[OOM-K8S-CERT-EXTERNAL-PROVIDER] Add request handling when updateEndpoint is missing 96/122796/2
authorTomasz Wrobel <tomasz.wrobel@nokia.com>
Wed, 21 Jul 2021 13:37:56 +0000 (15:37 +0200)
committerTomasz Wrobel <tomasz.wrobel@nokia.com>
Wed, 21 Jul 2021 14:52:46 +0000 (16:52 +0200)
Issue-ID: OOM-2753
Signed-off-by: Tomasz Wrobel <tomasz.wrobel@nokia.com>
Change-Id: I06fc3043787631b83cc776b1e446700bd13f9863

certServiceK8sExternalProvider/deploy/configuration.yaml
certServiceK8sExternalProvider/deploy/crd.yaml
certServiceK8sExternalProvider/src/cmpv2controller/util/certificate_update_util_test.go
certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner.go
certServiceK8sExternalProvider/src/cmpv2provisioner/cmpv2_provisioner_test.go

index 5764a52..45fc5c4 100644 (file)
@@ -31,6 +31,7 @@ spec:
   url: https://oom-cert-service:8443
   healthEndpoint: actuator/health
   certEndpoint: v1/certificate
+  updateEndpoint: v1/certificate-update
   caName: RA
   certSecretRef:
     name: cmpv2-issuer-secret
index b14d806..71fb58e 100644 (file)
@@ -66,6 +66,9 @@ spec:
                 certEndpoint:
                   description: Path of cerfificate signing enpoint.
                   type: string
+                updateEndpoint:
+                  description: Path of certificate update endpoint.
+                  type: string
                 caName:
                   description: Name of the external CA server configured on CertService API side.
                   type: string
@@ -99,6 +102,7 @@ spec:
                 - url
                 - healthEndpoint
                 - certEndpoint
+                - updateEndpoint
                 - caName
                 - certSecretRef
               type: object
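Review bot: Adding `updateEndpoint` to the CRD's `required` list (the `- updateEndpoint` line in the second hunk) works against what this commit sets out to handle: an issuer manifest that omits the field is now rejected at admission by the API server, so the "missing update endpoint" fallback added in `cmpv2_provisioner.go` is reachable only when the field is present but set to an empty string. If the intent is to let operators run without an update endpoint, drop `- updateEndpoint` from `required` and keep the property optional in the schema; if the intent is to make it mandatory, the fallback code path becomes dead in practice and the commit message should say so. Either way the `description` for the new property should state which one is meant, e.g. `description: Path of certificate update endpoint. Optional; when empty, renewals are sent as plain certificate requests.` (only if the optional reading is chosen).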
index f900527..a48cb60 100644 (file)
@@ -35,8 +35,8 @@ import (
 )
 
 const (
-       testPrivateKeyData   = "test-private-key"
-       testCertificateData  = "test-certificate"
+       testPrivateKeyData  = "test-private-key"
+       testCertificateData = "test-certificate"
 )
 
 func Test_CheckIfCertificateUpdateAndRetrieveOldCertificateAndPk_revisionOne(t *testing.T) {
@@ -128,4 +128,3 @@ func Test_RetrieveOldCertificateAndPk_shouldBeEmptyWhenOldCertificateCannotBeUnm
        assert.Equal(t, []byte{}, certificate)
        assert.Equal(t, []byte{}, privateKey)
 }
-
index 5393249..db171e3 100644 (file)
@@ -43,6 +43,7 @@ type CertServiceCA struct {
        url               string
        healthEndpoint    string
        certEndpoint      string
+       updateEndpoint    string
        caName            string
        certServiceClient certserviceclient.CertServiceClient
 }
@@ -55,10 +56,11 @@ func New(cmpv2Issuer *cmpv2api.CMPv2Issuer, certServiceClient certserviceclient.
        ca.caName = cmpv2Issuer.Spec.CaName
        ca.healthEndpoint = cmpv2Issuer.Spec.HealthEndpoint
        ca.certEndpoint = cmpv2Issuer.Spec.CertEndpoint
+       ca.updateEndpoint = cmpv2Issuer.Spec.UpdateEndpoint
        ca.certServiceClient = certServiceClient
 
        log := leveledlogger.GetLoggerWithName("cmpv2-provisioner")
-       log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint)
+       log.Info("Configuring CA: ", "name", ca.name, "url", ca.url, "caName", ca.caName, "healthEndpoint", ca.healthEndpoint, "certEndpoint", ca.certEndpoint, "updateEndpoint", ca.updateEndpoint)
 
        return &ca, nil
 }
@@ -93,7 +95,6 @@ func (ca *CertServiceCA) Sign(
 
        var response *certserviceclient.CertificatesResponse
        var errAPI error
-
        if ca.isCertificateUpdate(signCertificateModel) {
                log.Debug("Certificate will be updated.", "old-certificate", signCertificateModel.OldCertificateBytes)
                log.Info("Attempt to send certificate update request")
@@ -124,7 +125,17 @@ func (ca *CertServiceCA) Sign(
        return signedCertificateChain, trustedCertificates, nil
 }
 
+func (ca *CertServiceCA) updateEndpointIsConfigured() bool {
+       log := leveledlogger.GetLoggerWithName("certservice-provisioner")
+       isConfigured := ca.updateEndpoint != ""
+       if !isConfigured {
+               log.Info("Missing 'update endpoint' configuration. Certificates will received by certificate request instead of certificate update request")
+       }
+       return isConfigured
+}
 
 func (ca *CertServiceCA) isCertificateUpdate(signCertificateModel model.SignCertificateModel) bool {
-       return len(signCertificateModel.OldCertificateBytes) > 0 && len(signCertificateModel.OldPrivateKeyBytes) > 0
+       return len(signCertificateModel.OldCertificateBytes) > 0 &&
+               len(signCertificateModel.OldPrivateKeyBytes) > 0 &&
+               ca.updateEndpointIsConfigured()
 }
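Review bot: `updateEndpointIsConfigured` obtains its logger under the name `certservice-provisioner`, while `New` in the same file uses `cmpv2-provisioner` (the `log :=` line in the second hunk); the mismatch makes the fallback message hard to correlate with the rest of this provisioner's log lines, so use `leveledlogger.GetLoggerWithName("cmpv2-provisioner")` here as well. The message text also reads `Certificates will received by certificate request ...`; suggest `Missing 'update endpoint' configuration. Falling back to a certificate request instead of a certificate update request`. Because `isCertificateUpdate` short-circuits on the old certificate and key checks first, the message is emitted on every `Sign` call that carries old material and would otherwise have been an update, which is a useful operator signal but an easy-to-miss side effect for a boolean predicate; a one-line comment on `isCertificateUpdate` such as `// Logs and returns false when old material is present but no update endpoint is configured.` would make that explicit. The `Sign` method whose hunk precedes these functions begins outside this view.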
index e0b0c2e..39af8ec 100644 (file)
@@ -37,6 +37,7 @@ import (
 
 const ISSUER_NAME = "cmpv2-issuer"
 const ISSUER_URL = "issuer/url"
+const ISSUER_UPDATE_URL = "update-url"
 const ISSUER_NAMESPACE = "onap"
 
 func Test_shouldCreateCorrectCertServiceCA(t *testing.T) {
@@ -122,10 +123,41 @@ func Test_shouldReturnCorrectSignedPemsWhenParametersAreCorrectForUpdateCertific
        testdata.VerifyCertsAreEqualToExpected(t, signedPEM, trustedCAs)
 }
 
+func Test_shouldReturnCorrectSignedPemForCertificateRequestWhenUpdateEndpointConfigurationIsMissing(t *testing.T) {
+       issuer := createIssuerAndCerts(ISSUER_NAME, ISSUER_URL)
+       issuer.Spec.UpdateEndpoint = ""
+       provisionerFactory := ProvisionerFactoryMock{}
+       provisioner, err := provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{})
+
+       issuerNamespaceName := testdata.CreateIssuerNamespaceName(ISSUER_NAMESPACE, ISSUER_NAME)
+       Store(issuerNamespaceName, provisioner)
+
+       provisioner, ok := Load(issuerNamespaceName)
+
+       testdata.VerifyThatConditionIsTrue(ok, "Provisioner could not be loaded", t)
+
+       request := createCertificateRequest()
+       privateKeyBytes := getPrivateKeyBytes()
+
+       signCertificateModel := model.SignCertificateModel{
+               CertificateRequest:  request,
+               PrivateKeyBytes:     privateKeyBytes,
+               OldCertificateBytes: testdata.OldCertificateBytes,
+               OldPrivateKeyBytes:  testdata.OldPrivateKeyBytes,
+       }
+
+       signedPEM, trustedCAs, err := provisioner.Sign(signCertificateModel)
+
+       assert.Nil(t, err)
+
+       testdata.VerifyCertsAreEqualToExpected(t, signedPEM, trustedCAs)
+}
+
 func createIssuerAndCerts(name string, url string) cmpv2api.CMPv2Issuer {
        issuer := cmpv2api.CMPv2Issuer{}
        issuer.Name = name
        issuer.Spec.URL = url
+       issuer.Spec.UpdateEndpoint = ISSUER_UPDATE_URL
        return issuer
 }
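Review bot: In `Test_shouldReturnCorrectSignedPemForCertificateRequestWhenUpdateEndpointConfigurationIsMissing` the `err` returned by `provisionerFactory.CreateProvisioner(&issuer, apiv1.Secret{})` is never checked before the provisioner is stored and loaded, so a factory failure would surface as a nil-pointer panic inside `provisioner.Sign` rather than as a test failure; add `assert.Nil(t, err)` directly after that call. The test also asserts only that the returned certificates match the expected ones, which is the same check the update-path test above makes via `testdata.VerifyCertsAreEqualToExpected`; unless the mock client returns different material for the two endpoints (not visible here), this test passes regardless of which request path `Sign` took. To actually pin the fallback this commit introduces, assert on the mock that the update endpoint was not invoked, or use distinct expected certificates for the two paths.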