[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add health check of CMPv2 provisioner (cert-service... 86/114186/8
authorJan Malkiewicz <jan.malkiewicz@nokia.com>
Fri, 23 Oct 2020 07:46:13 +0000 (09:46 +0200)
committerJan Malkiewicz <jan.malkiewicz@nokia.com>
Mon, 26 Oct 2020 07:57:00 +0000 (08:57 +0100)
Issue-ID: OOM-2559
Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Change-Id: I81d4dcfcb10f71182ea667770bafb9556817b793

13 files changed:
certServiceK8sExternalProvider/deploy/configuration.yaml
certServiceK8sExternalProvider/deploy/crd.yaml
certServiceK8sExternalProvider/src/certserviceclient/cert_service_client.go
certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory.go
certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_factory_test.go
certServiceK8sExternalProvider/src/certserviceclient/cert_service_client_test.go
certServiceK8sExternalProvider/src/cmpv2api/cmpv2_issuer_crd_schema.go
certServiceK8sExternalProvider/src/cmpv2controller/certificate_request_controller.go
certServiceK8sExternalProvider/src/cmpv2controller/cmpv2_issuer_controller.go
certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory.go
certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_factory_test.go
certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go

index 4a0f2dc..5764a52 100644 (file)
@@ -28,7 +28,9 @@ metadata:
   name: cmpv2-issuer
   namespace: onap
 spec:
-  url: https://oom-cert-service:8443/v1/certificate/
+  url: https://oom-cert-service:8443
+  healthEndpoint: actuator/health
+  certEndpoint: v1/certificate
   caName: RA
   certSecretRef:
     name: cmpv2-issuer-secret
index cc88438..b14d806 100644 (file)
@@ -60,6 +60,12 @@ spec:
                 url:
                   description: URL to CertService API.
                   type: string
+                healthEndpoint:
+                  description: Path of health check endpoint.
+                  type: string
+                certEndpoint:
+                  description: Path of cerfificate signing enpoint.
+                  type: string
                 caName:
                   description: Name of the external CA server configured on CertService API side.
                   type: string
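Review bot: The new field descriptions for `healthEndpoint` and `certEndpoint` carry typos that operators will see verbatim through `kubectl explain`: `Path of cerfificate signing enpoint.` should read `Path of certificate signing endpoint.`. Because the factory joins these values onto `url` with path.Join, it would also help to state that both are paths relative to `url` (for example `actuator/health`), so nobody configures a full URL here.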
@@ -91,6 +97,8 @@ spec:
                   type: object
               required:
                 - url
+                - healthEndpoint
+                - certEndpoint
                 - caName
                 - certSecretRef
               type: object
index 870a3ed..15b9062 100644 (file)
@@ -23,6 +23,7 @@ package certserviceclient
 import (
        "encoding/base64"
        "encoding/json"
+       "fmt"
        "net/http"
 )
 
@@ -33,9 +34,11 @@ const (
 
 type CertServiceClient interface {
        GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error)
+       CheckHealth() error
 }
 
 type CertServiceClientImpl struct {
+       healthUrl string
        certificationUrl string
        httpClient       HTTPClient
 }
@@ -49,6 +52,25 @@ type CertificatesResponse struct {
        TrustedCertificates []string `json:"trustedCertificates"`
 }
 
+func (client *CertServiceClientImpl) CheckHealth() error {
+       request, err := http.NewRequest("GET", client.healthUrl, nil)
+       if err != nil {
+               return err
+       }
+
+       response, err := client.httpClient.Do(request)
+       if err != nil {
+               return err
+       }
+
+       if response.StatusCode != 200 {
+               return fmt.Errorf("health check retured status code [%d]", response.StatusCode)
+       }
+
+       return nil
+}
+
+
 func (client *CertServiceClientImpl) GetCertificates(csr []byte, key []byte) (*CertificatesResponse, error) {
 
        request, err := http.NewRequest("GET", client.certificationUrl, nil)
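Review bot: The response returned by `client.httpClient.Do` in CheckHealth is never closed, so every health check leaks the connection and stops the transport from reusing it; add `defer response.Body.Close()` right after the error check on Do. The new unit tests hand back a response with `Body: nil`, which a real http.Client never does, so they should switch to `Body: http.NoBody` once the close is in place. Comparing against `http.StatusOK` instead of the bare `200` and fixing the typo in `"health check retured status code [%d]"` would round it out. GetCertificates continues past the end of this hunk.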
index 198f229..2c04b90 100644 (file)
@@ -29,7 +29,8 @@ import (
        "path"
 )
 
-func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) {
+func CreateCertServiceClient(baseUrl string, healthEndpoint string, certEndpoint string, caName string,
+       keyPemBase64 []byte, certPemBase64 []byte, cacertPemBase64 []byte) (*CertServiceClientImpl, error) {
        cert, err := tls.X509KeyPair(certPemBase64, keyPemBase64)
        if err != nil {
                return nil, err
@@ -48,27 +49,48 @@ func CreateCertServiceClient(baseUrl string, caName string, keyPemBase64 []byte,
                        },
                },
        }
-       certificationUrl, err := parseUrl(baseUrl, caName)
+       healthUrl, certificationUrl, err := validateAndParseUrls(baseUrl, healthEndpoint, certEndpoint, caName)
        if err != nil {
                return nil, err
        }
        client := CertServiceClientImpl{
-               certificationUrl: certificationUrl.String(),
+               healthUrl: healthUrl,
+               certificationUrl: certificationUrl,
                httpClient:       httpClient,
        }
 
        return &client, nil
 }
 
-func parseUrl(baseUrl string, caName string) (*url.URL, error) {
-       parsedUrl, err := url.Parse(baseUrl)
-       if err != nil {
-               return nil, err
+func validateAndParseUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) (string, string, error) {
+       if err := validateUrls(baseUrl, healthEndpoint, certEndpoint, caName); err != nil {
+               return "", "", err
+       }
+
+       certUrl, _ := url.Parse(baseUrl)
+       healthUrl, _ := url.Parse(baseUrl)
+
+       certUrl.Path = path.Join(certEndpoint, caName)
+       healthUrl.Path = path.Join(healthEndpoint)
+
+       return healthUrl.String(), certUrl.String(), nil
+}
+
+func validateUrls(baseUrl string, healthEndpoint string, certEndpoint string, caName string) error {
+       if _, err := url.Parse(baseUrl); err != nil {
+               return err
        }
        if caName == "" {
-               return nil, fmt.Errorf("caName cannot be empty")
+               return fmt.Errorf("caName cannot be empty")
        }
-
-       parsedUrl.Path = path.Join(parsedUrl.Path, caName)
-       return parsedUrl, nil
+       if _, err := url.Parse(caName); err != nil {
+               return err
+       }
+       if _, err := url.Parse(healthEndpoint); err != nil {
+               return err
+       }
+       if _, err := url.Parse(certEndpoint); err != nil {
+               return err
+       }
+       return nil
 }
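Review bot: validateAndParseUrls overwrites the base URL's path (`certUrl.Path = path.Join(certEndpoint, caName)`), whereas the removed parseUrl preserved it (`path.Join(parsedUrl.Path, caName)`), so a base URL such as `https://host:8443/cert-service` now silently loses its prefix; use `certUrl.Path = path.Join(certUrl.Path, certEndpoint, caName)` and `healthUrl.Path = path.Join(healthUrl.Path, healthEndpoint)`. validateUrls also accepts any scheme even though the client is built around an mTLS configuration and GetCertificates is handed the private key bytes, so an `http://` base URL would bypass TLS entirely; rejecting it after the parse with something like `if u.Scheme != "https" { return fmt.Errorf("url must use https, got %q", u.Scheme) }` is a cheap safeguard, worth confirming against how the key actually travels to the service. The two `url.Parse` results whose errors are discarded with `_` are only safe because validateUrls parsed the same strings a moment earlier; a one-line comment saying so would stop a later reader from "fixing" it.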
index 50a6d79..5d255a6 100644 (file)
@@ -29,42 +29,70 @@ import (
 )
 
 const (
-       validUrl                 = "https://oom-cert-service:8443/v1/certificate/"
-       validUrl2                = "https://oom-cert-service:8443/v1/certificate"
-       invalidUrl               = "https://oom-cert  service:8443/v1/certificate"
+       validUrl                 = "https://oom-cert-service:8443/"
+       validUrl2                = "https://oom-cert-service:8443"
+       invalidUrl               = "https://oom-cert  service:8443/"
+       healthEndpoint           = "actuator/health"
+       healthEndpointInvalid    = ":/actuator/health"
+       certEndpoint             = "v1/certificate"
+       certEndpointInvalid      = ":/v1/certificate"
        caName                   = "RA"
+       caNameInvalid            = ":/RA"
        expectedCertificationUrl = "https://oom-cert-service:8443/v1/certificate/RA"
+       expectedHealthCheckUrl   = "https://oom-cert-service:8443/actuator/health"
 )
 
 func Test_shouldCreateCertServiceClient(t *testing.T) {
-       shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl)
-       shouldCreateCertServiceClientWithExpectedUrl(t, expectedCertificationUrl, validUrl2)
+       shouldCreateCertServiceClientWithExpectedUrl(t, validUrl)
+       shouldCreateCertServiceClientWithExpectedUrl(t, validUrl2)
 }
 
-func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, expectedCertificationUrl string, baseUrl string) {
-       client, err := CreateCertServiceClient(baseUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+func shouldCreateCertServiceClientWithExpectedUrl(t *testing.T, baseUrl string) {
+       client, err := CreateCertServiceClient(baseUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
        assert.NotNil(t, client)
        assert.Nil(t, err)
        assert.Equal(t, expectedCertificationUrl, client.certificationUrl)
+       assert.Equal(t, expectedHealthCheckUrl, client.healthUrl)
+}
+
+func Test_shouldReturnError_whenCaNameInvalid(t *testing.T) {
+       client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caNameInvalid, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+       assert.Nil(t, client)
+       assert.Error(t, err)
+}
+
+func Test_shouldReturnError_whenHealthEndpointInvalid(t *testing.T) {
+       client, err := CreateCertServiceClient(validUrl, healthEndpointInvalid, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+       assert.Nil(t, client)
+       assert.Error(t, err)
+}
+
+func Test_shouldReturnError_whenCertEndpointInvalid(t *testing.T) {
+       client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpointInvalid, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+
+       assert.Nil(t, client)
+       assert.Error(t, err)
 }
 
 func Test_shouldReturnError_whenUrlInvalid(t *testing.T) {
-       client, err := CreateCertServiceClient(invalidUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+       client, err := CreateCertServiceClient(invalidUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
        assert.Nil(t, client)
        assert.Error(t, err)
 }
 
 func Test_shouldReturnError_whenCanameEmpty(t *testing.T) {
-       client, err := CreateCertServiceClient(validUrl, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
+       client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, "", testdata.KeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
        assert.Nil(t, client)
        assert.Error(t, err)
 }
 
 func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) {
-       client, err := CreateCertServiceClient(validUrl, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes)
+       client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.NotMatchingKeyBytes, testdata.CertBytes, testdata.CacertBytes)
 
        assert.Nil(t, client)
        assert.Error(t, err)
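Review bot: None of the new cases exercise a base URL that already carries a path (e.g. `https://oom-cert-service:8443/prefix`), which is exactly where the new path handling differs from the removed parseUrl; adding such a case and asserting the resulting `certificationUrl` and `healthUrl` would pin whichever behaviour is intended. The invalid-endpoint constants all rely on the `:/` prefix to make url.Parse fail, so they cover only one failure shape; a value with a space or a control character would show that the validation is broader than that single case.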
@@ -72,7 +100,7 @@ func Test_shouldReturnError_whenKeyNotMatchingCert(t *testing.T) {
 
 func Test_shouldReturnError_whenKeyInvalid(t *testing.T) {
        //Cert used as key
-       client, err := CreateCertServiceClient(validUrl, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes)
+       client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.CertBytes, testdata.CertBytes, testdata.CacertBytes)
 
        assert.Nil(t, client)
        assert.Error(t, err)
@@ -80,7 +108,7 @@ func Test_shouldReturnError_whenKeyInvalid(t *testing.T) {
 
 func Test_shouldReturnError_whenCertInvalid(t *testing.T) {
        //Cacert used as cert
-       client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes)
+       client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CacertBytes, testdata.CacertBytes)
 
        assert.Nil(t, client)
        assert.Error(t, err)
@@ -88,7 +116,7 @@ func Test_shouldReturnError_whenCertInvalid(t *testing.T) {
 
 func Test_shouldReturnError_whenCacertInvalid(t *testing.T) {
        //Key used as cacert
-       client, err := CreateCertServiceClient(validUrl, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes)
+       client, err := CreateCertServiceClient(validUrl, healthEndpoint, certEndpoint, caName, testdata.KeyBytes, testdata.CertBytes, testdata.KeyBytes)
 
        assert.Nil(t, client)
        assert.Error(t, err)
index 1e15d43..06fc479 100644 (file)
@@ -37,7 +37,7 @@ const (
 )
 
 
-func Test_shouldParseCertificateResponseCorrectly(t *testing.T) {
+func Test_GetCertificates_shouldParseCertificateResponseCorrectly(t *testing.T) {
        responseJson := `{"certificateChain": ["cert-0", "cert-1"], "trustedCertificates": ["trusted-cert-0", "trusted-cert-1"]}`
        responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))
        client := CertServiceClientImpl{
@@ -56,7 +56,7 @@ func Test_shouldParseCertificateResponseCorrectly(t *testing.T) {
        assert.ElementsMatch(t, []string{"trusted-cert-0", "trusted-cert-1"}, response.TrustedCertificates)
 }
 
-func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
+func Test_GetCertificates_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
        responseJson := `not a json`
        responseJsonReader := ioutil.NopCloser(bytes.NewReader([]byte(responseJson)))
        client := CertServiceClientImpl{
@@ -76,7 +76,7 @@ func Test_shouldReturnError_whenResponseIsNotJson(t *testing.T) {
        assert.Error(t, err)
 }
 
-func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
+func Test_GetCertificates_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
        client := CertServiceClientImpl{
                certificationUrl: certificationUrl,
                httpClient:       &httpClientMock{
@@ -91,6 +91,57 @@ func Test_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
        assert.Error(t, err)
 }
 
+func Test_CheckHealth_shouldReturnNil_whenHttpClientReturnsStatusCode200(t *testing.T) {
+       client := CertServiceClientImpl{
+               certificationUrl: certificationUrl,
+               httpClient:       &httpClientMock{
+                       DoFunc: func(req *http.Request) (response *http.Response, e error) {
+                               mockedResponse := &http.Response{
+                                       Body: nil,
+                                       StatusCode: 200,
+                               }
+                               return mockedResponse, nil
+                       },
+               },
+       }
+
+       err := client.CheckHealth()
+
+       assert.Nil(t, err)
+}
+
+func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsStatusCode404(t *testing.T) {
+       client := CertServiceClientImpl{
+               certificationUrl: certificationUrl,
+               httpClient:       &httpClientMock{
+                       DoFunc: func(req *http.Request) (response *http.Response, e error) {
+                               mockedResponse := &http.Response{
+                                       Body: nil,
+                                       StatusCode: 404,
+                               }
+                               return mockedResponse, nil
+                       },
+               },
+       }
+
+       err := client.CheckHealth()
+
+       assert.Error(t, err)
+}
+
+func Test_CheckHealth_shouldReturnError_whenHttpClientReturnsError(t *testing.T) {
+       client := CertServiceClientImpl{
+               certificationUrl: certificationUrl,
+               httpClient:       &httpClientMock{
+                       DoFunc: func(req *http.Request) (response *http.Response, err error) {
+                               return nil, fmt.Errorf("mock error")
+                       },
+               },
+       }
+       err := client.CheckHealth()
+
+       assert.Error(t, err)
+}
 
 type httpClientMock struct {
        DoFunc func(*http.Request) (*http.Response, error)
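Review bot: The three CheckHealth tests construct the client with only `certificationUrl` set and leave `healthUrl` empty, and the DoFunc mocks never inspect the request, so a CheckHealth that hit the certificate endpoint by mistake would still pass; set `healthUrl` in the fixture and assert `req.URL.String()` inside DoFunc. The mocked responses also use `Body: nil`, which a real http.Client never returns; prefer `Body: http.NoBody` so the client under test can close the body safely.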
index f26dc87..7339206 100644 (file)
@@ -37,6 +37,10 @@ func init() {
 type CMPv2IssuerSpec struct {
        // URL is the base URL for the CertService certificates instance.
        URL string `json:"url"`
+       // Path to health check endpoint.
+       HealthEndpoint string `json:"healthEndpoint"`
+       // Path to certificate signing endpoint.
+       CertEndpoint string `json:"certEndpoint"`
        // CaName is the name of the external CA server
        CaName string `json:"caName"`
        // KeyRef is a reference to a Secret containing the provisioner
index d526bbc..136d3eb 100644 (file)
@@ -65,6 +65,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
 
        // 1. Fetch the CertificateRequest resource being reconciled.
        certificateRequest := new(cmapi.CertificateRequest)
+       log.Info("Registered new certificate sign request: ", "cert-name", certificateRequest.Name)
        if err := controller.Client.Get(ctx, k8sRequest.NamespacedName, certificateRequest); err != nil {
                err = handleErrorResourceNotFound(log, err)
                return ctrl.Result{}, err
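Review bot: The new log line `log.Info("Registered new certificate sign request: ", "cert-name", certificateRequest.Name)` runs before `controller.Client.Get` populates the object, so `cert-name` is always the empty string; log `k8sRequest.NamespacedName` here instead, or move the line after the Get succeeds. Reconcile starts and ends outside this hunk.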
@@ -72,7 +73,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
 
        // 2. Check if CertificateRequest is meant for CMPv2Issuer (if not ignore)
        if !isCMPv2CertificateRequest(certificateRequest) {
-               log.V(4).Info("Certificate request is not meant for CMPv2Issuer (ignoring)",
+               log.Info("Certificate request is not meant for CMPv2Issuer (ignoring)",
                        "group", certificateRequest.Spec.IssuerRef.Group,
                        "kind", certificateRequest.Spec.IssuerRef.Kind)
                return ctrl.Result{}, nil
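Review bot: Promoting the "not meant for CMPv2Issuer (ignoring)" message from `log.V(4).Info` to `log.Info` means every CertificateRequest for any other issuer in the cluster now emits a default-level line on each reconcile, which is noise rather than signal; keep it at `log.V(4).Info` (or at most V(1)) and reserve the default level for requests this controller actually handles. The same applies to the "already completed CertificateRequest" message that receives the identical change below. Reconcile starts and ends outside this hunk.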
@@ -81,7 +82,7 @@ func (controller *CertificateRequestController) Reconcile(k8sRequest ctrl.Reques
        // 3. If the certificate data is already set then we skip this request as it
        // has already been completed in the past.
        if len(certificateRequest.Status.Certificate) > 0 {
-               log.V(4).Info("Existing certificate data found in status, skipping already completed CertificateRequest")
+               log.Info("Existing certificate data found in status, skipping already completed CertificateRequest")
                return ctrl.Result{}, nil
        }
 
index 1b4e531..c6e0e1d 100644 (file)
@@ -83,7 +83,7 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul
                return ctrl.Result{}, err
        }
 
-       // 4. Create CMPv2 provisioner and store the instance for further use
+       // 4. Create CMPv2 provisioner
        provisioner, err := provisioners.CreateProvisioner(issuer, secret)
        if err != nil {
                log.Error(err, "failed to initialize provisioner")
@@ -91,9 +91,14 @@ func (controller *CMPv2IssuerController) Reconcile(req ctrl.Request) (ctrl.Resul
                handleErrorProvisionerInitialization(ctx, log, err, statusUpdater)
                return ctrl.Result{}, err
        }
+
+       // 5. Check health of the provisioner and store the instance for further use
+       if err := provisioner.CheckHealth(); err != nil {
+               return ctrl.Result{}, err
+       }
        provisioners.Store(req.NamespacedName, provisioner)
 
-       // 5. Update the status of CMPv2Issuer to 'Validated'
+       // 6. Update the status of CMPv2Issuer to 'Validated'
        if err := updateCMPv2IssuerStatusToVerified(statusUpdater, ctx, log); err != nil {
                handleErrorUpdatingCMPv2IssuerStatus(log, err)
                return ctrl.Result{}, err
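Review bot: When `provisioner.CheckHealth()` fails the reconcile returns the error without logging it or updating the CMPv2Issuer status, unlike the provisioner-initialisation failure just above that calls `handleErrorProvisionerInitialization`, so an unreachable CertService leaves the issuer silently un-validated with no condition explaining why. Mirror the step-4 handling: `log.Error(err, "CMPv2 issuer health check failed")` followed by `handleErrorProvisionerInitialization(ctx, log, err, statusUpdater)` (or a dedicated handler) before `return ctrl.Result{}, err`. Reconcile starts and ends outside this hunk.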
index 67d719c..c0304d7 100644 (file)
@@ -29,7 +29,6 @@ import (
        "bytes"
        "context"
        "crypto/x509"
-       "encoding/base64"
        "encoding/pem"
        "fmt"
        "sync"
@@ -47,6 +46,8 @@ var collection = new(sync.Map)
 type CertServiceCA struct {
        name              string
        url               string
+       healthEndpoint    string
+       certEndpoint      string
        caName            string
        certServiceClient certserviceclient.CertServiceClient
 }
@@ -57,14 +58,22 @@ func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.
        ca.name = cmpv2Issuer.Name
        ca.url = cmpv2Issuer.Spec.URL
        ca.caName = cmpv2Issuer.Spec.CaName
+       ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
+       ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
        ca.certServiceClient = certServiceClient
 
        log := ctrl.Log.WithName("cmpv2-provisioner")
-       log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName)
+       log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
 
        return &ca, nil
 }
 
+func (ca *CertServiceCA) CheckHealth() error {
+       log := ctrl.Log.WithName("cmpv2-provisioner")
+       log.Info("Checking health of CMPv2 issuer: ", "name", ca.name)
+       return ca.certServiceClient.CheckHealth()
+}
+
 func Load(namespacedName types.NamespacedName) (*CertServiceCA, bool) {
        provisioner, ok := collection.Load(namespacedName)
        if !ok {
@@ -99,30 +108,27 @@ func (ca *CertServiceCA) Sign(ctx context.Context, certificateRequest *certmanag
        log.Info("Certificate Chain", "cert-chain", response.CertificateChain)
        log.Info("Trusted Certificates", "trust-certs", response.TrustedCertificates)
 
-       cert := x509.Certificate{}
-       cert.Raw = csr.Raw
 
        // TODO
-       // write here code which will call CertServiceCA and sign CSR
-       // END
-
+       // stored response as PEM
+       cert := x509.Certificate{}
+       cert.Raw = csr.Raw
        encodedPEM, err := encodeX509(&cert)
        if err != nil {
                return nil, nil, err
        }
+       // END
 
        signedPEM := encodedPEM
        trustedCA := encodedPEM
 
-       log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
        log.Info("Signed cert PEM: ", "bytes", signedPEM)
        log.Info("Trusted CA  PEM: ", "bytes", trustedCA)
+       log.Info("Successfully signed: ", "cert-name", certificateRequest.Name)
 
        return signedPEM, trustedCA, nil
 }
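Review bot: Sign still returns the re-encoded CSR bytes as both `signedPEM` and `trustedCA` (the `cert.Raw = csr.Raw` stub inside the TODO) while the CertService response whose `CertificateChain` and `TrustedCertificates` are logged just above is discarded, and then logs `Successfully signed`; cert-manager will store that CSR-as-certificate in the target Secret as if it were issued. Until the response is actually consumed, the log line should not claim success, and `response.CertificateChain` / `response.TrustedCertificates` should be the source of the returned PEMs. Logging `signedPEM` and `trustedCA` as `[]byte` through logr also prints a numeric byte array rather than PEM text; use `string(signedPEM)` if the dump is wanted at all. Sign starts outside this hunk.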
 
-// TODO JM utility methods - will be used in "real" implementation
-
 // decodeCSR decodes a certificate request in PEM format and returns the
 func decodeCSR(data []byte) (*x509.CertificateRequest, error) {
        block, rest := pem.Decode(data)
@@ -151,24 +157,3 @@ func encodeX509(cert *x509.Certificate) ([]byte, error) {
        }
        return caPem.Bytes(), nil
 }
-
-// generateSubject returns the first SAN that is not 127.0.0.1 or localhost. The
-// CSRs generated by the Certificate resource have always those SANs. If no SANs
-// are available `certservice-issuer-certificate` will be used as a subject is always
-// required.
-func generateSubject(sans []string) string {
-       if len(sans) == 0 {
-               return "certservice-issuer-certificate"
-       }
-       for _, s := range sans {
-               if s != "127.0.0.1" && s != "localhost" {
-                       return s
-               }
-       }
-       return sans[0]
-}
-
-func decode(cert string) []byte {
-       bytes, _ := base64.RawStdEncoding.DecodeString(cert)
-       return bytes
-}
index 125c1bc..27f5c10 100644 (file)
@@ -44,7 +44,8 @@ func CreateProvisioner(issuer *cmpv2api.CMPv2Issuer, secret v1.Secret) (*CertSer
                return nil, err
        }
 
-       certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
+       certServiceClient, err := certserviceclient.CreateCertServiceClient(issuer.Spec.URL, issuer.Spec.HealthEndpoint, issuer.Spec.CertEndpoint,
+               issuer.Spec.CaName, keyBase64, certBase64, cacertBase64)
        if err != nil {
                return nil, err
        }
index 1e215d3..3c0dbfd 100644 (file)
@@ -35,6 +35,8 @@ import (
 const (
        secretName      = "issuer-cert-secret"
        url             = "https://oom-cert-service:8443/v1/certificate/"
+       healthEndpoint  = "actuator/health"
+       certEndpoint    = "v1/certificate"
        caName          = "RA"
        keySecretKey    = "cmpv2Issuer-key.pem"
        certSecretKey   = "cmpv2Issuer-cert.pem"
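Review bot: The `url` constant keeps its old value `https://oom-cert-service:8443/v1/certificate/` while the new `certEndpoint` is also `v1/certificate`, so the fixture no longer matches the configuration shape this change introduces (base URL without the API path); the test only passes because the factory currently discards the base path. Use `https://oom-cert-service:8443` here to match deploy/configuration.yaml.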
@@ -49,6 +51,8 @@ func Test_shouldCreateProvisioner(t *testing.T) {
        assert.NotNil(t, provisioner)
        assert.Equal(t, url, provisioner.url)
        assert.Equal(t, caName, provisioner.caName)
+       assert.Equal(t, healthEndpoint, provisioner.healthEndpoint)
+       assert.Equal(t, certEndpoint, provisioner.certEndpoint)
 }
 
 func Test_shouldReturnError_whenSecretMissingKeyRef(t *testing.T) {
@@ -103,6 +107,8 @@ func getValidIssuerAndSecret() (cmpv2api.CMPv2Issuer, v1.Secret) {
        issuer := cmpv2api.CMPv2Issuer{
                Spec: cmpv2api.CMPv2IssuerSpec{
                        URL:    url,
+                       HealthEndpoint: healthEndpoint,
+                       CertEndpoint: certEndpoint,
                        CaName: caName,
                        CertSecretRef: cmpv2api.SecretKeySelector{
                                Name:      secretName,
index 39e399b..31f2bc2 100644 (file)
@@ -167,3 +167,8 @@ type certServiceClientMock struct {
 func (client *certServiceClientMock) GetCertificates(csr []byte, key []byte) (*certserviceclient.CertificatesResponse, error) {
        return client.getCertificatesFunc(csr, key)
 }
+
+func (client *certServiceClientMock) CheckHealth() error {
+       return nil
+}
+