* oom-certservice-k8s-external-provider
* ================================================================================
* Copyright (c) 2019 Smallstep Labs, Inc.
- * Modifications copyright (C) 2020 Nokia. All rights reserved.
+ * Copyright (C) 2020-2021 Nokia. All rights reserved.
* ================================================================================
* This source code was copied from the following git repository:
* https://github.com/smallstep/step-issuer
package cmpv2provisioner
import (
- "context"
- "crypto/x509"
"sync"
- certmanager "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1"
"k8s.io/apimachinery/pkg/types"
- ctrl "sigs.k8s.io/controller-runtime"
"onap.org/oom-certservice/k8s-external-provider/src/certserviceclient"
"onap.org/oom-certservice/k8s-external-provider/src/cmpv2api"
- x509utils "onap.org/oom-certservice/k8s-external-provider/src/x509"
+ "onap.org/oom-certservice/k8s-external-provider/src/leveledlogger"
+ "onap.org/oom-certservice/k8s-external-provider/src/model"
)
var collection = new(sync.Map)
ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
ca.certServiceClient = certServiceClient
- log := ctrl.Log.WithName("cmpv2-provisioner")
+ log := leveledlogger.GetLoggerWithName("cmpv2-provisioner")
log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
return &ca, nil
}
func (ca *CertServiceCA) CheckHealth() error {
- log := ctrl.Log.WithName("cmpv2-provisioner")
+ log := leveledlogger.GetLoggerWithName("cmpv2-provisioner")
log.Info("Checking health of CMPv2 issuer: ", "name", ca.name)
return ca.certServiceClient.CheckHealth()
}
collection.Store(namespacedName, provisioner)
}
-func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanager.CertificateRequest, privateKeyBytes []byte) ([]byte, []byte, error) {
- log := ctrl.Log.WithName("certservice-provisioner")
- log.Info("Signing certificate: ", "cert-name", certificateRequest.Name)
+func (ca *CertServiceCA) Sign(
+ signCertificateModel model.SignCertificateModel,
+) (signedCertificateChain []byte, trustedCertificates []byte, err error) {
+ log := leveledlogger.GetLoggerWithName("certservice-provisioner")
+ certificateRequest := signCertificateModel.CertificateRequest
+ log.Info("Signing certificate: ", "cert-name", certificateRequest.Name)
log.Info("CA: ", "name", ca.name, "url", ca.url)
- csrBytes := certificateRequest.Spec.Request
- log.Info("Csr PEM: ", "bytes", csrBytes)
+ var response *certserviceclient.CertificatesResponse
+ var errAPI error
- csr, err := x509utils.DecodeCSR(csrBytes)
- if err != nil {
- return nil, nil, err
+ if ca.isCertificateUpdate(signCertificateModel) {
+ log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificateBytes)
+ log.Info("Attempt to send certificate update request")
+ response, errAPI = ca.certServiceClient.UpdateCertificate(signCertificateModel)
+ } else {
+ log.Info("Attempt to send certificate request")
+ response, errAPI = ca.certServiceClient.GetCertificates(signCertificateModel)
}
- response, err := ca.certServiceClient.GetCertificates(csrBytes, privateKeyBytes)
- if err != nil {
- return nil, nil, err
+ if errAPI != nil {
+ return nil, nil, errAPI
}
- log.Info("Certificate Chain", "cert-chain", response.CertificateChain)
- log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates)
+ log.Info("Successfully received response from CertService API")
+ log.Debug("Certificate Chain", "cert-chain", response.CertificateChain)
+ log.Debug("Trusted Certificates", "trust-certs", response.TrustedCertificates)
+ log.Info("Start parsing response")
+ signedCertificateChain, trustedCertificates, signErr := parseResponseToBytes(response)
- // TODO
- // stored response as PEM
- cert := x509.Certificate{}
- cert.Raw = csr.Raw
- encodedPEM, err := x509utils.EncodeX509(&cert)
- if err != nil {
- return nil, nil, err
+ if signErr != nil {
+ log.Error(signErr, "Cannot parse response from CertService API")
+ return nil, nil, signErr
}
- // END
+ log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
+ log.Debug("Signed cert PEM: ", "bytes", signedCertificateChain)
+ log.Debug("Trusted CA PEM: ", "bytes", trustedCertificates)
- signedPEM := encodedPEM
- trustedCA := encodedPEM
+ return signedCertificateChain, trustedCertificates, nil
+}
- log.Info("Signed cert PEM: ", "bytes", signedPEM)
- log.Info("Trusted CA PEM: ", "bytes", trustedCA)
- log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
- return signedPEM, trustedCA, nil
+func (ca *CertServiceCA) isCertificateUpdate(signCertificateModel model.SignCertificateModel) bool {
+ return len(signCertificateModel.OldCertificateBytes) > 0 && len(signCertificateModel.OldPrivateKeyBytes) > 0
}