIssuer. -func (reconciler *CertificateRequestReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { - ctx := context.Background() - log := reconciler.Log.WithValues("certificaterequest", req.NamespacedName) - - // Fetch the CertificateRequest resource being reconciled. - // Just ignore the request if the certificate request has been deleted. - certificateRequest := new(cmapi.CertificateRequest) - if err := reconciler.Client.Get(ctx, req.NamespacedName, certificateRequest); err != nil { - if apierrors.IsNotFound(err) { - return ctrl.Result{}, nil - } - - log.Error(err, "failed to retrieve CertificateRequest resource") - return ctrl.Result{}, err - } - - // Check the CertificateRequest's issuerRef and if it does not match the api - // group name, log a message at a debug level and stop processing. - if certificateRequest.Spec.IssuerRef.Group != "" && certificateRequest.Spec.IssuerRef.Group != api.GroupVersion.Group { - log.V(4).Info("resource does not specify an issuerRef group name that we are responsible for", "group", certificateRequest.Spec.IssuerRef.Group) - return ctrl.Result{}, nil - } - - // If the certificate data is already set then we skip this request as it - // has already been completed in the past. - if len(certificateRequest.Status.Certificate) > 0 { - log.V(4).Info("existing certificate data found in status, skipping already completed CertificateRequest") - return ctrl.Result{}, nil - } - - // Fetch the CertServiceIssuer resource - issuer := api.CertServiceIssuer{} - issuerNamespaceName := types.NamespacedName{ - Namespace: req.Namespace, - Name: certificateRequest.Spec.IssuerRef.Name, - } - if err := reconciler.Client.Get(ctx, issuerNamespaceName, &issuer); err != nil { - log.Error(err, "failed to retrieve CertServiceIssuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name) - _ = reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CertServiceIssuer resource %s: %v", issuerNamespaceName, err) - return ctrl.Result{}, err - } - - // Check if the CertServiceIssuer resource has been marked Ready - if !certServiceIssuerHasCondition(issuer, api.CertServiceIssuerCondition{Type: api.ConditionReady, Status: api.ConditionTrue}) { - err := fmt.Errorf("resource %s is not ready", issuerNamespaceName) - log.Error(err, "failed to retrieve CertServiceIssuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name) - _ = reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "CertServiceIssuer resource %s is not Ready", issuerNamespaceName) - return ctrl.Result{}, err - } - - // Load the provisioner that will sign the CertificateRequest - provisioner, ok := provisioners.Load(issuerNamespaceName) - if !ok { - err := fmt.Errorf("provisioner %s not found", issuerNamespaceName) - log.Error(err, "failed to provisioner for CertServiceIssuer resource") - _ = reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CertServiceIssuer resource %s", issuerNamespaceName) - return ctrl.Result{}, err - } - - // Sign CertificateRequest - signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest) - if err != nil { - log.Error(err, "failed to sign certificate request") - return ctrl.Result{}, reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err) - } - certificateRequest.Status.Certificate = signedPEM - certificateRequest.Status.CA = trustedCAs - - return ctrl.Result{}, reconciler.setStatus(ctx, certificateRequest, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued") -} - -// SetupWithManager initializes the CertificateRequest controller into the -// controller runtime. -func (reconciler *CertificateRequestReconciler) SetupWithManager(manager ctrl.Manager) error { - return ctrl.NewControllerManagedBy(manager). - For(&cmapi.CertificateRequest{}). - Complete(reconciler) -} - -// certServiceIssuerHasCondition will return true if the given CertServiceIssuer resource has -// a condition matching the provided CertServiceIssuerCondition. Only the Type and -// Status field will be used in the comparison, meaning that this function will -// return 'true' even if the Reason, Message and LastTransitionTime fields do -// not match. -func certServiceIssuerHasCondition(issuer api.CertServiceIssuer, condition api.CertServiceIssuerCondition) bool { - existingConditions := issuer.Status.Conditions - for _, cond := range existingConditions { - if condition.Type == cond.Type && condition.Status == cond.Status { - return true - } - } - return false -} - -func (reconciler *CertificateRequestReconciler) setStatus(ctx context.Context, certificateRequest *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error { - completeMessage := fmt.Sprintf(message, args...) - apiutil.SetCertificateRequestCondition(certificateRequest, cmapi.CertificateRequestConditionReady, status, reason, completeMessage) - - // Fire an Event to additionally inform users of the change - eventType := core.EventTypeNormal - if status == cmmeta.ConditionFalse { - eventType = core.EventTypeWarning - } - reconciler.Recorder.Event(certificateRequest, eventType, reason, completeMessage) - - return reconciler.Client.Status().Update(ctx, certificateRequest) -} diff --git a/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_reconciler.go b/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_reconciler.go deleted file mode 100644 index b826e2dd..00000000 --- a/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_reconciler.go +++ /dev/null @@ -1,127 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * oom-certservice-k8s-external-provider - * ================================================================================ - * Copyright (c) 2019 Smallstep Labs, Inc. - * Modifications copyright (C) 2020 Nokia. All rights reserved. - * ================================================================================ - * This source code was copied from the following git repository: - * https://github.com/smallstep/step-issuer - * The source code was modified for usage in the ONAP project. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package certservice_controller - -import ( - "context" - "fmt" - "github.com/go-logr/logr" - core "k8s.io/api/core/v1" - apierrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/types" - "k8s.io/client-go/tools/record" - "k8s.io/utils/clock" - "onap.org/oom-certservice/k8s-external-provider/src/api" - provisioners "onap.org/oom-certservice/k8s-external-provider/src/certservice-provisioner" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/client" -) - -// CertServiceIssuerReconciler reconciles a CertServiceIssuer object -type CertServiceIssuerReconciler struct { - client.Client - Log logr.Logger - Clock clock.Clock - Recorder record.EventRecorder -} - -// Reconcile will read and validate the CertServiceIssuer resources, it will set the -// status condition ready to true if everything is right. -func (reconciler *CertServiceIssuerReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { - ctx := context.Background() - log := reconciler.Log.WithValues("certservice-issuer-controller", req.NamespacedName) - - issuer := new(api.CertServiceIssuer) - if err := reconciler.Client.Get(ctx, req.NamespacedName, issuer); err != nil { - log.Error(err, "failed to retrieve CertServiceIssuer resource") - return ctrl.Result{}, client.IgnoreNotFound(err) - } - log.Info("Issuer loaded: ", "issuer", issuer) - - statusReconciler := newStatusReconciler(reconciler, issuer, log) - if err := validateCertServiceIssuerSpec(issuer.Spec); err != nil { - log.Error(err, "failed to validate CertServiceIssuer resource") - statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "Validation", "Failed to validate resource: %v", err) - return ctrl.Result{}, err - } - log.Info("Issuer validated. ") - - // Fetch the provisioner password - var secret core.Secret - secretNamespaceName := types.NamespacedName{ - Namespace: req.Namespace, - Name: issuer.Spec.KeyRef.Name, - } - if err := reconciler.Client.Get(ctx, secretNamespaceName, &secret); err != nil { - log.Error(err, "failed to retrieve CertServiceIssuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name) - if apierrors.IsNotFound(err) { - statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "NotFound", "Failed to retrieve provisioner secret: %v", err) - } else { - statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "Error", "Failed to retrieve provisioner secret: %v", err) - } - return ctrl.Result{}, err - } - password, ok := secret.Data[issuer.Spec.KeyRef.Key] - if !ok { - err := fmt.Errorf("secret %s does not contain key %s", secret.Name, issuer.Spec.KeyRef.Key) - log.Error(err, "failed to retrieve CertServiceIssuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name) - statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "NotFound", "Failed to retrieve provisioner secret: %v", err) - return ctrl.Result{}, err - } - - // Initialize and store the provisioner - provisioner, err := provisioners.New(issuer, password) - if err != nil { - log.Error(err, "failed to initialize provisioner") - statusReconciler.UpdateNoError(ctx, api.ConditionFalse, "Error", "failed initialize provisioner") - return ctrl.Result{}, err - } - provisioners.Store(req.NamespacedName, provisioner) - - log.Info( "CertServiceIssuer verified. Updating status to Verified...") - return ctrl.Result{}, statusReconciler.Update(ctx, api.ConditionTrue, "Verified", "CertServiceIssuer verified and ready to sign certificates") -} - -// SetupWithManager initializes the CertServiceIssuer controller into the controller -// runtime. -func (reconciler *CertServiceIssuerReconciler) SetupWithManager(manager ctrl.Manager) error { - return ctrl.NewControllerManagedBy(manager). - For(&api.CertServiceIssuer{}). - Complete(reconciler) -} - -func validateCertServiceIssuerSpec(issuerSpec api.CertServiceIssuerSpec) error { - switch { - case issuerSpec.URL == "": - return fmt.Errorf("spec.url cannot be empty") - case issuerSpec.KeyRef.Name == "": - return fmt.Errorf("spec.keyRef.name cannot be empty") - case issuerSpec.KeyRef.Key == "": - return fmt.Errorf("spec.keyRef.key cannot be empty") - default: - return nil - } -} diff --git a/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_status_reconciler.go b/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_status_reconciler.go deleted file mode 100644 index f2c0452e..00000000 --- a/certServiceK8sExternalProvider/src/certservice-controller/certservice_issuer_status_reconciler.go +++ /dev/null @@ -1,116 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * oom-certservice-k8s-external-provider - * ================================================================================ - * Copyright (c) 2019 Smallstep Labs, Inc. - * Modifications copyright (C) 2020 Nokia. All rights reserved. - * ================================================================================ - * This source code was copied from the following git repository: - * https://github.com/smallstep/step-issuer - * The source code was modified for usage in the ONAP project. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package certservice_controller - -import ( - "context" - "fmt" - "github.com/go-logr/logr" - core "k8s.io/api/core/v1" - meta "k8s.io/apimachinery/pkg/apis/meta/v1" - "onap.org/oom-certservice/k8s-external-provider/src/api" -) - -type certServiceIssuerStatusReconciler struct { - *CertServiceIssuerReconciler - issuer *api.CertServiceIssuer - logger logr.Logger -} - -func newStatusReconciler(reconciler *CertServiceIssuerReconciler, issuer *api.CertServiceIssuer, log logr.Logger) *certServiceIssuerStatusReconciler { - return &certServiceIssuerStatusReconciler{ - CertServiceIssuerReconciler: reconciler, - issuer: issuer, - logger: log, - } -} - -func (reconciler *certServiceIssuerStatusReconciler) Update(ctx context.Context, status api.ConditionStatus, reason, message string, args ...interface{}) error { - completeMessage := fmt.Sprintf(message, args...) - reconciler.setCondition(status, reason, completeMessage) - - // Fire an Event to additionally inform users of the change - eventType := core.EventTypeNormal - if status == api.ConditionFalse { - eventType = core.EventTypeWarning - } - reconciler.logger.Info("Firing event: ", "issuer", reconciler.issuer, "eventtype", eventType, "reason", reason, "message", completeMessage) - reconciler.Recorder.Event(reconciler.issuer, eventType, reason, completeMessage) - - reconciler.logger.Info("Updating issuer... ") - return reconciler.Client.Update(ctx, reconciler.issuer) -} - -func (reconciler *certServiceIssuerStatusReconciler) UpdateNoError(ctx context.Context, status api.ConditionStatus, reason, message string, args ...interface{}) { - if err := reconciler.Update(ctx, status, reason, message, args...); err != nil { - reconciler.logger.Error(err, "failed to update", "status", status, "reason", reason) - } -} - -// setCondition will set a 'condition' on the given api.CertServiceIssuer resource. -// -// - If no condition of the same type already exists, the condition will be -// inserted with the LastTransitionTime set to the current time. -// - If a condition of the same type and state already exists, the condition -// will be updated but the LastTransitionTime will not be modified. -// - If a condition of the same type and different state already exists, the -// condition will be updated and the LastTransitionTime set to the current -// time. -func (reconciler *certServiceIssuerStatusReconciler) setCondition(status api.ConditionStatus, reason, message string) { - now := meta.NewTime(reconciler.Clock.Now()) - issuerCondition := api.CertServiceIssuerCondition{ - Type: api.ConditionReady, - Status: status, - Reason: reason, - Message: message, - LastTransitionTime: &now, - } - - // Search through existing conditions - for i, condition := range reconciler.issuer.Status.Conditions { - // Skip unrelated conditions - if condition.Type != api.ConditionReady { - continue - } - - // If this update doesn't contain a state transition, we don't update - // the conditions LastTransitionTime to Now() - if condition.Status == status { - issuerCondition.LastTransitionTime = condition.LastTransitionTime - } else { - reconciler.logger.Info("found status change for CertServiceIssuer condition; setting lastTransitionTime", "condition", condition.Type, "old_status", condition.Status, "new_status", status, "time", now.Time) - } - - // Overwrite the existing condition - reconciler.issuer.Status.Conditions[i] = issuerCondition - return - } - - // If we've not found an existing condition of this type, we simply insert - // the new condition into the slice. - reconciler.issuer.Status.Conditions = append(reconciler.issuer.Status.Conditions, issuerCondition) - reconciler.logger.Info("setting lastTransitionTime for CertServiceIssuer condition", "condition", api.ConditionReady, "time", now.Time) -} diff --git a/certServiceK8sExternalProvider/src/certservice-provisioner/certservice-provisioner.go b/certServiceK8sExternalProvider/src/certservice-provisioner/certservice-provisioner.go deleted file mode 100644 index 262e708b..00000000 --- a/certServiceK8sExternalProvider/src/certservice-provisioner/certservice-provisioner.go +++ /dev/null @@ -1,164 +0,0 @@ -/* - * ============LICENSE_START======================================================= - * oom-certservice-k8s-external-provider - * ================================================================================ - * Copyright (c) 2019 Smallstep Labs, Inc. - * Modifications copyright (C) 2020 Nokia. All rights reserved. - * ================================================================================ - * This source code was copied from the following git repository: - * https://github.com/smallstep/step-issuer - * The source code was modified for usage in the ONAP project. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * ============LICENSE_END========================================================= - */ - -package provisioners - -import ( - "bytes" - "context" - "crypto/x509" - "encoding/base64" - "encoding/pem" - "fmt" - certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" - "k8s.io/apimachinery/pkg/types" - "onap.org/oom-certservice/k8s-external-provider/src/api" - ctrl "sigs.k8s.io/controller-runtime" - "sync" -) - -var collection = new(sync.Map) - -type CertServiceCA struct { - name string - url string - key []byte -} - -func New(certServiceIssuer *api.CertServiceIssuer, key []byte) (*CertServiceCA, error) { - - ca := CertServiceCA{} - ca.name = certServiceIssuer.Name - ca.url = certServiceIssuer.Spec.URL - ca.key = key - - log := ctrl.Log.WithName("certservice-provisioner") - log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "key", ca.key) - - return &ca, nil -} - -func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) { - provisioner, ok := collection.Load(namespacedName) - if !ok { - return nil, ok - } - certServiceCAprovisioner, ok := provisioner.(*CertServiceCA) - return certServiceCAprovisioner, ok -} - -func Store(namespacedName types.NamespacedName, provisioner *CertServiceCA) { - collection.Store(namespacedName, provisioner) -} - -func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanager.CertificateRequest) ([]byte, []byte, error) { - log := ctrl.Log.WithName("certservice-provisioner") - log.Info("Signing certificate: ", "cert-name", certificateRequest.Name) - - key, _ := base64.RawStdEncoding.DecodeString(string(ca.key)) - log.Info("CA: ", "name", ca.name, "url", ca.url, "key", key) - - crPEM := certificateRequest.Spec.Request - csrBase64 := crPEM - log.Info("Csr PEM: ", "bytes", csrBase64) - - csr, err := decodeCSR(crPEM) - if err != nil { - return nil, nil, err - } - - cert := x509.Certificate{} - cert.Raw = csr.Raw - - // TODO - // write here code which will call CertServiceCA and sign CSR - // END - - encodedPEM, err := encodeX509(&cert) - if err != nil { - return nil, nil, err - } - - signedPEM := encodedPEM - trustedCA := encodedPEM - - log.Info("Successfully signed: ", "cert-name", certificateRequest.Name) - log.Info("Signed cert PEM: ", "bytes", signedPEM) - log.Info("Trusted CA PEM: ", "bytes", trustedCA) - - return signedPEM, trustedCA, nil -} - -// TODO JM utility methods - will be used in "real" implementation - -// decodeCSR decodes a certificate request in PEM format and returns the -func decodeCSR(data []byte) (*x509.CertificateRequest, error) { - block, rest := pem.Decode(data) - if block == nil || len(rest) > 0 { - return nil, fmt.Errorf("unexpected CSR PEM on sign request") - } - if block.Type != "CERTIFICATE REQUEST" { - return nil, fmt.Errorf("PEM is not a certificate request") - } - csr, err := x509.ParseCertificateRequest(block.Bytes) - if err != nil { - return nil, fmt.Errorf("error parsing certificate request: %v", err) - } - if err := csr.CheckSignature(); err != nil { - return nil, fmt.Errorf("error checking certificate request signature: %v", err) - } - return csr, nil -} - -// encodeX509 will encode a *x509.Certificate into PEM format. -func encodeX509(cert *x509.Certificate) ([]byte, error) { - caPem := bytes.NewBuffer([]byte{}) - err := pem.Encode(caPem, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}) - if err != nil { - return nil, err - } - return caPem.Bytes(), nil -} - -// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The -// CSRs generated by the Certificate resource have always those SANs. If no SANs -// are available `certservice-issuer-certificate` will be used as a subject is always -// required. -func generateSubject(sans []string) string { - if len(sans) == 0 { - return "certservice-issuer-certificate" - } - for _, s := range sans { - if s != "127.0.0.1" && s != "localhost" { - return s - } - } - return sans[0] -} - -func decode(cert string) []byte { - bytes, _ := base64.RawStdEncoding.DecodeString(cert) - return bytes -} diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go new file mode 100644 index 00000000..996cf21a --- /dev/null +++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_groupversion_info.go @@ -0,0 +1,45 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (c) 2019 Smallstep Labs, Inc. + * Modifications copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * This source code was copied from the following git repository: + * https://github.com/smallstep/step-issuer + * The source code was modified for usage in the ONAP project. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package cmpv2api + +import ( + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +var ( + // GroupVersion is group version used to register these objects + GroupVersion = schema.GroupVersion{Group: "certmanager.onap.org", Version: "v1"} + + // SchemeBuilder is used to add go types to the GroupVersionKind scheme + SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} + + // AddToScheme adds the types in this group-version to the given scheme. + AddToScheme = SchemeBuilder.AddToScheme +) + +const CMPv2IssuerKind = "CMPv2Issuer" + diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go new file mode 100644 index 00000000..68e79ce1 --- /dev/null +++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_deepcopy.go @@ -0,0 +1,161 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (c) 2019 Smallstep Labs, Inc. + * Modifications copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * This source code was copied from the following git repository: + * https://github.com/smallstep/step-issuer + * The source code was modified for usage in the ONAP project. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package cmpv2api + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (inputSecretKeySelector *SecretKeySelector) DeepCopyInto(outSecretKeySelector *SecretKeySelector) { + *outSecretKeySelector = *inputSecretKeySelector +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretKeySelector. +func (inputSecretKeySelector *SecretKeySelector) DeepCopy() *SecretKeySelector { + if inputSecretKeySelector == nil { + return nil + } + out := new(SecretKeySelector) + inputSecretKeySelector.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (inputCMPv2Issuer *CMPv2Issuer) DeepCopyInto(outCMPv2Issuer *CMPv2Issuer) { + *outCMPv2Issuer = *inputCMPv2Issuer + outCMPv2Issuer.TypeMeta = inputCMPv2Issuer.TypeMeta + inputCMPv2Issuer.ObjectMeta.DeepCopyInto(&outCMPv2Issuer.ObjectMeta) + inputCMPv2Issuer.Spec.DeepCopyInto(&outCMPv2Issuer.Spec) + inputCMPv2Issuer.Status.DeepCopyInto(&outCMPv2Issuer.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CMPv2Issuer. +func (inputCMPv2Issuer *CMPv2Issuer) DeepCopy() *CMPv2Issuer { + if inputCMPv2Issuer == nil { + return nil + } + out := new(CMPv2Issuer) + inputCMPv2Issuer.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (inputCMPv2Issuer *CMPv2Issuer) DeepCopyObject() runtime.Object { + if deepCopy := inputCMPv2Issuer.DeepCopy(); deepCopy != nil { + return deepCopy + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (inputIssuerCondition *CMPv2IssuerCondition) DeepCopyInto(outIssuerCondition *CMPv2IssuerCondition) { + *outIssuerCondition = *inputIssuerCondition + if inputIssuerCondition.LastTransitionTime != nil { + in, out := &inputIssuerCondition.LastTransitionTime, &outIssuerCondition.LastTransitionTime + *out = (*in).DeepCopy() + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CMPv2IssuerCondition. +func (inputIssuerCondition *CMPv2IssuerCondition) DeepCopy() *CMPv2IssuerCondition { + if inputIssuerCondition == nil { + return nil + } + out := new(CMPv2IssuerCondition) + inputIssuerCondition.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (inputIssuerList *CMPv2IssuerList) DeepCopyInto(outIssuerList *CMPv2IssuerList) { + *outIssuerList = *inputIssuerList + outIssuerList.TypeMeta = inputIssuerList.TypeMeta + inputIssuerList.ListMeta.DeepCopyInto(&outIssuerList.ListMeta) + if inputIssuerList.Items != nil { + in, out := &inputIssuerList.Items, &outIssuerList.Items + *out = make([]CMPv2Issuer, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CMPv2IssuerList. +func (inputIssuerList *CMPv2IssuerList) DeepCopy() *CMPv2IssuerList { + if inputIssuerList == nil { + return nil + } + out := new(CMPv2IssuerList) + inputIssuerList.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (inputIssuerList *CMPv2IssuerList) DeepCopyObject() runtime.Object { + if deepCopy := inputIssuerList.DeepCopy(); deepCopy != nil { + return deepCopy + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (inputIssuerSpec *CMPv2IssuerSpec) DeepCopyInto(outIssuerSpec *CMPv2IssuerSpec) { + *outIssuerSpec = *inputIssuerSpec + outIssuerSpec.KeyRef = inputIssuerSpec.KeyRef +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CMPv2IssuerSpec. +func (inputIssuerSpec *CMPv2IssuerSpec) DeepCopy() *CMPv2IssuerSpec { + if inputIssuerSpec == nil { + return nil + } + out := new(CMPv2IssuerSpec) + inputIssuerSpec.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (inputIssuerStatus *CMPv2IssuerStatus) DeepCopyInto(outIssuerStatus *CMPv2IssuerStatus) { + *outIssuerStatus = *inputIssuerStatus + if inputIssuerStatus.Conditions != nil { + in, out := &inputIssuerStatus.Conditions, &outIssuerStatus.Conditions + *out = make([]CMPv2IssuerCondition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CMPv2IssuerStatus. +func (inputIssuerStatus *CMPv2IssuerStatus) DeepCopy() *CMPv2IssuerStatus { + if inputIssuerStatus == nil { + return nil + } + out := new(CMPv2IssuerStatus) + inputIssuerStatus.DeepCopyInto(out) + return out +} diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go new file mode 100644 index 00000000..f2482657 --- /dev/null +++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go @@ -0,0 +1,132 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (c) 2019 Smallstep Labs, Inc. + * Modifications copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * This source code was copied from the following git repository: + * https://github.com/smallstep/step-issuer + * The source code was modified for usage in the ONAP project. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package cmpv2api + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func init() { + SchemeBuilder.Register(&CMPv2Issuer{}, &CMPv2IssuerList{}) +} + +// CMPv2IssuerSpec defines the desired state of CMPv2Issuer +type CMPv2IssuerSpec struct { + // URL is the base URL for the CertService certificates instance. + URL string `json:"url"` + + // KeyRef is a reference to a Secret containing the provisioner + // password used to decrypt the provisioner private key. + KeyRef SecretKeySelector `json:"keyRef"` +} + +// CMPv2IssuerStatus defines the observed state of CMPv2Issuer +type CMPv2IssuerStatus struct { + + // +optional + Conditions []CMPv2IssuerCondition `json:"conditions,omitempty"` +} + +type CMPv2Issuer struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + Spec CMPv2IssuerSpec `json:"spec,omitempty"` + Status CMPv2IssuerStatus `json:"status,omitempty"` +} + +// +kubebuilder:object:root=true + +// CMPv2IssuerList contains a list of CMPv2Issuer +type CMPv2IssuerList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata,omitempty"` + Items []CMPv2Issuer `json:"items"` +} + +// SecretKeySelector contains the reference to a secret. +type SecretKeySelector struct { + // The name of the secret in the pod's namespace to select from. + Name string `json:"name"` + + // The key of the secret to select from. Must be a valid secret key. + // +optional + Key string `json:"key,omitempty"` +} + +// ConditionType represents a CMPv2Issuer condition type. +// +kubebuilder:validation:Enum=Ready +type ConditionType string + +const ( + // ConditionReady indicates that a CMPv2Issuer is ready for use. + ConditionReady ConditionType = "Ready" +) + +// ConditionStatus represents a condition's status. +// +kubebuilder:validation:Enum=True;False;Unknown +type ConditionStatus string + +// These are valid condition statuses. "ConditionTrue" means a resource is in +// the condition; "ConditionFalse" means a resource is not in the condition; +// "ConditionUnknown" means kubernetes can't decide if a resource is in the +// condition or not. In the future, we could add other intermediate +// conditions, e.g. ConditionDegraded. +const ( + // ConditionTrue represents the fact that a given condition is true + ConditionTrue ConditionStatus = "True" + + // ConditionFalse represents the fact that a given condition is false + ConditionFalse ConditionStatus = "False" + + // ConditionUnknown represents the fact that a given condition is unknown + ConditionUnknown ConditionStatus = "Unknown" +) + +// CMPv2IssuerCondition contains condition information for the CertService issuer. +type CMPv2IssuerCondition struct { + // Type of the condition, currently ('Ready'). + Type ConditionType `json:"type"` + + // Status of the condition, one of ('True', 'False', 'Unknown'). + // +kubebuilder:validation:Enum=True;False;Unknown + Status ConditionStatus `json:"status"` + + // LastTransitionTime is the timestamp corresponding to the last status + // change of this condition. + // +optional + LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"` + + // Reason is a brief machine readable explanation for the condition's last + // transition. + // +optional + Reason string `json:"reason,omitempty"` + + // Message is a human readable description of the details of the last + // transition, complementing reason. + // +optional + Message string `json:"message,omitempty"` +} diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go new file mode 100644 index 00000000..1669c97f --- /dev/null +++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go @@ -0,0 +1,169 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright 2019 The cert-manager authors. + * Modifications copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * This source code was copied from the following git repository: + * https://github.com/smallstep/step-issuer + * The source code was modified for usage in the ONAP project. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package cmpv2controller + +import ( + "context" + "fmt" + "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" + provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner" + + "github.com/go-logr/logr" + apiutil "github.com/jetstack/cert-manager/pkg/api/util" + cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" + cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1" + core "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + "k8s.io/client-go/tools/record" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// CertificateRequestController reconciles a CMPv2Issuer object. +type CertificateRequestController struct { + client.Client + Log logr.Logger + Recorder record.EventRecorder +} + +// Reconcile will read and validate a CMPv2Issuer resource associated to the +// CertificateRequest resource, and it will sign the CertificateRequest with the +// provisioner in the CMPv2Issuer. +func (controller *CertificateRequestController) Reconcile(req ctrl.Request) (ctrl.Result, error) { + ctx := context.Background() + log := controller.Log.WithValues("certificate-request-controller", req.NamespacedName) + + // Fetch the CertificateRequest resource being reconciled. + // Just ignore the request if the certificate request has been deleted. + certificateRequest := new(cmapi.CertificateRequest) + if err := controller.Client.Get(ctx, req.NamespacedName, certificateRequest); err != nil { + if apierrors.IsNotFound(err) { + return ctrl.Result{}, nil + } + + log.Error(err, "failed to retrieve CertificateRequest resource") + return ctrl.Result{}, err + } + + if !isCMPv2CertificateRequest(certificateRequest) { + log.V(4).Info("certificate request is not CMPv2", + "group", certificateRequest.Spec.IssuerRef.Group, + "kind", certificateRequest.Spec.IssuerRef.Kind) + return ctrl.Result{}, nil + } + + // If the certificate data is already set then we skip this request as it + // has already been completed in the past. + if len(certificateRequest.Status.Certificate) > 0 { + log.V(4).Info("existing certificate data found in status, skipping already completed CertificateRequest") + return ctrl.Result{}, nil + } + + // Fetch the CMPv2Issuer resource + issuer := cmpv2api.CMPv2Issuer{} + issuerNamespaceName := types.NamespacedName{ + Namespace: req.Namespace, + Name: certificateRequest.Spec.IssuerRef.Name, + } + if err := controller.Client.Get(ctx, issuerNamespaceName, &issuer); err != nil { + log.Error(err, "failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name) + _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err) + return ctrl.Result{}, err + } + + // Check if the CMPv2Issuer resource has been marked Ready + if !cmpv2IssuerHasCondition(issuer, cmpv2api.CMPv2IssuerCondition{Type: cmpv2api.ConditionReady, Status: cmpv2api.ConditionTrue}) { + err := fmt.Errorf("resource %s is not ready", issuerNamespaceName) + log.Error(err, "failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name) + _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "CMPv2Issuer resource %s is not Ready", issuerNamespaceName) + return ctrl.Result{}, err + } + + // Load the provisioner that will sign the CertificateRequest + provisioner, ok := provisioners.Load(issuerNamespaceName) + if !ok { + err := fmt.Errorf("provisioner %s not found", issuerNamespaceName) + log.Error(err, "failed to provisioner for CMPv2Issuer resource") + _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CMPv2Issuer resource %s", issuerNamespaceName) + return ctrl.Result{}, err + } + + // Sign CertificateRequest + signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest) + if err != nil { + log.Error(err, "failed to sign certificate request") + return ctrl.Result{}, controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err) + } + certificateRequest.Status.Certificate = signedPEM + certificateRequest.Status.CA = trustedCAs + + return ctrl.Result{}, controller.setStatus(ctx, certificateRequest, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued") +} + +// SetupWithManager initializes the CertificateRequest controller into the +// controller runtime. +func (controller *CertificateRequestController) SetupWithManager(manager ctrl.Manager) error { + return ctrl.NewControllerManagedBy(manager). + For(&cmapi.CertificateRequest{}). + Complete(controller) +} + +// cmpv2IssuerHasCondition will return true if the given CMPv2Issuer resource has +// a condition matching the provided CMPv2IssuerCondition. Only the Type and +// Status field will be used in the comparison, meaning that this function will +// return 'true' even if the Reason, Message and LastTransitionTime fields do +// not match. +func cmpv2IssuerHasCondition(issuer cmpv2api.CMPv2Issuer, condition cmpv2api.CMPv2IssuerCondition) bool { + existingConditions := issuer.Status.Conditions + for _, cond := range existingConditions { + if condition.Type == cond.Type && condition.Status == cond.Status { + return true + } + } + return false +} + +func isCMPv2CertificateRequest(certificateRequest *cmapi.CertificateRequest) bool { + return certificateRequest.Spec.IssuerRef.Group != "" && + certificateRequest.Spec.IssuerRef.Group == cmpv2api.GroupVersion.Group && + certificateRequest.Spec.IssuerRef.Kind == cmpv2api.CMPv2IssuerKind + +} + +func (controller *CertificateRequestController) setStatus(ctx context.Context, certificateRequest *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error { + completeMessage := fmt.Sprintf(message, args...) + apiutil.SetCertificateRequestCondition(certificateRequest, cmapi.CertificateRequestConditionReady, status, reason, completeMessage) + + // Fire an Event to additionally inform users of the change + eventType := core.EventTypeNormal + if status == cmmeta.ConditionFalse { + eventType = core.EventTypeWarning + } + controller.Recorder.Event(certificateRequest, eventType, reason, completeMessage) + + return controller.Client.Status().Update(ctx, certificateRequest) +} diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go new file mode 100644 index 00000000..36cfbc48 --- /dev/null +++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller_test.go @@ -0,0 +1,35 @@ +package cmpv2controller + +import ( + cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" + "testing" +) + +func TestIsCMPv2CertificateRequest_notCMPv2Request(t *testing.T) { + request := new(cmapi.CertificateRequest) + if isCMPv2CertificateRequest(request) { + t.Logf("CPMv2 request [NOK]") + t.FailNow() + } + + request.Spec.IssuerRef.Group = "certmanager.onap.org" + request.Spec.IssuerRef.Kind = "CertificateRequest" + if isCMPv2CertificateRequest(request) { + t.Logf("CPMv2 request [NOK]") + t.FailNow() + } +} + +func TestIsCMPv2CertificateRequest_CMPvRequest(t *testing.T) { + request := new(cmapi.CertificateRequest) + request.Spec.IssuerRef.Group = "certmanager.onap.org" + request.Spec.IssuerRef.Kind = "CMPv2Issuer" + + if isCMPv2CertificateRequest(request) { + t.Logf("CPMv2 request [OK]") + } else { + t.Logf("Not a CPMv2 request [NOK]") + t.FailNow() + } +} + diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go new file mode 100644 index 00000000..e5b1b196 --- /dev/null +++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go @@ -0,0 +1,127 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (c) 2019 Smallstep Labs, Inc. + * Modifications copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * This source code was copied from the following git repository: + * https://github.com/smallstep/step-issuer + * The source code was modified for usage in the ONAP project. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package cmpv2controller + +import ( + "context" + "fmt" + "github.com/go-logr/logr" + core "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + "k8s.io/client-go/tools/record" + "k8s.io/utils/clock" + "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" + provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// CMPv2IssuerController reconciles a CMPv2Issuer object +type CMPv2IssuerController struct { + client.Client + Log logr.Logger + Clock clock.Clock + Recorder record.EventRecorder +} + +// Reconcile will read and validate the CMPv2Issuer resources, it will set the +// status condition ready to true if everything is right. +func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Result, error) { + ctx := context.Background() + log := controller.Log.WithValues("cmpv2-issuer-controller", req.NamespacedName) + + issuer := new(cmpv2api.CMPv2Issuer) + if err := controller.Client.Get(ctx, req.NamespacedName, issuer); err != nil { + log.Error(err, "failed to retrieve CMPv2Issuer resource") + return ctrl.Result{}, client.IgnoreNotFound(err) + } + log.Info("Issuer loaded: ", "issuer", issuer) + + statusUpdater := newStatusUpdater(controller, issuer, log) + if err := validateCMPv2IssuerSpec(issuer.Spec); err != nil { + log.Error(err, "failed to validate CMPv2Issuer resource") + statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "Validation", "Failed to validate resource: %v", err) + return ctrl.Result{}, err + } + log.Info("Issuer validated. ") + + // Fetch the provisioner password + var secret core.Secret + secretNamespaceName := types.NamespacedName{ + Namespace: req.Namespace, + Name: issuer.Spec.KeyRef.Name, + } + if err := controller.Client.Get(ctx, secretNamespaceName, &secret); err != nil { + log.Error(err, "failed to retrieve CMPv2Issuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name) + if apierrors.IsNotFound(err) { + statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "NotFound", "Failed to retrieve provisioner secret: %v", err) + } else { + statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "Error", "Failed to retrieve provisioner secret: %v", err) + } + return ctrl.Result{}, err + } + password, ok := secret.Data[issuer.Spec.KeyRef.Key] + if !ok { + err := fmt.Errorf("secret %s does not contain key %s", secret.Name, issuer.Spec.KeyRef.Key) + log.Error(err, "failed to retrieve CMPv2Issuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name) + statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "NotFound", "Failed to retrieve provisioner secret: %v", err) + return ctrl.Result{}, err + } + + // Initialize and store the provisioner + provisioner, err := provisioners.New(issuer, password) + if err != nil { + log.Error(err, "failed to initialize provisioner") + statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "Error", "failed initialize provisioner") + return ctrl.Result{}, err + } + provisioners.Store(req.NamespacedName, provisioner) + + log.Info( "CMPv2Issuer verified. Updating status to Verified...") + return ctrl.Result{}, statusUpdater.Update(ctx, cmpv2api.ConditionTrue, "Verified", "CMPv2Issuer verified and ready to sign certificates") +} + +// SetupWithManager initializes the CMPv2Issuer controller into the controller +// runtime. +func (controller *CMPv2IssuerController) SetupWithManager(manager ctrl.Manager) error { + return ctrl.NewControllerManagedBy(manager). + For(&cmpv2api.CMPv2Issuer{}). + Complete(controller) +} + +func validateCMPv2IssuerSpec(issuerSpec cmpv2api.CMPv2IssuerSpec) error { + switch { + case issuerSpec.URL == "": + return fmt.Errorf("spec.url cannot be empty") + case issuerSpec.KeyRef.Name == "": + return fmt.Errorf("spec.keyRef.name cannot be empty") + case issuerSpec.KeyRef.Key == "": + return fmt.Errorf("spec.keyRef.key cannot be empty") + default: + return nil + } +} diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go new file mode 100644 index 00000000..f2ec5c5a --- /dev/null +++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_status_updater.go @@ -0,0 +1,116 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (c) 2019 Smallstep Labs, Inc. + * Modifications copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * This source code was copied from the following git repository: + * https://github.com/smallstep/step-issuer + * The source code was modified for usage in the ONAP project. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package cmpv2controller + +import ( + "context" + "fmt" + "github.com/go-logr/logr" + core "k8s.io/api/core/v1" + meta "k8s.io/apimachinery/pkg/apis/meta/v1" + "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" +) + +type CMPv2IssuerStatusUpdater struct { + *CMPv2IssuerController + issuer *cmpv2api.CMPv2Issuer + logger logr.Logger +} + +func newStatusUpdater(controller *CMPv2IssuerController, issuer *cmpv2api.CMPv2Issuer, log logr.Logger) *CMPv2IssuerStatusUpdater { + return &CMPv2IssuerStatusUpdater{ + CMPv2IssuerController: controller, + issuer: issuer, + logger: log, + } +} + +func (updater *CMPv2IssuerStatusUpdater) Update(ctx context.Context, status cmpv2api.ConditionStatus, reason, message string, args ...interface{}) error { + completeMessage := fmt.Sprintf(message, args...) + updater.setCondition(status, reason, completeMessage) + + // Fire an Event to additionally inform users of the change + eventType := core.EventTypeNormal + if status == cmpv2api.ConditionFalse { + eventType = core.EventTypeWarning + } + updater.logger.Info("Firing event: ", "issuer", updater.issuer, "eventtype", eventType, "reason", reason, "message", completeMessage) + updater.Recorder.Event(updater.issuer, eventType, reason, completeMessage) + + updater.logger.Info("Updating issuer... ") + return updater.Client.Update(ctx, updater.issuer) +} + +func (updater *CMPv2IssuerStatusUpdater) UpdateNoError(ctx context.Context, status cmpv2api.ConditionStatus, reason, message string, args ...interface{}) { + if err := updater.Update(ctx, status, reason, message, args...); err != nil { + updater.logger.Error(err, "failed to update", "status", status, "reason", reason) + } +} + +// setCondition will set a 'condition' on the given cmpv2api.CMPv2Issuer resource. +// +// - If no condition of the same type already exists, the condition will be +// inserted with the LastTransitionTime set to the current time. +// - If a condition of the same type and state already exists, the condition +// will be updated but the LastTransitionTime will not be modified. +// - If a condition of the same type and different state already exists, the +// condition will be updated and the LastTransitionTime set to the current +// time. +func (updater *CMPv2IssuerStatusUpdater) setCondition(status cmpv2api.ConditionStatus, reason, message string) { + now := meta.NewTime(updater.Clock.Now()) + issuerCondition := cmpv2api.CMPv2IssuerCondition{ + Type: cmpv2api.ConditionReady, + Status: status, + Reason: reason, + Message: message, + LastTransitionTime: &now, + } + + // Search through existing conditions + for i, condition := range updater.issuer.Status.Conditions { + // Skip unrelated conditions + if condition.Type != cmpv2api.ConditionReady { + continue + } + + // If this update doesn't contain a state transition, we don't update + // the conditions LastTransitionTime to Now() + if condition.Status == status { + issuerCondition.LastTransitionTime = condition.LastTransitionTime + } else { + updater.logger.Info("found status change for CMPv2Issuer condition; setting lastTransitionTime", "condition", condition.Type, "old_status", condition.Status, "new_status", status, "time", now.Time) + } + + // Overwrite the existing condition + updater.issuer.Status.Conditions[i] = issuerCondition + return + } + + // If we've not found an existing condition of this type, we simply insert + // the new condition into the slice. + updater.issuer.Status.Conditions = append(updater.issuer.Status.Conditions, issuerCondition) + updater.logger.Info("setting lastTransitionTime for CMPv2Issuer condition", "condition", cmpv2api.ConditionReady, "time", now.Time) +} diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go new file mode 100644 index 00000000..a51b8425 --- /dev/null +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go @@ -0,0 +1,164 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (c) 2019 Smallstep Labs, Inc. + * Modifications copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * This source code was copied from the following git repository: + * https://github.com/smallstep/step-issuer + * The source code was modified for usage in the ONAP project. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package cmpv2provisioner + +import ( + "bytes" + "context" + "crypto/x509" + "encoding/base64" + "encoding/pem" + "fmt" + certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1" + "k8s.io/apimachinery/pkg/types" + "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api" + ctrl "sigs.k8s.io/controller-runtime" + "sync" +) + +var collection = new(sync.Map) + +type CertServiceCA struct { + name string + url string + key []byte +} + +func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, key []byte) (*CertServiceCA, error) { + + ca := CertServiceCA{} + ca.name = cmpv2Issuer.Name + ca.url = cmpv2Issuer.Spec.URL + ca.key = key + + log := ctrl.Log.WithName("cmpv2-provisioner") + log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "key", ca.key) + + return &ca, nil +} + +func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) { + provisioner, ok := collection.Load(namespacedName) + if !ok { + return nil, ok + } + certServiceCAprovisioner, ok := provisioner.(*CertServiceCA) + return certServiceCAprovisioner, ok +} + +func Store(namespacedName types.NamespacedName, provisioner *CertServiceCA) { + collection.Store(namespacedName, provisioner) +} + +func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanager.CertificateRequest) ([]byte, []byte, error) { + log := ctrl.Log.WithName("certservice-provisioner") + log.Info("Signing certificate: ", "cert-name", certificateRequest.Name) + + key, _ := base64.RawStdEncoding.DecodeString(string(ca.key)) + log.Info("CA: ", "name", ca.name, "url", ca.url, "key", key) + + crPEM := certificateRequest.Spec.Request + csrBase64 := crPEM + log.Info("Csr PEM: ", "bytes", csrBase64) + + csr, err := decodeCSR(crPEM) + if err != nil { + return nil, nil, err + } + + cert := x509.Certificate{} + cert.Raw = csr.Raw + + // TODO + // write here code which will call CertServiceCA and sign CSR + // END + + encodedPEM, err := encodeX509(&cert) + if err != nil { + return nil, nil, err + } + + signedPEM := encodedPEM + trustedCA := encodedPEM + + log.Info("Successfully signed: ", "cert-name", certificateRequest.Name) + log.Info("Signed cert PEM: ", "bytes", signedPEM) + log.Info("Trusted CA PEM: ", "bytes", trustedCA) + + return signedPEM, trustedCA, nil +} + +// TODO JM utility methods - will be used in "real" implementation + +// decodeCSR decodes a certificate request in PEM format and returns the +func decodeCSR(data []byte) (*x509.CertificateRequest, error) { + block, rest := pem.Decode(data) + if block == nil || len(rest) > 0 { + return nil, fmt.Errorf("unexpected CSR PEM on sign request") + } + if block.Type != "CERTIFICATE REQUEST" { + return nil, fmt.Errorf("PEM is not a certificate request") + } + csr, err := x509.ParseCertificateRequest(block.Bytes) + if err != nil { + return nil, fmt.Errorf("error parsing certificate request: %v", err) + } + if err := csr.CheckSignature(); err != nil { + return nil, fmt.Errorf("error checking certificate request signature: %v", err) + } + return csr, nil +} + +// encodeX509 will encode a *x509.Certificate into PEM format. +func encodeX509(cert *x509.Certificate) ([]byte, error) { + caPem := bytes.NewBuffer([]byte{}) + err := pem.Encode(caPem, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}) + if err != nil { + return nil, err + } + return caPem.Bytes(), nil +} + +// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The +// CSRs generated by the Certificate resource have always those SANs. If no SANs +// are available `certservice-issuer-certificate` will be used as a subject is always +// required. +func generateSubject(sans []string) string { + if len(sans) == 0 { + return "certservice-issuer-certificate" + } + for _, s := range sans { + if s != "127.0.0.1" && s != "localhost" { + return s + } + } + return sans[0] +} + +func decode(cert string) []byte { + bytes, _ := base64.RawStdEncoding.DecodeString(cert) + return bytes +} diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go new file mode 100644 index 00000000..92d09b3c --- /dev/null +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go @@ -0,0 +1,30 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-k8s-external-provider + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package cmpv2provisioner + +import ( + "testing" +) + +func TestSignCertificate(t *testing.T) { + + t.Logf("Dummy GO test --> Everything is OK <--.") +} diff --git a/certServiceK8sExternalProvider/src/exit_code.go b/certServiceK8sExternalProvider/src/exit_code.go new file mode 100644 index 00000000..dea56c83 --- /dev/null +++ b/certServiceK8sExternalProvider/src/exit_code.go @@ -0,0 +1,20 @@ +package app + +type ExitCode struct { + Code int + Message string +} + +func newExitCode(code int, message string) *ExitCode{ + exitCode := new (ExitCode) + exitCode.Code = code + exitCode.Message = message + return exitCode +} + +var ( + FAILED_TO_CREATE_CONTROLLER_MANAGER = ExitCode{1, "unable to create k8s controller manager"} + FAILED_TO_REGISTER_CMPv2_ISSUER_CONTROLLER = ExitCode{2, "unable to register CMPv2Issuer controller"} + FAILED_TO_REGISTER_CERT_REQUEST_CONTROLLER = ExitCode{3, "unable to register CertificateRequestController"} + EXCEPTION_WHILE_RUNNING_CONTROLLER_MANAGER = ExitCode{4, "an exception occurs while running k8s controller manager"} +) -- cgit 1.2.3-korg