From b151ffacf655f2e14f99c6850c53bee562c24e9e Mon Sep 17 00:00:00 2001
From: Tomasz Wrobel
Date: Wed, 21 Jul 2021 15:37:56 +0200
Subject: [PATCH] [OOM-K8S-CERT-EXTERNAL-PROVIDER] Add handling request when updateEnpoint is missing
Issue-ID: OOM-2753
Signed-off-by: Tomasz Wrobel
Change-Id: I06fc3043787631b83cc776b1e446700bd13f9863
---
 .../deploy/configuration.yaml | 1 +
 certServiceK8sExternalProvider/deploy/crd.yaml | 4 +++
 .../util/certificate_update_util_test.go | 5 ++--
 .../src/cmpv2provisioner/cmpv2_provisioner.go | 17 ++++++++++--
 .../src/cmpv2provisioner/cmpv2_provisioner_test.go | 32 ++++++++++++++++++++++
 5 files changed, 53 insertions(+), 6 deletions(-)
diff --git a/certServiceK8sExternalProvider/deploy/configuration.yaml b/certServiceK8sExternalProvider/deploy/configuration.yaml
index 5764a52a..45fc5c4f 100644
--- a/certServiceK8sExternalProvider/deploy/configuration.yaml
+++ b/certServiceK8sExternalProvider/deploy/configuration.yaml
@@ -31,6 +31,7 @@ spec:
 url: https://oom-cert-service:8443
 healthEndpoint: actuator/health
 certEndpoint: v1/certificate
+ updateEndpoint: v1/certificate-update
 caName: RA
 certSecretRef:
 name: cmpv2-issuer-secret
diff --git a/certServiceK8sExternalProvider/deploy/crd.yaml b/certServiceK8sExternalProvider/deploy/crd.yaml
index b14d8063..71fb58eb 100644
--- a/certServiceK8sExternalProvider/deploy/crd.yaml
+++ b/certServiceK8sExternalProvider/deploy/crd.yaml
@@ -66,6 +66,9 @@ spec:
 certEndpoint:
 description: Path of cerfificate signing enpoint.
 type: string
+ updateEndpoint:
+ description: Path of certificate update endpoint.
+ type: string
 caName:
 description: Name of the external CA server configured on CertService API side.
 type: string
@@ -99,6 +102,7 @@ spec:
 - url
 - healthEndpoint
 - certEndpoint
+ - updateEndpoint
 - caName
 - certSecretRef
 type: object
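Review bot: Adding `- updateEndpoint` to the `required` list in the second crd.yaml hunk works against the subject of this commit: the API server will reject a CMPv2Issuer that omits the key, so the new fallback in cmpv2_provisioner.go can only be reached through an explicitly empty value such as `updateEndpoint: ""`. Either drop the `required` entry so the field is genuinely optional, or keep it required and treat an empty string as a configuration error instead of a silent downgrade to a plain certificate request. Whichever is chosen, the new field's description should state the consequence of leaving it unset, e.g. `description: Path of certificate update endpoint. When empty, certificate updates are sent as plain certificate requests.`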
diff --git a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go
index f9005277..a48cb60f 100644
--- a/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go
@@ -35,8 +35,8 @@ import (
 )
 const (
- testPrivateKeyData = "test-private-key"
- testCertificateData = "test-certificate"
+ testPrivateKeyData = "test-private-key"
+ testCertificateData = "test-certificate"
 )
 func Test_CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk_revisionOne(t *testing.T) {
@@ -128,4 +128,3 @@ func Test_RetrieveOldCertificateAndPk_shouldBeEmptyWhenOldCertificateCannotBeUnm
 assert.Equal(t, []byte{}, certificate)
 assert.Equal(t, []byte{}, privateKey)
 }
-
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
index 53932494..db171e33 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
@@ -43,6 +43,7 @@ type CertServiceCA struct {
 url string
 healthEndpoint string
 certEndpoint string
+ updateEndpoint string
 caName string
 certServiceClient certserviceclient.CertServiceClient
 }
@@ -55,10 +56,11 @@ func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.
 ca.caName = cmpv2Issuer.Spec.CaName
 ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
 ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
+ ca.updateEndpoint = cmpv2Issuer.Spec.UpdateEndpoint
 ca.certServiceClient = certServiceClient
 log := leveledlogger.GetLoggerWithName("cmpv2-provisioner")
- log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
+ log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint, "updateEndpoint", ca.updateEndpoint)
 return &ca, nil
 }
@@ -93,7 +95,6 @@ func (ca *CertServiceCA) Sign(
 var response *certserviceclient.CertificatesResponse
 var errAPI error
-
 if ca.isCertificateUpdate(signCertificateModel) {
 log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificateBytes)
 log.Info("Attempt to send certificate update request")
@@ -124,7 +125,17 @@ func (ca *CertServiceCA) Sign(
 return signedCertificateChain, trustedCertificates, nil
 }
+func (ca *CertServiceCA) updateEndpointIsConfigured() bool {
+ log := leveledlogger.GetLoggerWithName("certservice-provisioner")
+ isConfigured := ca.updateEndpoint != ""
+ if !isConfigured {
+ log.Info("Missing 'update endpoint' configuration. Certificates will received by certificate request instead of certificate update request")
+ }
+ return isConfigured
+}
 func (ca *CertServiceCA) isCertificateUpdate(signCertificateModel model.SignCertificateModel) bool {
- return len(signCertificateModel.OldCertificateBytes) > 0 && len(signCertificateModel.OldPrivateKeyBytes) > 0
+ return len(signCertificateModel.OldCertificateBytes) > 0 &&
+ len(signCertificateModel.OldPrivateKeyBytes) > 0 &&
+ ca.updateEndpointIsConfigured()
 }
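Review bot: `updateEndpointIsConfigured` in the last hunk obtains its logger as `GetLoggerWithName("certservice-provisioner")` while `New` in the first hunk uses `"cmpv2-provisioner"`, so the fallback message is filed under a different component name than the CA configuration it refers to; use `log := leveledlogger.GetLoggerWithName("cmpv2-provisioner")`. The message also has a grammar slip and should read `"Missing 'update endpoint' configuration. Certificates will be received by certificate request instead of certificate update request"`. Because the check is evaluated through `isCertificateUpdate` on every `Sign` call, an issuer deployed without the endpoint will emit this line on each renewal, whereas evaluating it once in `New`, next to the existing "Configuring CA" log, would record the downgrade at startup where an operator expects configuration problems to appear; `Sign` itself begins outside the hunk. The collapsed patch shows no added blank line around the new function, so it appears to abut a neighbouring `func`, which gofmt will not correct.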
diff --git a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
index e0b0c2e9..39af8ec6 100644
--- a/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
+++ b/certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go
@@ -37,6 +37,7 @@ import (
 const ISSUER_NAME = "cmpv2-issuer"
 const ISSUER_URL = "issuer/url"
+const ISSUER_UPDATE_URL = "update-url"
 const ISSUER_NAMESPACE = "onap"
 func Test_shouldCreateCorrectCertServiceCA(t *testing.T) {
@@ -122,10 +123,41 @@ func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForUpdateCertific
 testdata.VerifyCertsAreEqualToExpected(t, signedPEM, trustedCAs)
 }
+func Test_shouldReturnCorrectSignedPemForCertificateRequestWhenUpdateEndpointConfigurationIsMissing(t *testing.T) {
+ issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
+ issuer.Spec.UpdateEndpoint = ""
+ provisionerFactory := ProvisionerFactoryMock{}
+ provisioner, err := provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{})
+
+ issuerNamespaceName := testdata.CreateIssuerNamespaceName(ISSUER_NAMESPACE, ISSUER_NAME)
+ Store(issuerNamespaceName, provisioner)
+
+ provisioner, ok := Load(issuerNamespaceName)
+
+ testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t)
+
+ request := createCertificateRequest()
+ privateKeyBytes := getPrivateKeyBytes()
+
+ signCertificateModel := model.SignCertificateModel{
+ CertificateRequest: request,
+ PrivateKeyBytes: privateKeyBytes,
+ OldCertificateBytes: testdata.OldCertificateBytes,
+ OldPrivateKeyBytes: testdata.OldPrivateKeyBytes,
+ }
+
+ signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel)
+
+ assert.Nil(t, err)
+
+ testdata.VerifyCertsAreEqualToExpected(t, signedPEM, trustedCAs)
+}
+
 func createIssuerAndCerts(name string, url string) cmpv2api.CMPv2Issuer {
 issuer := cmpv2api.CMPv2Issuer{}
 issuer.Name = name
 issuer.Spec.URL = url
+ issuer.Spec.UpdateEndpoint = ISSUER_UPDATE_URL
 return issuer
 }
-- 
2.16.6
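Review bot: In the new test the `err` returned by `provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{})` is never checked before `provisioner` is overwritten by `Load`, so a provisioner that failed to build would only surface as an unrelated failure further down; add `assert.Nil(t, err)` directly after that line. The test also only asserts that `Sign` returns the expected certificates, and if the mock client answers the certificate and the update paths with the same material (the sibling update test's use of the same `VerifyCertsAreEqualToExpected` helper suggests it does), it would still pass with the fallback broken; asserting which client call was made, or giving the two paths distinguishable mock responses, would actually pin the behaviour this commit adds. Since `createIssuerAndCerts` now sets `UpdateEndpoint` for every caller from the constant added in the earlier hunk, that constant holds a path rather than a URL, and `ISSUER_UPDATE_ENDPOINT` would match the spec field it feeds.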