2 * ============LICENSE_START=======================================================
3 * oom-certservice-k8s-external-provider
4 * ================================================================================
5 * Copyright (c) 2019 Smallstep Labs, Inc.
6 * Modifications copyright (C) 2020 Nokia. All rights reserved.
7 * ================================================================================
8 * This source code was copied from the following git repository:
9 * https://github.com/smallstep/step-issuer
10 * The source code was modified for usage in the ONAP project.
11 * ================================================================================
12 * Licensed under the Apache License, Version 2.0 (the "License");
13 * you may not use this file except in compliance with the License.
14 * You may obtain a copy of the License at
16 * http://www.apache.org/licenses/LICENSE-2.0
18 * Unless required by applicable law or agreed to in writing, software
19 * distributed under the License is distributed on an "AS IS" BASIS,
20 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21 * See the License for the specific language governing permissions and
22 * limitations under the License.
23 * ============LICENSE_END=========================================================
26 package cmpv2controller
32 core "k8s.io/api/core/v1"
33 apierrors "k8s.io/apimachinery/pkg/api/errors"
34 "k8s.io/apimachinery/pkg/runtime"
35 "k8s.io/apimachinery/pkg/types"
36 "k8s.io/client-go/tools/record"
38 ctrl "sigs.k8s.io/controller-runtime"
39 "sigs.k8s.io/controller-runtime/pkg/client"
41 "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
42 provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
43 "onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
46 // CMPv2IssuerController reconciles a CMPv2Issuer object
47 type CMPv2IssuerController struct {
49 Log leveledlogger.Logger
51 Recorder record.EventRecorder
52 ProvisionerFactory provisioners.ProvisionerFactory
55 // Reconcile will read and validate the CMPv2Issuer resources, it will set the
56 // status condition ready to true if everything is right.
57 func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Result, error) {
58 ctx := context.Background()
59 log := leveledlogger.GetLoggerWithValues("cmpv2-issuer-controller", req.NamespacedName)
61 // 1. Load CMPv2Issuer
62 issuer := new(cmpv2api.CMPv2Issuer)
63 if err := controller.loadResource(ctx, req.NamespacedName, issuer); err != nil {
64 handleErrorLoadingCMPv2Issuer(log, err)
65 return ctrl.Result{}, client.IgnoreNotFound(err)
67 log.Info("CMPv2Issuer loaded: ", "issuer", issuer)
69 // 2. Validate CMPv2Issuer
70 statusUpdater := newStatusUpdater(controller, issuer, log)
71 if err := validateCMPv2IssuerSpec(issuer.Spec); err != nil {
72 handleErrorCMPv2IssuerValidation(ctx, log, err, statusUpdater)
73 return ctrl.Result{}, err
76 // 3. Load keystore and truststore information form k8s secret
77 var secret core.Secret
78 secretNamespaceName := types.NamespacedName{
79 Namespace: req.Namespace,
80 Name: issuer.Spec.CertSecretRef.Name,
82 if err := controller.loadResource(ctx, secretNamespaceName, &secret); err != nil {
83 handleErrorInvalidSecret(ctx, log, err, statusUpdater, secretNamespaceName)
84 return ctrl.Result{}, err
87 // 4. Create CMPv2 provisioner
88 provisioner, err := controller.ProvisionerFactory.CreateProvisioner(issuer, secret)
90 log.Error(err, "failed to initialize provisioner")
91 statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, "Error", "Failed to initialize provisioner: %v", err)
92 handleErrorProvisionerInitialization(ctx, log, err, statusUpdater)
93 return ctrl.Result{}, err
96 // 5. Check health of the provisioner and store the instance for further use
97 if err := provisioner.CheckHealth(); err != nil {
98 return ctrl.Result{}, err
100 provisioners.Store(req.NamespacedName, provisioner)
102 // 6. Update the status of CMPv2Issuer to 'Validated'
103 if err := updateCMPv2IssuerStatusToVerified(statusUpdater, ctx, log); err != nil {
104 handleErrorUpdatingCMPv2IssuerStatus(log, err)
105 return ctrl.Result{}, err
108 return ctrl.Result{}, nil
111 func (controller *CMPv2IssuerController) SetupWithManager(manager ctrl.Manager) error {
112 return ctrl.NewControllerManagedBy(manager).
113 For(&cmpv2api.CMPv2Issuer{}).
117 func (controller *CMPv2IssuerController) loadResource(ctx context.Context, key client.ObjectKey, obj runtime.Object) error {
118 return controller.Client.Get(ctx, key, obj)
121 func validateCMPv2IssuerSpec(issuerSpec cmpv2api.CMPv2IssuerSpec) error {
123 case issuerSpec.URL == "":
124 return fmt.Errorf("spec.url cannot be empty")
125 case issuerSpec.CaName == "":
126 return fmt.Errorf("spec.caName cannot be empty")
127 case issuerSpec.CertSecretRef.Name == "":
128 return fmt.Errorf("spec.certSecretRef.name cannot be empty")
129 case issuerSpec.CertSecretRef.KeyRef == "":
130 return fmt.Errorf("spec.certSecretRef.keyRef cannot be empty")
131 case issuerSpec.CertSecretRef.CertRef == "":
132 return fmt.Errorf("spec.certSecretRef.certRef cannot be empty")
133 case issuerSpec.CertSecretRef.CacertRef == "":
134 return fmt.Errorf("spec.certSecretRef.cacertRef cannot be empty")
140 func updateCMPv2IssuerStatusToVerified(statusUpdater *CMPv2IssuerStatusUpdater, ctx context.Context, log leveledlogger.Logger) error {
141 log.Info("CMPv2 provisioner created -> updating status to of CMPv2Issuer resource to: Verified")
142 return statusUpdater.Update(ctx, cmpv2api.ConditionTrue, Verified, "CMPv2Issuer verified and ready to sign certificates")
147 func handleErrorUpdatingCMPv2IssuerStatus(log leveledlogger.Logger, err error) {
148 log.Error(err, "Failed to update CMPv2Issuer status")
151 func handleErrorLoadingCMPv2Issuer(log leveledlogger.Logger, err error) {
152 log.Error(err, "Failed to retrieve CMPv2Issuer resource")
155 func handleErrorProvisionerInitialization(ctx context.Context, log leveledlogger.Logger, err error, statusUpdater *CMPv2IssuerStatusUpdater) {
156 log.Error(err, "Failed to initialize provisioner")
157 statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, Error, "Failed to initialize provisioner: %v", err)
160 func handleErrorCMPv2IssuerValidation(ctx context.Context, log leveledlogger.Logger, err error, statusUpdater *CMPv2IssuerStatusUpdater) {
161 log.Error(err, "Failed to validate CMPv2Issuer resource")
162 statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, ValidationFailed, "Failed to validate resource: %v", err)
165 func handleErrorInvalidSecret(ctx context.Context, log leveledlogger.Logger, err error, statusUpdater *CMPv2IssuerStatusUpdater, secretNamespaceName types.NamespacedName) {
166 log.Error(err, "Failed to retrieve CMPv2Issuer provisioner secret", "namespace", secretNamespaceName.Namespace, "name", secretNamespaceName.Name)
167 if apierrors.IsNotFound(err) {
168 statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, NotFound, "Failed to retrieve provisioner secret: %v", err)
170 statusUpdater.UpdateNoError(ctx, cmpv2api.ConditionFalse, Error, "Failed to retrieve provisioner secret: %v", err)