"bytes"
"context"
"crypto/x509"
- "encoding/base64"
"encoding/pem"
"fmt"
"sync"
type CertServiceCA struct {
name string
url string
+ healthEndpoint string
+ certEndpoint string
caName string
certServiceClient certserviceclient.CertServiceClient
}
ca.name = cmpv2Issuer.Name
ca.url = cmpv2Issuer.Spec.URL
ca.caName = cmpv2Issuer.Spec.CaName
+ ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
+ ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
ca.certServiceClient = certServiceClient
log := ctrl.Log.WithName("cmpv2-provisioner")
- log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName)
+ log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
return &ca, nil
}
+func (ca *CertServiceCA) CheckHealth() error {
+ log := ctrl.Log.WithName("cmpv2-provisioner")
+ log.Info("Checking health of CMPv2 issuer: ", "name", ca.name)
+ return ca.certServiceClient.CheckHealth()
+}
+
func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) {
provisioner, ok := collection.Load(namespacedName)
if !ok {
log.Info("Certificate Chain", "cert-chain", response.CertificateChain)
log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates)
- cert := x509.Certificate{}
- cert.Raw = csr.Raw
// TODO
- // write here code which will call CertServiceCA and sign CSR
- // END
-
+ // stored response as PEM
+ cert := x509.Certificate{}
+ cert.Raw = csr.Raw
encodedPEM, err := encodeX509(&cert)
if err != nil {
return nil, nil, err
}
+ // END
signedPEM := encodedPEM
trustedCA := encodedPEM
- log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
log.Info("Signed cert PEM: ", "bytes", signedPEM)
log.Info("Trusted CA PEM: ", "bytes", trustedCA)
+ log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
return signedPEM, trustedCA, nil
}
-// TODO JM utility methods - will be used in "real" implementation
-
// decodeCSR decodes a certificate request in PEM format and returns the
func decodeCSR(data []byte) (*x509.CertificateRequest, error) {
block, rest := pem.Decode(data)
}
return caPem.Bytes(), nil
}
-
-// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The
-// CSRs generated by the Certificate resource have always those SANs. If no SANs
-// are available `certservice-issuer-certificate` will be used as a subject is always
-// required.
-func generateSubject(sans []string) string {
- if len(sans) == 0 {
- return "certservice-issuer-certificate"
- }
- for _, s := range sans {
- if s != "127.0.0.1" && s != "localhost" {
- return s
- }
- }
- return sans[0]
-}
-
-func decode(cert string) []byte {
- bytes, _ := base64.RawStdEncoding.DecodeString(cert)
- return bytes
-}
Code Review / oom / platform / cert-service.git / blobdiff