From a7bb3d59e71f7f7980f8b7db400df94cabd92c0a Mon Sep 17 00:00:00 2001 From: Jan Malkiewicz Date: Fri, 23 Oct 2020 09:46:13 +0200 Subject: [PATCH] [OOM-K8S-CERT-EXTERNAL-PROVIDER] Add health check of CMPv2 provisioner (cert-service-api) Issue-ID: OOM-2559 Signed-off-by: Jan Malkiewicz Change-Id: I81d4dcfcb10f71182ea667770bafb9556817b793 --- .../deploy/configuration.yaml | 4 +- certServiceK8sExternalProvider/deploy/crd.yaml | 8 +++ .../src/certserviceclient/cert_service_client.go | 22 +++++++++ .../cert_service_client_factory.go | 44 ++++++++++++----- .../cert_service_client_factory_test.go | 54 +++++++++++++++----- .../certserviceclient/cert_service_client_test.go | 57 ++++++++++++++++++++-- .../src/cmpv2api/cmpv2_issuer_crd_schema.go | 4 ++ .../certificate_request_controller.go | 5 +- .../src/cmpv2controller/cmpv2_issuer_controller.go | 9 +++- .../src/cmpv2provisioner/cmpv2_provisioner.go | 47 ++++++------------ .../cmpv2provisioner/cmpv2_provisioner_factory.go | 3 +- .../cmpv2_provisioner_factory_test.go | 6 +++ .../src/cmpv2provisioner/cmpv2_provisioner_test.go | 5 ++ 13 files changed, 204 insertions(+), 64 deletions(-) diff --git a/certServiceK8sExternalProvider/deploy/configuration.yaml b/certServiceK8sExternalProvider/deploy/configuration.yaml index 4a0f2dc6..5764a52a 100644 --- a/certServiceK8sExternalProvider/deploy/configuration.yaml +++ b/certServiceK8sExternalProvider/deploy/configuration.yaml @@ -28,7 +28,9 @@ metadata: name: cmpv2-issuer namespace: onap spec: - url: https://oom-cert-service:8443/v1/certificate/ + url: https://oom-cert-service:8443 + healthEndpoint: actuator/health + certEndpoint: v1/certificate caName: RA certSecretRef: name: cmpv2-issuer-secret diff --git a/certServiceK8sExternalProvider/deploy/crd.yaml b/certServiceK8sExternalProvider/deploy/crd.yaml index cc884388..b14d8063 100644 --- a/certServiceK8sExternalProvider/deploy/crd.yaml +++ b/certServiceK8sExternalProvider/deploy/crd.yaml 
@@ -60,6 +60,12 @@ spec: url: description: URL to CertService API. type: string + healthEndpoint: + description: Path of health check endpoint. + type: string + certEndpoint: + description: Path of cerfificate signing enpoint. + type: string caName: description: Name of the external CA server configured on CertService API side. type: string @@ -91,6 +97,8 @@ spec: type: object required: - url + - healthEndpoint + - certEndpoint - caName - certSecretRef type: object diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go index 870a3eda..15b90624 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go @@ -23,6 +23,7 @@ package certserviceclient import ( "encoding/base64" "encoding/json" + "fmt" "net/http" ) @@ -33,9 +34,11 @@ const ( type CertServiceClient interface { GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) + CheckHealth() error } type CertServiceClientImpl struct { + healthUrl string certificationUrl string httpClient HTTPClient } @@ -49,6 +52,25 @@ type CertificatesResponse struct { TrustedCertificates []string `json:"trustedCertificates"` } +func (client *CertServiceClientImpl) CheckHealth() error { + request, err := http.NewRequest("GET", client.healthUrl, nil) + if err != nil { + return err + } + + response, err := client.httpClient.Do(request) + if err != nil { + return err + } + + if response.StatusCode != 200 { + return fmt.Errorf("health check retured status code [%d]", response.StatusCode) + } + + return nil +} + + func (client *CertServiceClientImpl) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) { request, err := http.NewRequest("GET", client.certificationUrl, nil) 
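Review bot: The `certEndpoint` description in the second crd.yaml hunk misspells two words (`cerfificate`, `enpoint`); it should read `description: Path of certificate signing endpoint.`. Both new fields are also unconstrained strings, so the schema admits an absolute URL or an empty string where the client joins them as relative paths onto the base URL; a `minLength: 1` or a `pattern` excluding a `://` scheme would reject such issuers at admission instead of at reconcile time.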
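Review bot: `CheckHealth` never closes `response.Body` after the `Do` call, so every health probe leaks the body and keeps the mTLS connection from being reused; add `defer response.Body.Close()` directly after the `if err != nil` that follows `client.httpClient.Do(request)`. The mocks in cert_service_client_test.go return `Body: nil`, which a real `http.Client` never does, so those fixtures need a non-nil body once the close is added. While there, `response.StatusCode != http.StatusOK` reads better than the bare `200`, and the message has a typo: `fmt.Errorf("health check returned status code [%d]", response.StatusCode)`. The exported `CheckHealth` on the interface and the struct both lack doc comments; `// CheckHealth performs a GET on the configured health URL and returns an error unless it answers 200 OK.` would do.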
diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go index 198f2294..2c04b908 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go @@ -29,7 +29,8 @@ import ( "path" ) -func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) { +func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint string, caName string, + keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) { cert, err := tls.X509KeyPair(certPemBase64, keyPemBase64) if err != nil { return nil, err 
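Review bot: `CreateCertServiceClient` now takes seven positional arguments, four plain `string`s and three `[]byte`s with near-identical names, so a swapped `healthEndpoint`/`certEndpoint` or `keyPemBase64`/`certPemBase64` compiles silently; the test file itself documents that this mix-up is realistic (`//Cert used as key`). A small config struct passed as the single parameter, e.g. `type ClientConfig struct { BaseURL, HealthEndpoint, CertEndpoint, CaName string; KeyPEM, CertPEM, CaCertPEM []byte }`, would make every call site self-describing. The function body continues past the end of this hunk.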
@@ -48,27 +49,48 @@ func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte, }, }, } - certificationUrl, err := parseUrl(baseUrl, caName) + healthUrl, certificationUrl, err := validateAndParseUrls(baseUrl, healthEndpoint, certEndpoint, caName) if err != nil { return nil, err } client := CertServiceClientImpl{ - certificationUrl: certificationUrl.String(), + healthUrl: healthUrl, + certificationUrl: certificationUrl, httpClient: httpClient, } return &client, nil } -func parseUrl(baseUrl string, caName string) (*url.URL, error) { - parsedUrl, err := url.Parse(baseUrl) - if err != nil { - return nil, err +func validateAndParseUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) (string, string, error) { + if err := validateUrls(baseUrl, healthEndpoint, certEndpoint, caName); err != nil { + return "", "", err + } + + certUrl, _ := url.Parse(baseUrl) + healthUrl, _ := url.Parse(baseUrl) + + certUrl.Path = path.Join(certEndpoint, caName) + healthUrl.Path = path.Join(healthEndpoint) + + return healthUrl.String(), certUrl.String(), nil +} + +func validateUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) error { + if _, err := url.Parse(baseUrl); err != nil { + return err } if caName == "" { - return nil, fmt.Errorf("caName cannot be empty") + return fmt.Errorf("caName cannot be empty") } - - parsedUrl.Path = path.Join(parsedUrl.Path, caName) - return parsedUrl, nil + if _, err := url.Parse(caName); err != nil { + return err + } + if _, err := url.Parse(healthEndpoint); err != nil { + return err + } + if _, err := url.Parse(certEndpoint); err != nil { + return err + } + return nil } diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go index 50a6d796..5d255a62 100644 
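Review bot: `validateUrls` accepts anything `url.Parse` tolerates, so a plain `http://` base URL, or a scheme-less `oom-cert-service:8443` (which `url.Parse` reads as scheme `oom-cert-service` with no host), passes validation even though the client built above it carries a TLS key pair intended for mutual TLS; an explicit scheme/host check is the cheap guard, shown below. Separately, `validateAndParseUrls` assigns `certUrl.Path` and `healthUrl.Path` outright, whereas the removed `parseUrl` joined onto `parsedUrl.Path`, so any path prefix on the base URL (an ingress prefix, for instance) is now silently dropped — `certUrl.Path = path.Join(certUrl.Path, certEndpoint, caName)` and `healthUrl.Path = path.Join(healthUrl.Path, healthEndpoint)` would keep it. Finally, `url.Parse(caName)` is close to a no-op as validation: `RA/other` passes and becomes an extra path segment and `RA?x` passes and is percent-encoded into the path (`..` segments are at least cleaned by `path.Join`); if caName is meant to be a single segment, rejecting `/`, `?` and `#` explicitly would be stricter.
```go
func validateUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) error {
	parsed, err := url.Parse(baseUrl)
	if err != nil {
		return err
	}
	// the transport is configured with a client certificate, so anything but an absolute https URL is a misconfiguration
	if parsed.Scheme != "https" || parsed.Host == "" {
		return fmt.Errorf("url must be an absolute https URL, got [%s]", baseUrl)
	}
	if caName == "" {
		return fmt.Errorf("caName cannot be empty")
	}
	// … unchanged: url.Parse checks on caName, healthEndpoint and certEndpoint …
	return nil
}
```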
--- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go 
@@ -29,42 +29,70 @@ import ( ) const ( - validUrl = "https://oom-cert-service:8443/v1/certificate/" - validUrl2 = "https://oom-cert-service:8443/v1/certificate" - invalidUrl = "https://oom-cert service:8443/v1/certificate" + validUrl = "https://oom-cert-service:8443/" + validUrl2 = "https://oom-cert-service:8443" + invalidUrl = "https://oom-cert service:8443/" + healthEndpoint = "actuator/health" + healthEndpointInvalid = ":/actuator/health" + certEndpoint = "v1/certificate" + certEndpointInvalid = ":/v1/certificate" caName = "RA" + caNameInvalid = ":/RA" expectedCertificationUrl = "https://oom-cert-service:8443/v1/certificate/RA" + expectedHealthCheckUrl = "https://oom-cert-service:8443/actuator/health" ) func Test_shouldCreateCertServiceClient(t *testing.T) { - shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl) - shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl2) + shouldCreateCertServiceClientWithExpectedUrl(t, validUrl) + shouldCreateCertServiceClientWithExpectedUrl(t, validUrl2) } -func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, expectedCertificationUrl string, baseUrl string) { - client, err := CreateCertServiceClient(baseUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) +func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, baseUrl string) { + client, err := CreateCertServiceClient(baseUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.NotNil(t, client) assert.Nil(t, err) assert.Equal(t, expectedCertificationUrl, client.certificationUrl) + assert.Equal(t, expectedHealthCheckUrl, client.healthUrl) +} + +func Test_shouldReturnError_whenCaNameInvalid(t *testing.T) { + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caNameInvalid, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + + assert.Nil(t, client) + assert.Error(t, err) +} + +func 
Test_shouldReturnError_whenHealthEndpointInvalid(t *testing.T) { + client, err := CreateCertServiceClient(validUrl, healthEndpointInvalid, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + + assert.Nil(t, client) + assert.Error(t, err) +} + +func Test_shouldReturnError_whenCertEndpointInvalid(t *testing.T) { + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpointInvalid, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + + assert.Nil(t, client) + assert.Error(t, err) } func Test_shouldReturnError_whenUrlInvalid(t *testing.T) { - client, err := CreateCertServiceClient(invalidUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(invalidUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) } func Test_shouldReturnError_whenCanameEmpty(t *testing.T) { - client, err := CreateCertServiceClient(validUrl, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) } func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) { - client, err := CreateCertServiceClient(validUrl, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) 
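Review bot: The new negative tests only cover strings `url.Parse` rejects (`:/` prefixes and a space in the host), so nothing pins that a non-https base URL such as `http://oom-cert-service:8443/` is refused, nor what happens to a base URL that carries a path prefix — `validateAndParseUrls` currently overwrites `Path`, so `https://oom-cert-service:8443/prefix` yields `/v1/certificate/RA` without the prefix, and this suite would not notice either way. Add a case for each, e.g. `Test_shouldReturnError_whenUrlNotHttps` and a `validUrlWithPrefix` constant with the expected composed URLs, so the intended contract is fixed by the tests rather than by accident. `Test_shouldReturnError_whenKeyNotMatchingCert` continues past the end of this hunk.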
@@ -72,7 +100,7 @@ func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) { func Test_shouldReturnError_whenKeyInvalid(t *testing.T) { //Cert used as key - client, err := CreateCertServiceClient(validUrl, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) @@ -80,7 +108,7 @@ func Test_shouldReturnError_whenKeyInvalid(t *testing.T) { func Test_shouldReturnError_whenCertInvalid(t *testing.T) { //Cacert used as cert - client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes) assert.Nil(t, client) assert.Error(t, err) @@ -88,7 +116,7 @@ func Test_shouldReturnError_whenCertInvalid(t *testing.T) { func Test_shouldReturnError_whenCacertInvalid(t *testing.T) { //Key used as cacert - client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes) + client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes) assert.Nil(t, client) assert.Error(t, err) diff --git a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go index 1e15d43e..06fc4792 100644 --- a/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go +++ b/certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go 
@@ -37,7 +37,7 @@ const ( ) -func Test_shouldParseCertificateResponseCorrectly(t *testing.T) { +func Test_GetCertificates_shouldParseCertificateResponseCorrectly(t *testing.T) { responseJson := `{"certificateChain": ["cert-0", "cert-1"], "trustedCertificates": ["trusted-cert-0", "trusted-cert-1"]}` responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson))) client := CertServiceClientImpl{ @@ -56,7 +56,7 @@ func Test_shouldParseCertificateResponseCorrectly(t *testing.T) { assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates) } -func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) { +func Test_GetCertificates_shouldReturnError_whenResponseIsNotJson(t *testing.T) { responseJson := `not a json` responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson))) client := CertServiceClientImpl{ @@ -76,7 +76,7 @@ func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) { assert.Error(t, err) } -func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) { +func Test_GetCertificates_shouldReturnError_whenHttpClientReturnsError(t *testing.T) { client := CertServiceClientImpl{ certificationUrl: certificationUrl, httpClient: &httpClientMock{ 
@@ -91,6 +91,57 @@ func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) { assert.Error(t, err) } +func Test_CheckHealth_shouldReturnNil_whenHttpClientReturnsStatusCode200(t *testing.T) { + client := CertServiceClientImpl{ + certificationUrl: certificationUrl, + httpClient: &httpClientMock{ + DoFunc: func(req *http.Request) (response *http.Response, e error) { + mockedResponse := &http.Response{ + Body: nil, + StatusCode: 200, + } + return mockedResponse, nil + }, + }, + } + + err := client.CheckHealth() + + assert.Nil(t, err) +} + +func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsStatusCode404(t *testing.T) { + client := CertServiceClientImpl{ + certificationUrl: certificationUrl, + httpClient: &httpClientMock{ + DoFunc: func(req *http.Request) (response *http.Response, e error) { + mockedResponse := &http.Response{ + Body: nil, + StatusCode: 404, + } + return mockedResponse, nil + }, + }, + } + + err := client.CheckHealth() + + assert.Error(t, err) +} + +func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsError(t *testing.T) { + client := CertServiceClientImpl{ + certificationUrl: certificationUrl, + httpClient: &httpClientMock{ + DoFunc: func(req *http.Request) (response *http.Response, err error) { + return nil, fmt.Errorf("mock error") + }, + }, + } + err := client.CheckHealth() + + assert.Error(t, err) +} type httpClientMock struct { DoFunc func(*http.Request) (*http.Response, error) diff --git a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go index f26dc876..73392060 100644 --- a/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go +++ b/certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go 
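Review bot: The three `CheckHealth` tests populate `certificationUrl` but leave `healthUrl` empty and never inspect `req` inside `DoFunc`, so a `CheckHealth` that mistakenly hit `client.certificationUrl` would still pass; set `healthUrl: "https://oom-cert-service:8443/actuator/health"` on the fixture and assert `req.URL.String()` against it in the mock. The mocked responses also use `Body: nil`, which a real `http.Client` never returns, so these tests would panic the moment `CheckHealth` gains the `response.Body.Close()` it is currently missing; the file already imports `ioutil` and `bytes`, so `Body: ioutil.NopCloser(bytes.NewReader(nil))` keeps the fixture realistic. `httpClientMock` continues past the end of this hunk.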
@@ -37,6 +37,10 @@ func init() { type CMPv2IssuerSpec struct { // URL is the base URL for the CertService certificates instance. URL string `json:"url"` + // Path to health check endpoint. + HealthEndpoint string `json:"healthEndpoint"` + // Path to certificate signing endpoint. + CertEndpoint string `json:"certEndpoint"` // CaName is the name of the external CA server CaName string `json:"caName"` // KeyRef is a reference to a Secret containing the provisioner diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go index d526bbc8..136d3eb4 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go @@ -65,6 +65,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques // 1. Fetch the CertificateRequest resource being reconciled. certificateRequest := new(cmapi.CertificateRequest) + log.Info("Registered new certificate sign request: ", "cert-name", certificateRequest.Name) if err := controller.Client.Get(ctx, k8sRequest.NamespacedName, certificateRequest); err != nil { err = handleErrorResourceNotFound(log, err) return ctrl.Result{}, err @@ -72,7 +73,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques // 2. Check if CertificateRequest is meant for CMPv2Issuer (if not ignore) if !isCMPv2CertificateRequest(certificateRequest) { - log.V(4).Info("Certificate request is not meant for CMPv2Issuer (ignoring)", + log.Info("Certificate request is not meant for CMPv2Issuer (ignoring)", "group", certificateRequest.Spec.IssuerRef.Group, "kind", certificateRequest.Spec.IssuerRef.Kind) return ctrl.Result{}, nil 
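Review bot: The added `log.Info("Registered new certificate sign request: ", "cert-name", certificateRequest.Name)` runs before `controller.Client.Get(...)` fills `certificateRequest`, so `cert-name` is always the empty string; log the name from the reconcile request instead, `log.Info("Registered new certificate sign request: ", "cert-name", k8sRequest.NamespacedName)`, or move the line below the `Get` error check. It also fires for every CertificateRequest in the cluster, including those the next step ignores as not meant for CMPv2Issuer, so "registered" overstates what has happened at that point. `Reconcile` begins before this hunk.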
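Review bot: Raising the "not meant for CMPv2Issuer (ignoring)" message from `log.V(4)` to `log.Info` means every reconcile of every non-CMPv2 CertificateRequest in the cluster now emits an info-level line, which on a busy cert-manager installation is noise that buries the CMPv2 events this commit is trying to surface. Keeping `log.V(4).Info(...)` (or at most `log.V(1)`) for the ignore path while leaving the CMPv2 path at Info would give the visibility without the flood.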
@@ -81,7 +82,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques // 3. If the certificate data is already set then we skip this request as it // has already been completed in the past. if len(certificateRequest.Status.Certificate) > 0 { - log.V(4).Info("Existing certificate data found in status, skipping already completed CertificateRequest") + log.Info("Existing certificate data found in status, skipping already completed CertificateRequest") return ctrl.Result{}, nil } diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go index 1b4e5312..c6e0e1da 100644 --- a/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go +++ b/certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go @@ -83,7 +83,7 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul return ctrl.Result{}, err } - // 4. Create CMPv2 provisioner and store the instance for further use + // 4. Create CMPv2 provisioner provisioner, err := provisioners.CreateProvisioner(issuer, secret) if err != nil { log.Error(err, "failed to initialize provisioner") @@ -91,9 +91,14 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul handleErrorProvisionerInitialization(ctx, log, err, statusUpdater) return ctrl.Result{}, err } + + // 5. Check health of the provisioner and store the instance for further use + if err := provisioner.CheckHealth(); err != nil { + return ctrl.Result{}, err + } provisioners.Store(req.NamespacedName, provisioner) - // 5. Update the status of CMPv2Issuer to 'Validated' + // 6. Update the status of CMPv2Issuer to 'Validated' if err := updateCMPv2IssuerStatusToVerified(statusUpdater, ctx, log); err != nil { handleErrorUpdatingCMPv2IssuerStatus(log, err) return ctrl.Result{}, err 
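Review bot: When `provisioner.CheckHealth()` fails, the new branch returns the error without logging it or updating the CMPv2Issuer status, unlike the provisioner-initialization failure a few lines above, which calls `handleErrorProvisionerInitialization(ctx, log, err, statusUpdater)`; an operator inspecting the issuer resource sees no reason why it never reached "Validated". Add `log.Error(err, "CMPv2 provisioner health check failed")` and a status update — reusing `handleErrorProvisionerInitialization` if its status text fits, otherwise a dedicated handler — before the `return ctrl.Result{}, err`. Returning the error does requeue the issuer with backoff, so the retry behaviour itself is fine. `Reconcile` begins before this hunk.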
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go index 67d719cc..c0304d7d 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go @@ -29,7 +29,6 @@ import ( "bytes" "context" "crypto/x509" - "encoding/base64" "encoding/pem" "fmt" "sync" @@ -47,6 +46,8 @@ var collection = new(sync.Map) type CertServiceCA struct { name string url string + healthEndpoint string + certEndpoint string caName string certServiceClient certserviceclient.CertServiceClient } @@ -57,14 +58,22 @@ func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient. ca.name = cmpv2Issuer.Name ca.url = cmpv2Issuer.Spec.URL ca.caName = cmpv2Issuer.Spec.CaName + ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint + ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint ca.certServiceClient = certServiceClient log := ctrl.Log.WithName("cmpv2-provisioner") - log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName) + log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint) return &ca, nil } +func (ca *CertServiceCA) CheckHealth() error { + log := ctrl.Log.WithName("cmpv2-provisioner") + log.Info("Checking health of CMPv2 issuer: ", "name", ca.name) + return ca.certServiceClient.CheckHealth() +} + func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) { provisioner, ok := collection.Load(namespacedName) if !ok { 
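Review bot: `CertServiceCA` now stores `healthEndpoint` and `certEndpoint` although they are only read by the "Configuring CA" log line and the tests — the effective URLs live inside `certServiceClient`, which is built from the same spec — so the struct carries two fields that can drift from what the client actually calls. Either drop them and log `cmpv2Issuer.Spec.HealthEndpoint`/`CertEndpoint` directly in `New`, or document the intent, e.g. `// healthEndpoint and certEndpoint are kept for logging only; the client holds the composed URLs.`. The new `CheckHealth` also wants a doc comment, such as `// CheckHealth probes the CertService API behind this issuer through the client's health endpoint.`.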
@@ -99,30 +108,27 @@ func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanag log.Info("Certificate Chain", "cert-chain", response.CertificateChain) log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates) - cert := x509.Certificate{} - cert.Raw = csr.Raw // TODO - // write here code which will call CertServiceCA and sign CSR - // END - + // stored response as PEM + cert := x509.Certificate{} + cert.Raw = csr.Raw encodedPEM, err := encodeX509(&cert) if err != nil { return nil, nil, err } + // END signedPEM := encodedPEM trustedCA := encodedPEM - log.Info("Successfully signed: ", "cert-name", certificateRequest.Name) log.Info("Signed cert PEM: ", "bytes", signedPEM) log.Info("Trusted CA PEM: ", "bytes", trustedCA) + log.Info("Successfully signed: ", "cert-name", certificateRequest.Name) return signedPEM, trustedCA, nil } -// TODO JM utility methods - will be used in "real" implementation - // decodeCSR decodes a certificate request in PEM format and returns the func decodeCSR(data []byte) (*x509.CertificateRequest, error) { block, rest := pem.Decode(data) @@ -151,24 +157,3 @@ func encodeX509(cert *x509.Certificate) ([]byte, error) { } return caPem.Bytes(), nil } - -// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The -// CSRs generated by the Certificate resource have always those SANs. If no SANs -// are available `certservice-issuer-certificate` will be used as a subject is always -// required. -func generateSubject(sans []string) string { - if len(sans) == 0 { - return "certservice-issuer-certificate" - } - for _, s := range sans { - if s != "127.0.0.1" && s != "localhost" { - return s - } - } - return sans[0] -} - -func decode(cert string) []byte { - bytes, _ := base64.RawStdEncoding.DecodeString(cert) - return bytes -} 
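Review bot: `Sign` still returns the CSR bytes wrapped in an `x509.Certificate` as both the signed certificate and the trusted CA bundle and logs "Successfully signed", even though `response.CertificateChain` and `response.TrustedCertificates` from the CertService call are in scope and only logged; whoever consumes the return values receives a CSR where a certificate is expected, with no error to say so. Until the `TODO` block is implemented, returning `nil, nil, fmt.Errorf("CMPv2 signing not implemented yet")` is safer than a fake success, and the two `log.Info` lines dumping the full PEM byte slices at info level should go or move to a debug verbosity. `Sign` begins before this hunk and I cannot see how `response` is obtained, so whether the chain strings are PEM or base64 DER is for the real implementation to confirm.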
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go index 125c1bc6..27f5c108 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go @@ -44,7 +44,8 @@ func CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertSer return nil, err } - certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.CaName, keyBase64, certBase64, cacertBase64) + certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.HealthEndpoint, issuer.Spec.CertEndpoint, + issuer.Spec.CaName, keyBase64, certBase64, cacertBase64) if err != nil { return nil, err } diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go index 1e215d3f..3c0dbfd7 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go @@ -35,6 +35,8 @@ import ( const ( secretName = "issuer-cert-secret" url = "https://oom-cert-service:8443/v1/certificate/" + healthEndpoint = "actuator/health" + certEndpoint = "v1/certificate" caName = "RA" keySecretKey = "cmpv2Issuer-key.pem" certSecretKey = "cmpv2Issuer-cert.pem" @@ -49,6 +51,8 @@ func Test_shouldCreateProvisioner(t *testing.T) { assert.NotNil(t, provisioner) assert.Equal(t, url, provisioner.url) assert.Equal(t, caName, provisioner.caName) + assert.Equal(t, healthEndpoint, provisioner.healthEndpoint) + assert.Equal(t, certEndpoint, provisioner.certEndpoint) } func Test_shouldReturnError_whenSecretMissingKeyRef(t *testing.T) { 
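Review bot: The `url` constant in cmpv2_provisioner_factory_test.go still holds the old full path `https://oom-cert-service:8443/v1/certificate/` while the new `certEndpoint` constant adds `v1/certificate` again; the fixture only composes a sane URL because `validateAndParseUrls` overwrites the base path, and it would produce `/v1/certificate/v1/certificate/RA` if the prefix were ever preserved. Change it to `url = "https://oom-cert-service:8443"` to mirror configuration.yaml. `Test_shouldCreateProvisioner` also asserts the raw `healthEndpoint`/`certEndpoint` fields rather than the URLs the client will call, which is acceptable only if the client factory tests are considered the place for that. `Test_shouldReturnError_whenSecretMissingKeyRef` continues past the end of this hunk.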
@@ -103,6 +107,8 @@ func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) { issuer := cmpv2api.CMPv2Issuer{ Spec: cmpv2api.CMPv2IssuerSpec{ URL: url, + HealthEndpoint: healthEndpoint, + CertEndpoint: certEndpoint, CaName: caName, CertSecretRef: cmpv2api.SecretKeySelector{ Name: secretName, diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go index 39e399b8..31f2bc26 100644 --- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go +++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go @@ -167,3 +167,8 @@ type certServiceClientMock struct { func (client *certServiceClientMock) GetCertificates(csr []byte, key []byte) (*certserviceclient.CertificatesResponse, error) { return client.getCertificatesFunc(csr, key) } + +func (client *certServiceClientMock) CheckHealth() error { + return nil +} + -- 2.16.6
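Review bot: `certServiceClientMock.CheckHealth` hard-codes `return nil`, so, as far as this patch shows, the provisioner tests have no way to exercise the unhealthy path and nothing verifies that a failing health check keeps the provisioner out of the store; a `checkHealthFunc func() error` field on the mock, mirroring the existing `getCertificatesFunc`, would allow such a negative test. The mock's struct definition begins before this hunk.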