[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add client for CertService API

[oom/platform/cert-service.git] / certServiceK8sExternalProvider / src / cmpv2controller / certificate_request_controller.go

diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
index 54b4b10..d526bbc 100644 (file)
--- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
@@ -44,6 +44,11 @@ import (
        provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
 )
 
+const (
+       privateKeySecretNameAnnotation = "cert-manager.io/private-key-secret-name"
+       privateKeySecretKey = "tls.key"
+)
+
 // CertificateRequestController reconciles a CMPv2Issuer object.
 type CertificateRequestController struct {
        client.Client
@@ -104,14 +109,27 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
                return ctrl.Result{}, err
        }
 
-       // 7. Sign CertificateRequest
-       signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest)
+       // 7. Get private key matching CertificateRequest
+       privateKeySecretName := certificateRequest.ObjectMeta.Annotations[privateKeySecretNameAnnotation]
+       privateKeySecretNamespaceName := types.NamespacedName{
+               Namespace: k8sRequest.Namespace,
+               Name:      privateKeySecretName,
+       }
+       var privateKeySecret core.Secret
+       if err := controller.Client.Get(ctx, privateKeySecretNamespaceName, &privateKeySecret); err != nil {
+               controller.handleErrorGettingPrivateKey(ctx, log, err, certificateRequest, privateKeySecretNamespaceName)
+               return ctrl.Result{}, err
+       }
+       privateKeyBytes := privateKeySecret.Data[privateKeySecretKey]
+
+       // 8. Sign CertificateRequest
+       signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest, privateKeyBytes)
        if err != nil {
                controller.handleErrorFailedToSignCertificate(ctx, log, err, certificateRequest)
                return ctrl.Result{}, err
        }
 
-       // 8. Store signed certificates in CertificateRequest
+       // 9. Store signed certificates in CertificateRequest
        certificateRequest.Status.Certificate = signedPEM
        certificateRequest.Status.CA = trustedCAs
        if err := controller.updateCertificateRequestWithSignedCerficates(ctx, certificateRequest); err != nil {
@@ -188,6 +206,11 @@ func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(ct
        _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err)
 }
 
+func (controller *CertificateRequestController) handleErrorGettingPrivateKey(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest, pkSecretNamespacedName types.NamespacedName) {
+       log.Error(err, "Failed to retrieve private key secret for certificate request", "namespace", pkSecretNamespacedName.Namespace, "name", pkSecretNamespacedName.Name)
+       _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve private key secret: %v", err)
+}
+
 func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest) {
        log.Error(err, "Failed to sign certificate request")
        _ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)