2 * ============LICENSE_START=======================================================
3 * oom-certservice-k8s-external-provider
4 * ================================================================================
5 * Copyright 2019 The cert-manager authors.
6 * Modifications copyright (C) 2020 Nokia. All rights reserved.
7 * ================================================================================
8 * This source code was copied from the following git repository:
9 * https://github.com/smallstep/step-issuer
10 * The source code was modified for usage in the ONAP project.
11 * ================================================================================
12 * Licensed under the Apache License, Version 2.0 (the "License");
13 * you may not use this file except in compliance with the License.
14 * You may obtain a copy of the License at
16 * http://www.apache.org/licenses/LICENSE-2.0
18 * Unless required by applicable law or agreed to in writing, software
19 * distributed under the License is distributed on an "AS IS" BASIS,
20 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21 * See the License for the specific language governing permissions and
22 * limitations under the License.
23 * ============LICENSE_END=========================================================
26 package cmpv2controller
31 "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
32 provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
34 "github.com/go-logr/logr"
35 apiutil "github.com/jetstack/cert-manager/pkg/api/util"
36 cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
37 cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
38 core "k8s.io/api/core/v1"
39 apierrors "k8s.io/apimachinery/pkg/api/errors"
40 "k8s.io/apimachinery/pkg/types"
41 "k8s.io/client-go/tools/record"
42 ctrl "sigs.k8s.io/controller-runtime"
43 "sigs.k8s.io/controller-runtime/pkg/client"
46 // CertificateRequestController reconciles a CMPv2Issuer object.
47 type CertificateRequestController struct {
50 Recorder record.EventRecorder
53 // Reconcile will read and validate a CMPv2Issuer resource associated to the
54 // CertificateRequest resource, and it will sign the CertificateRequest with the
55 // provisioner in the CMPv2Issuer.
56 func (controller *CertificateRequestController) Reconcile(req ctrl.Request) (ctrl.Result, error) {
57 ctx := context.Background()
58 log := controller.Log.WithValues("certificate-request-controller", req.NamespacedName)
60 // Fetch the CertificateRequest resource being reconciled.
61 // Just ignore the request if the certificate request has been deleted.
62 certificateRequest := new(cmapi.CertificateRequest)
63 if err := controller.Client.Get(ctx, req.NamespacedName, certificateRequest); err != nil {
64 if apierrors.IsNotFound(err) {
65 return ctrl.Result{}, nil
68 log.Error(err, "failed to retrieve CertificateRequest resource")
69 return ctrl.Result{}, err
72 if !isCMPv2CertificateRequest(certificateRequest) {
73 log.V(4).Info("certificate request is not CMPv2",
74 "group", certificateRequest.Spec.IssuerRef.Group,
75 "kind", certificateRequest.Spec.IssuerRef.Kind)
76 return ctrl.Result{}, nil
79 // If the certificate data is already set then we skip this request as it
80 // has already been completed in the past.
81 if len(certificateRequest.Status.Certificate) > 0 {
82 log.V(4).Info("existing certificate data found in status, skipping already completed CertificateRequest")
83 return ctrl.Result{}, nil
86 // Fetch the CMPv2Issuer resource
87 issuer := cmpv2api.CMPv2Issuer{}
88 issuerNamespaceName := types.NamespacedName{
89 Namespace: req.Namespace,
90 Name: certificateRequest.Spec.IssuerRef.Name,
92 if err := controller.Client.Get(ctx, issuerNamespaceName, &issuer); err != nil {
93 log.Error(err, "failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name)
94 _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err)
95 return ctrl.Result{}, err
98 // Check if the CMPv2Issuer resource has been marked Ready
99 if !cmpv2IssuerHasCondition(issuer, cmpv2api.CMPv2IssuerCondition{Type: cmpv2api.ConditionReady, Status: cmpv2api.ConditionTrue}) {
100 err := fmt.Errorf("resource %s is not ready", issuerNamespaceName)
101 log.Error(err, "failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name)
102 _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "CMPv2Issuer resource %s is not Ready", issuerNamespaceName)
103 return ctrl.Result{}, err
106 // Load the provisioner that will sign the CertificateRequest
107 provisioner, ok := provisioners.Load(issuerNamespaceName)
109 err := fmt.Errorf("provisioner %s not found", issuerNamespaceName)
110 log.Error(err, "failed to provisioner for CMPv2Issuer resource")
111 _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CMPv2Issuer resource %s", issuerNamespaceName)
112 return ctrl.Result{}, err
115 // Sign CertificateRequest
116 signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest)
118 log.Error(err, "failed to sign certificate request")
119 return ctrl.Result{}, controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
121 certificateRequest.Status.Certificate = signedPEM
122 certificateRequest.Status.CA = trustedCAs
124 return ctrl.Result{}, controller.setStatus(ctx, certificateRequest, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued")
127 // SetupWithManager initializes the CertificateRequest controller into the
128 // controller runtime.
129 func (controller *CertificateRequestController) SetupWithManager(manager ctrl.Manager) error {
130 return ctrl.NewControllerManagedBy(manager).
131 For(&cmapi.CertificateRequest{}).
135 // cmpv2IssuerHasCondition will return true if the given CMPv2Issuer resource has
136 // a condition matching the provided CMPv2IssuerCondition. Only the Type and
137 // Status field will be used in the comparison, meaning that this function will
138 // return 'true' even if the Reason, Message and LastTransitionTime fields do
140 func cmpv2IssuerHasCondition(issuer cmpv2api.CMPv2Issuer, condition cmpv2api.CMPv2IssuerCondition) bool {
141 existingConditions := issuer.Status.Conditions
142 for _, cond := range existingConditions {
143 if condition.Type == cond.Type && condition.Status == cond.Status {
150 func isCMPv2CertificateRequest(certificateRequest *cmapi.CertificateRequest) bool {
151 return certificateRequest.Spec.IssuerRef.Group != "" &&
152 certificateRequest.Spec.IssuerRef.Group == cmpv2api.GroupVersion.Group &&
153 certificateRequest.Spec.IssuerRef.Kind == cmpv2api.CMPv2IssuerKind
157 func (controller *CertificateRequestController) setStatus(ctx context.Context, certificateRequest *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error {
158 completeMessage := fmt.Sprintf(message, args...)
159 apiutil.SetCertificateRequestCondition(certificateRequest, cmapi.CertificateRequestConditionReady, status, reason, completeMessage)
161 // Fire an Event to additionally inform users of the change
162 eventType := core.EventTypeNormal
163 if status == cmmeta.ConditionFalse {
164 eventType = core.EventTypeWarning
166 controller.Recorder.Event(certificateRequest, eventType, reason, completeMessage)
168 return controller.Client.Status().Update(ctx, certificateRequest)