2 * ============LICENSE_START=======================================================
3 * oom-certservice-k8s-external-provider
4 * ================================================================================
5 * Copyright (c) 2019 Smallstep Labs, Inc.
6 * Copyright (C) 2020-2021 Nokia. All rights reserved.
7 * ================================================================================
8 * This source code was copied from the following git repository:
9 * https://github.com/smallstep/step-issuer
10 * The source code was modified for usage in the ONAP project.
11 * ================================================================================
12 * Licensed under the Apache License, Version 2.0 (the "License");
13 * you may not use this file except in compliance with the License.
14 * You may obtain a copy of the License at
16 * http://www.apache.org/licenses/LICENSE-2.0
18 * Unless required by applicable law or agreed to in writing, software
19 * distributed under the License is distributed on an "AS IS" BASIS,
20 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21 * See the License for the specific language governing permissions and
22 * limitations under the License.
23 * ============LICENSE_END=========================================================
26 package cmpv2provisioner
31 "k8s.io/apimachinery/pkg/types"
33 "onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
34 "onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
35 "onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
36 "onap.org/oom-certservice/k8s-external-provider/src/model"
39 var collection = new(sync.Map)
41 type CertServiceCA struct {
48 certServiceClient certserviceclient.CertServiceClient
51 func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.CertServiceClient) (*CertServiceCA, error) {
54 ca.name = cmpv2Issuer.Name
55 ca.url = cmpv2Issuer.Spec.URL
56 ca.caName = cmpv2Issuer.Spec.CaName
57 ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
58 ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
59 ca.updateEndpoint = cmpv2Issuer.Spec.UpdateEndpoint
60 ca.certServiceClient = certServiceClient
62 log := leveledlogger.GetLoggerWithName("cmpv2-provisioner")
63 log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint, "updateEndpoint", ca.updateEndpoint)
68 func (ca *CertServiceCA) CheckHealth() error {
69 log := leveledlogger.GetLoggerWithName("cmpv2-provisioner")
70 log.Info("Checking health of CMPv2 issuer: ", "name", ca.name)
71 return ca.certServiceClient.CheckHealth()
74 func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) {
75 provisioner, ok := collection.Load(namespacedName)
79 certServiceCAprovisioner, ok := provisioner.(*CertServiceCA)
80 return certServiceCAprovisioner, ok
83 func Store(namespacedName types.NamespacedName, provisioner *CertServiceCA) {
84 collection.Store(namespacedName, provisioner)
87 func (ca *CertServiceCA) Sign(
88 signCertificateModel model.SignCertificateModel,
89 ) (signedCertificateChain []byte, trustedCertificates []byte, err error) {
90 log := leveledlogger.GetLoggerWithName("certservice-provisioner")
92 certificateRequest := signCertificateModel.CertificateRequest
93 log.Info("Signing certificate: ", "cert-name", certificateRequest.Name)
94 log.Info("CA: ", "name", ca.name, "url", ca.url)
96 var response *certserviceclient.CertificatesResponse
98 if ca.isCertificateUpdate(signCertificateModel) {
99 log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificateBytes)
100 log.Info("Attempt to send certificate update request")
101 response, errAPI = ca.certServiceClient.UpdateCertificate(signCertificateModel)
103 log.Info("Attempt to send certificate request")
104 response, errAPI = ca.certServiceClient.GetCertificates(signCertificateModel)
108 return nil, nil, errAPI
110 log.Info("Successfully received response from CertService API")
111 log.Debug("Certificate Chain", "cert-chain", response.CertificateChain)
112 log.Debug("Trusted Certificates", "trust-certs", response.TrustedCertificates)
114 log.Info("Start parsing response")
115 signedCertificateChain, trustedCertificates, signErr := parseResponseToBytes(response)
118 log.Error(signErr, "Cannot parse response from CertService API")
119 return nil, nil, signErr
121 log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
122 log.Debug("Signed cert PEM: ", "bytes", signedCertificateChain)
123 log.Debug("Trusted CA PEM: ", "bytes", trustedCertificates)
125 return signedCertificateChain, trustedCertificates, nil
128 func (ca *CertServiceCA) updateEndpointIsConfigured() bool {
129 log := leveledlogger.GetLoggerWithName("certservice-provisioner")
130 isConfigured := ca.updateEndpoint != ""
132 log.Info("Missing 'update endpoint' configuration. Certificates will received by certificate request instead of certificate update request")
137 func (ca *CertServiceCA) isCertificateUpdate(signCertificateModel model.SignCertificateModel) bool {
138 return len(signCertificateModel.OldCertificateBytes) > 0 &&
139 len(signCertificateModel.OldPrivateKeyBytes) > 0 &&
140 ca.updateEndpointIsConfigured()