X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=certServiceK8sExternalProvider%2Fsrc%2Fcmpv2controller%2Fcertificate_request_controller.go;h=d526bbc8402e5324939c904b647ebaf631f20b1a;hb=ee23e5f54f96807b1f1fff0b45238a247d3dd8e0;hp=54b4b1031d77bba81411cfc065e8ba5a88db5fd2;hpb=aa23960c5d444dea307e0934b446f12ab0256689;p=oom%2Fplatform%2Fcert-service.git
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
index 54b4b103..d526bbc8 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
@@ -44,6 +44,11 @@ import (
 	provisioners "onap.org/oom-certservice/k8s-external-provider/src/cmpv2provisioner"
 )
 
+const (
+	privateKeySecretNameAnnotation = "cert-manager.io/private-key-secret-name"
+	privateKeySecretKey = "tls.key"
+)
+
 // CertificateRequestController reconciles a CMPv2Issuer object.
 type CertificateRequestController struct {
 	client.Client
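Review bot: The two new constants are an external contract but carry no comment saying who sets the annotation or what the Secret entry holds, so a reader of `privateKeySecretNameAnnotation` has to already know cert-manager's conventions to follow it. I would add above the `const` block a comment along the lines of `// privateKeySecretNameAnnotation names the Secret holding the private key that matches the CertificateRequest's CSR (presumably set by cert-manager when it creates the request - confirm); privateKeySecretKey is the entry in that Secret holding the PEM-encoded key.` The constants are consumed in Reconcile further down the file, outside this hunk.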
@@ -104,14 +109,27 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
 		return ctrl.Result{}, err
 	}
 
-	// 7. Sign CertificateRequest
-	signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest)
+	// 7. Get private key matching CertificateRequest
+	privateKeySecretName := certificateRequest.ObjectMeta.Annotations[privateKeySecretNameAnnotation]
+	privateKeySecretNamespaceName := types.NamespacedName{
+		Namespace: k8sRequest.Namespace,
+		Name: privateKeySecretName,
+	}
+	var privateKeySecret core.Secret
+	if err := controller.Client.Get(ctx, privateKeySecretNamespaceName, &privateKeySecret); err != nil {
+		controller.handleErrorGettingPrivateKey(ctx, log, err, certificateRequest, privateKeySecretNamespaceName)
+		return ctrl.Result{}, err
+	}
+	privateKeyBytes := privateKeySecret.Data[privateKeySecretKey]
+
+	// 8. Sign CertificateRequest
+	signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest, privateKeyBytes)
 	if err != nil {
 		controller.handleErrorFailedToSignCertificate(ctx, log, err, certificateRequest)
 		return ctrl.Result{}, err
 	}
 
-	// 8. Store signed certificates in CertificateRequest
+	// 9. Store signed certificates in CertificateRequest
 	certificateRequest.Status.Certificate = signedPEM
 	certificateRequest.Status.CA = trustedCAs
 	if err := controller.updateCertificateRequestWithSignedCerficates(ctx, certificateRequest); err != nil {
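Review bot: `privateKeyBytes := privateKeySecret.Data[privateKeySecretKey]` hands a nil slice to `provisioner.Sign` when the Secret has no `tls.key` entry, and the `Client.Get` above it is issued with an empty name when the annotation is absent, so both misconfigurations surface only as whatever opaque error Sign or the API server happens to return. Both should be rejected at this point with a status message naming the missing annotation or key, as in the excerpt below (`fmt` must be in scope for the error construction). Note also that the Secret is chosen solely by an annotation on the CertificateRequest, so any principal able to create CertificateRequests in the namespace can make the controller read the `tls.key` of any Secret there and pass it to Sign; what Sign does with the bytes is outside this hunk, but checking that the key's public half matches the public key in the request's CSR before using it would close that gap. Reconcile starts and ends outside the hunk.
```go
	// 7. Get private key matching CertificateRequest
	privateKeySecretName := certificateRequest.ObjectMeta.Annotations[privateKeySecretNameAnnotation]
	if privateKeySecretName == "" {
		err := fmt.Errorf("annotation %q is missing on CertificateRequest", privateKeySecretNameAnnotation)
		controller.handleErrorGettingPrivateKey(ctx, log, err, certificateRequest, types.NamespacedName{Namespace: k8sRequest.Namespace})
		return ctrl.Result{}, err
	}
	// … unchanged: NamespacedName construction and Client.Get …
	privateKeyBytes, ok := privateKeySecret.Data[privateKeySecretKey]
	if !ok || len(privateKeyBytes) == 0 {
		err := fmt.Errorf("secret %s has no %q entry", privateKeySecretNamespaceName, privateKeySecretKey)
		controller.handleErrorGettingPrivateKey(ctx, log, err, certificateRequest, privateKeySecretNamespaceName)
		return ctrl.Result{}, err
	}
	// … unchanged: provisioner.Sign and status update …
```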
@@ -188,6 +206,11 @@ func (controller *CertificateRequestController) handleErrorGettingCMPv2Issuer(ct
 	_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve CMPv2Issuer resource %s: %v", issuerNamespaceName, err)
 }
 
+func (controller *CertificateRequestController) handleErrorGettingPrivateKey(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest, pkSecretNamespacedName types.NamespacedName) {
+	log.Error(err, "Failed to retrieve private key secret for certificate request", "namespace", pkSecretNamespacedName.Namespace, "name", pkSecretNamespacedName.Name)
+	_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve private key secret: %v", err)
+}
+
 func (controller *CertificateRequestController) handleErrorFailedToSignCertificate(ctx context.Context, log logr.Logger, err error, certificateRequest *cmapi.CertificateRequest) {
 	log.Error(err, "Failed to sign certificate request")
 	_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonFailed, "Failed to sign certificate request: %v", err)
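Review bot: The status message written by `handleErrorGettingPrivateKey` drops the Secret's name, while the sibling `handleErrorGettingCMPv2Issuer` directly above includes the resource it failed to fetch; the name already sits on the CertificateRequest's own annotation, so echoing it leaks nothing and makes the empty-annotation case (name `""`) obvious from the request's status rather than only from controller logs. I would change the setStatus line to `_ = controller.setStatus(ctx, certificateRequest, cmmeta.ConditionFalse, cmapi.CertificateRequestReasonPending, "Failed to retrieve private key secret %s: %v", pkSecretNamespacedName, err)`. The log line already carries namespace and name, so only the status call needs the change.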