* oom-certservice-k8s-external-provider
* ================================================================================
* Copyright 2019 The cert-manager authors.
- * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
* ================================================================================
* This source code was copied from the following git repository:
* https://github.com/smallstep/step-issuer
"context"
"fmt"
- "github.com/go-logr/logr"
- apiutil "github.com/jetstack/cert-manager/pkg/api/util"
cmapi "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
- cmmeta "github.com/jetstack/cert-manager/pkg/apis/meta/v1"
core "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
+ "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/logger"
+ "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/updater"
+ "onap.org/oom-certservice/k8s-external-provider/src/cmpv2controller/util"
provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
+ "onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
+ "onap.org/oom-certservice/k8s-external-provider/src/model"
+ x509utils "onap.org/oom-certservice/k8s-external-provider/src/x509"
+)
+
+const (
+ privateKeySecretNameAnnotation = "cert-manager.io/private-key-secret-name"
+ privateKeySecretKey = "tls.key"
)
// CertificateRequestController reconciles a CMPv2Issuer object.
type CertificateRequestController struct {
- client.Client
- Log logr.Logger
+ Client client.Client
Recorder record.EventRecorder
+ Log leveledlogger.Logger
}
// Reconcile will read and validate a CMPv2Issuer resource associated to the
// provisioner in the CMPv2Issuer.
func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Request) (ctrl.Result, error) {
ctx := context.Background()
- log := controller.Log.WithValues("certificate-request-controller", k8sRequest.NamespacedName)
+ log := leveledlogger.GetLoggerWithValues("certificate-request-controller", k8sRequest.NamespacedName)
// 1. Fetch the CertificateRequest resource being reconciled.
certificateRequest := new(cmapi.CertificateRequest)
+ certUpdater := updater.NewCertificateRequestUpdater(controller.Client, controller.Recorder, certificateRequest, ctx, log)
+
+ log.Info("Registered new certificate sign request: ", "cert-name", certificateRequest.Name)
if err := controller.Client.Get(ctx, k8sRequest.NamespacedName, certificateRequest); err != nil {
err = handleErrorResourceNotFound(log, err)
return ctrl.Result{}, err
// 2. Check if CertificateRequest is meant for CMPv2Issuer (if not ignore)
if !isCMPv2CertificateRequest(certificateRequest) {
- log.V(4).Info("Certificate request is not meant for CMPv2Issuer (ignoring)",
+ log.Info("Certificate request is not meant for CMPv2Issuer (ignoring)",
"group", certificateRequest.Spec.IssuerRef.Group,
"kind", certificateRequest.Spec.IssuerRef.Kind)
return ctrl.Result{}, nil
// 3. If the certificate data is already set then we skip this request as it
// has already been completed in the past.
if len(certificateRequest.Status.Certificate) > 0 {
- log.V(4).Info("Existing certificate data found in status, skipping already completed CertificateRequest")
+ log.Info("Existing certificate data found in status, skipping already completed CertificateRequest")
return ctrl.Result{}, nil
}
Name: certificateRequest.Spec.IssuerRef.Name,
}
if err := controller.Client.Get(ctx, issuerNamespaceName, &issuer); err != nil {
- controller.handleErrorGettingCMPv2Issuer(ctx, log, err, certificateRequest, issuerNamespaceName, k8sRequest)
- return ctrl.Result{}, err
+ controller.handleErrorGettingCMPv2Issuer(certUpdater, log, err, certificateRequest, issuerNamespaceName, k8sRequest)
+ return ctrl.Result{}, client.IgnoreNotFound(err)
}
// 5. Check if CMPv2Issuer is ready to sing certificates
if !isCMPv2IssuerReady(issuer) {
- err := controller.handleErrorCMPv2IssuerIsNotReady(ctx, log, issuerNamespaceName, certificateRequest, k8sRequest)
+ err := controller.handleErrorCMPv2IssuerIsNotReady(certUpdater, log, issuerNamespaceName, certificateRequest, k8sRequest)
return ctrl.Result{}, err
}
// 6. Load the provisioner that will sign the CertificateRequest
provisioner, ok := provisioners.Load(issuerNamespaceName)
if !ok {
- err := controller.handleErrorCouldNotLoadCMPv2Provisioner(ctx, log, issuerNamespaceName, certificateRequest)
+ err := controller.handleErrorCouldNotLoadCMPv2Provisioner(certUpdater, log, issuerNamespaceName)
+ return ctrl.Result{}, client.IgnoreNotFound(err)
+ }
+
+ // 7. Get private key matching CertificateRequest
+ privateKeySecretName := certificateRequest.ObjectMeta.Annotations[privateKeySecretNameAnnotation]
+ privateKeySecretNamespaceName := types.NamespacedName{
+ Namespace: k8sRequest.Namespace,
+ Name: privateKeySecretName,
+ }
+ var privateKeySecret core.Secret
+ if err := controller.Client.Get(ctx, privateKeySecretNamespaceName, &privateKeySecret); err != nil {
+ controller.handleErrorGettingPrivateKey(certUpdater, log, err, privateKeySecretNamespaceName)
return ctrl.Result{}, err
}
+ privateKeyBytes := privateKeySecret.Data[privateKeySecretKey]
- // 7. Sign CertificateRequest
- signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest)
+ // 8. Decode CSR
+ log.Info("Decoding CSR...")
+ csr, err := x509utils.DecodeCSR(certificateRequest.Spec.Request)
if err != nil {
- controller.handleErrorFailedToSignCertificate(ctx, log, err, certificateRequest)
+ controller.handleErrorFailedToDecodeCSR(certUpdater, log, err)
return ctrl.Result{}, err
}
- // 8. Store signed certificates in CertificateRequest
+ // 9. Log Certificate Request properties not supported or overridden by CertService API
+ logger.LogCertRequestProperties(leveledlogger.GetLoggerWithName("CSR details:"), certificateRequest, csr)
+
+ // 10. Check if CertificateRequest is an update request
+ isUpdateRevision, oldCertificate, oldPrivateKey := util.CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk(
+ controller.Client, certificateRequest, ctx)
+ if isUpdateRevision {
+ log.Info("Update revision detected")
+ }
+ signCertificateModel := model.SignCertificateModel{
+ CertificateRequest: certificateRequest,
+ PrivateKeyBytes: privateKeyBytes,
+ IsUpdateRevision: isUpdateRevision,
+ OldCertificate: oldCertificate,
+ OldPrivateKey: oldPrivateKey,
+ }
+
+ // 11. Sign CertificateRequest
+ signedPEM, trustedCAs, err := provisioner.Sign(ctx, signCertificateModel)
+ if err != nil {
+ controller.handleErrorFailedToSignCertificate(certUpdater, log, err)
+ return ctrl.Result{}, nil
+ }
+
+ // 12. Store signed certificates in CertificateRequest
certificateRequest.Status.Certificate = signedPEM
certificateRequest.Status.CA = trustedCAs
- if err := controller.updateCertificateRequestWithSignedCerficates(ctx, certificateRequest); err != nil {
+ if err := certUpdater.UpdateCertificateRequestWithSignedCertificates(); err != nil {
return ctrl.Result{}, err
}
return ctrl.Result{}, nil
}
-func (controller *CertificateRequestController) updateCertificateRequestWithSignedCerficates(ctx context.Context, certificateRequest *cmapi.CertificateRequest) error {
- return controller.setStatus(ctx, certificateRequest, cmmeta.ConditionTrue, cmapi.CertificateRequestReasonIssued, "Certificate issued")
-}
-
func (controller *CertificateRequestController) SetupWithManager(manager ctrl.Manager) error {
return ctrl.NewControllerManagedBy(manager).
For(&cmapi.CertificateRequest{}).
Complete(controller)
}
-func (controller *CertificateRequestController) setStatus(ctx context.Context, certificateRequest *cmapi.CertificateRequest, status cmmeta.ConditionStatus, reason, message string, args ...interface{}) error {
- completeMessage := fmt.Sprintf(message, args...)
- apiutil.SetCertificateRequestCondition(certificateRequest, cmapi.CertificateRequestConditionReady, status, reason, completeMessage)
-
- // Fire an Event to additionally inform users of the change
- eventType := core.EventTypeNormal
- if status == cmmeta.ConditionFalse {
- eventType = core.EventTypeWarning
- }
- controller.Recorder.Event(certificateRequest, eventType, reason, completeMessage)
-
- return controller.Client.Status().Update(ctx, certificateRequest)
-}
-
func isCMPv2IssuerReady(issuer cmpv2api.CMPv2Issuer) bool {
condition := cmpv2api.CMPv2IssuerCondition{Type: cmpv2api.ConditionReady, Status: cmpv2api.ConditionTrue}
return hasCondition(issuer, condition)
// Error handling
-func (controller *CertificateRequestController) handleErrorCouldNotLoadCMPv2Provisioner(ctx context.Context, log logr.Logger, issuerNamespaceName types.NamespacedName, certificateRequest *cmapi.CertificateRequest) error {
+func (controller *CertificateRequestController) handleErrorCouldNotLoadCMPv2Provisioner(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, issuerNamespaceName types.NamespacedName) error {
err := fmt.Errorf("provisioner %s not found", issuerNamespaceName)
log.Error(err, "Failed to load CMPv2 Provisioner resource")
- _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CMPv2Issuer resource %s", issuerNamespaceName)
+ _ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonPending, "Failed to load provisioner for CMPv2Issuer resource %s", issuerNamespaceName)
return err
}
-func (controller *CertificateRequestController) handleErrorCMPv2IssuerIsNotReady(ctx context.Context, log logr.Logger, issuerNamespaceName types.NamespacedName, certificateRequest *cmapi.CertificateRequest, req ctrl.Request) error {
+func (controller *CertificateRequestController) handleErrorCMPv2IssuerIsNotReady(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, issuerNamespaceName types.NamespacedName, certificateRequest *cmapi.CertificateRequest, req ctrl.Request) error {
err := fmt.Errorf("resource %s is not ready", issuerNamespaceName)
log.Error(err, "CMPv2Issuer not ready", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name)
- _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "CMPv2Issuer resource %s is not Ready", issuerNamespaceName)
+ _ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonPending, "CMPv2Issuer resource %s is not Ready", issuerNamespaceName)
return err
}
-func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest, issuerNamespaceName types.NamespacedName, req ctrl.Request) {
+func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, err error, certificateRequest *cmapi.CertificateRequest, issuerNamespaceName types.NamespacedName, req ctrl.Request) {
log.Error(err, "Failed to retrieve CMPv2Issuer resource", "namespace", req.Namespace, "name", certificateRequest.Spec.IssuerRef.Name)
- _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err)
+ _ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err)
+}
+
+func (controller *CertificateRequestController) handleErrorGettingPrivateKey(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, err error, pkSecretNamespacedName types.NamespacedName) {
+ log.Error(err, "Failed to retrieve private key secret for certificate request", "namespace", pkSecretNamespacedName.Namespace, "name", pkSecretNamespacedName.Name)
+ _ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonPending, "Failed to retrieve private key secret: %v", err)
}
-func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest) {
+func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, err error) {
log.Error(err, "Failed to sign certificate request")
- _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
+ _ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
}
-func handleErrorResourceNotFound(log logr.Logger, err error) error {
+func (controller *CertificateRequestController) handleErrorFailedToDecodeCSR(updater *updater.CertificateRequestStatusUpdater, log leveledlogger.Logger, err error) {
+ log.Error(err, "Failed to decode certificate sign request")
+ _ = updater.UpdateStatusWithEventTypeWarning(cmapi.CertificateRequestReasonFailed, "Failed to decode CSR: %v", err)
+}
+
+func handleErrorResourceNotFound(log leveledlogger.Logger, err error) error {
if apierrors.IsNotFound(err) {
log.Error(err, "CertificateRequest resource not found")
+ return nil
} else {
log.Error(err, "Failed to retrieve CertificateRequest resource")
+ return err
}
- return err
}