From 591f8b690ff0c786e92e7aeddd8f622ecfa8e6ca Mon Sep 17 00:00:00 2001 From: James Munnelly Date: Thu, 28 Feb 2019 21:12:06 +0000 Subject: [PATCH] Update CA issuer Signed-off-by: James Munnelly --- pkg/issuer/ca/BUILD.bazel | 2 +- pkg/issuer/ca/issue.go | 23 ++++++++++++++++++----- pkg/issuer/ca/setup.go | 13 ++++++++----- 3 files changed, 27 insertions(+), 11 deletions(-) diff --git a/pkg/issuer/ca/BUILD.bazel b/pkg/issuer/ca/BUILD.bazel index 1beb6e7d5..e5178e3cc 100644 --- a/pkg/issuer/ca/BUILD.bazel +++ b/pkg/issuer/ca/BUILD.bazel @@ -14,13 +14,13 @@ go_library( "//pkg/apis/certmanager/v1alpha1:go_default_library", "//pkg/controller:go_default_library", "//pkg/issuer:go_default_library", + "//pkg/logs:go_default_library", "//pkg/util/errors:go_default_library", "//pkg/util/kube:go_default_library", "//pkg/util/pki:go_default_library", "//vendor/k8s.io/api/core/v1:go_default_library", "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library", "//vendor/k8s.io/client-go/listers/core/v1:go_default_library", - "//vendor/k8s.io/klog:go_default_library", ], ) diff --git a/pkg/issuer/ca/issue.go b/pkg/issuer/ca/issue.go index 68de6077a..40f88f092 100644 --- a/pkg/issuer/ca/issue.go +++ b/pkg/issuer/ca/issue.go @@ -21,10 +21,10 @@ import ( corev1 "k8s.io/api/core/v1" k8sErrors "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/klog" "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1" "github.com/jetstack/cert-manager/pkg/issuer" + logf "github.com/jetstack/cert-manager/pkg/logs" "github.com/jetstack/cert-manager/pkg/util/errors" "github.com/jetstack/cert-manager/pkg/util/kube" "github.com/jetstack/cert-manager/pkg/util/pki" 
@@ -44,12 +44,17 @@ const ( // supporting resources, and to ensure we re-attempt issuance when these resources // are fixed, it always returns an error on any failure. func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.IssueResponse, error) { + log := logf.FromContext(ctx, "issue") + log = logf.WithRelatedResourceName(log, crt.Spec.SecretName, crt.Namespace, "Secret") + // get a copy of the existing/currently issued Certificate's private key signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName) if k8sErrors.IsNotFound(err) || errors.IsInvalidData(err) { + log.Info("generating new private key") // if one does not already exist, generate a new one signeeKey, err = pki.GeneratePrivateKeyForCertificate(crt) if err != nil { + log.Error(err, "error generating private key") c.Recorder.Eventf(crt, corev1.EventTypeWarning, "PrivateKeyError", "Error generating certificate private key: %v", err) // don't trigger a retry. An error from this function implies some // invalid input parameters, and retrying without updating the 
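Review bot: The added `log.Info("generating new private key")` fires both when the target Secret is absent and when `errors.IsInvalidData(err)` reports an existing key that could not be parsed, but it drops `err`, so a stored private key being replaced because it was unreadable is indistinguishable in the log from a first issuance. Overwriting a Secret's key is an event an operator may need to trace back (corruption, or someone having tampered with the Secret), so carry the reason on the line, e.g. `log.Info("generating new private key", "reason", err.Error())`, assuming the `logf` logger takes key/value pairs in the logr style its `Error(err, msg)` calls suggest. Issue's body continues beyond this hunk.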
@@ -58,28 +63,30 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.Issu } } if err != nil { - klog.Errorf("Error getting private key %q for certificate: %v", crt.Spec.SecretName, err) + log.Error(err, "error getting private key for certificate") return nil, err } // extract the public component of the key signeePublicKey, err := pki.PublicKeyForPrivateKey(signeeKey) if err != nil { - klog.Errorf("Error getting public key from private key: %v", err) + log.Error(err, "error getting public key from private key") return nil, err } // get a copy of the CA certificate named on the Issuer caCerts, caKey, err := kube.SecretTLSKeyPair(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName) if err != nil { - klog.Errorf("Error getting signing CA for Issuer: %v", err) + log := logf.WithRelatedResourceName(log, c.issuer.GetSpec().CA.SecretName, c.resourceNamespace, "Secret") + log.Info("error getting signing CA for Issuer") return nil, err } // generate a x509 certificate template for this Certificate template, err := pki.GenerateTemplate(crt) if err != nil { - c.Recorder.Eventf(crt, corev1.EventTypeWarning, "ErrorSigning", "Error signing certificate: %v", err) + log.Error(err, "error generating certificate template") + c.Recorder.Eventf(crt, corev1.EventTypeWarning, "ErrorSigning", "Error generating certificate template: %v", err) return nil, err } @@ -88,6 +95,7 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.Issu // sign and encode the certificate certPem, _, err := pki.SignCertificate(template, caCert, signeePublicKey, caKey) if err != nil { + log.Error(err, "error signing certificate") c.Recorder.Eventf(crt, corev1.EventTypeWarning, "ErrorSigning", "Error signing certificate: %v", err) return nil, err } 
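Review bot: In the `caCerts, caKey, err := kube.SecretTLSKeyPair(...)` failure branch the new code replaces `klog.Errorf(..., err)` with `log.Info("error getting signing CA for Issuer")`, which discards the error value and logs at Info level while every sibling branch in this hunk uses `log.Error(err, …)`. The error is still returned, but the reason the signing CA could not be loaded (missing Secret, unparsable key, mismatched pair) is exactly what an operator needs in the controller log when issuance from this CA stops. Suggest `log.Error(err, "error getting signing CA for Issuer")` on the rebound logger. Issue's body starts and ends outside this hunk.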
@@ -96,6 +104,7 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.Issu // TODO: replace caCerts with caCerts[1:]? chainPem, err := pki.EncodeX509Chain(caCerts) if err != nil { + log.Error(err, "error encoding x509 certificate chain") return nil, err } @@ -104,6 +113,7 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.Issu // Encode output private key and CA cert ready for return keyPem, err := pki.EncodePrivateKey(signeeKey) if err != nil { + log.Error(err, "error encoding private key") c.Recorder.Eventf(crt, corev1.EventTypeWarning, "ErrorPrivateKey", "Error encoding private key: %v", err) return nil, err } @@ -111,10 +121,13 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (*issuer.Issu // encode the CA certificate to be bundled in the output caPem, err := pki.EncodeX509(caCerts[0]) if err != nil { + log.Error(err, "error encoding certificate") c.Recorder.Eventf(crt, corev1.EventTypeWarning, "ErrorSigning", "Error encoding certificate: %v", err) return nil, err } + log.Info("certificate issued") + return &issuer.IssueResponse{ PrivateKey: keyPem, Certificate: certPem, diff --git a/pkg/issuer/ca/setup.go b/pkg/issuer/ca/setup.go index fd0f81c54..56ff0ff6c 100644 --- a/pkg/issuer/ca/setup.go +++ b/pkg/issuer/ca/setup.go @@ -20,10 +20,10 @@ import ( "context" "k8s.io/api/core/v1" - "k8s.io/klog" apiutil "github.com/jetstack/cert-manager/pkg/api/util" "github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1" + logf "github.com/jetstack/cert-manager/pkg/logs" "github.com/jetstack/cert-manager/pkg/util/kube" ) 
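Review bot: The new `log.Info("certificate issued")` records that this CA signed something but nothing about what was signed, and for a signing action that is the line an audit trail needs; the logger carries only what `FromContext` and the Secret relation attached earlier. If `template` is an `*x509.Certificate`, as its use in `pki.SignCertificate` suggests, and `pki.GenerateTemplate` populates the serial and validity, they are at hand: `log.Info("certificate issued", "serial_number", template.SerialNumber.String(), "not_after", template.NotAfter)`. This assumes the `logf` logger accepts key/value pairs in the logr style its `Error(err, msg)` signature suggests; Issue's body starts outside this hunk.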
@@ -40,10 +40,12 @@ const ( ) func (c *CA) Setup(ctx context.Context) error { + log := logf.FromContext(ctx, "setup") + cert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName) if err != nil { + log.Error(err, "error getting signing CA TLS certificate") s := messageErrorGetKeyPair + err.Error() - klog.Info(s) c.Recorder.Event(c.issuer, v1.EventTypeWarning, errorGetKeyPair, s) apiutil.SetIssuerCondition(c.issuer, v1alpha1.IssuerConditionReady, v1alpha1.ConditionFalse, errorGetKeyPair, s) return err @@ -51,23 +53,24 @@ func (c *CA) Setup(ctx context.Context) error { _, err = kube.SecretTLSKey(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName) if err != nil { + log.Error(err, "error getting signing CA private key") s := messageErrorGetKeyPair + err.Error() - klog.Info(s) c.Recorder.Event(c.issuer, v1.EventTypeWarning, errorGetKeyPair, s) apiutil.SetIssuerCondition(c.issuer, v1alpha1.IssuerConditionReady, v1alpha1.ConditionFalse, errorGetKeyPair, s) return err } + log = logf.WithRelatedResourceName(log, c.issuer.GetSpec().CA.SecretName, c.resourceNamespace, "Secret") if !cert.IsCA { s := messageErrorGetKeyPair + "certificate is not a CA" - klog.Info(s) + log.Error(nil, "signing certificate is not a CA") c.Recorder.Event(c.issuer, v1.EventTypeWarning, errorInvalidKeyPair, s) apiutil.SetIssuerCondition(c.issuer, v1alpha1.IssuerConditionReady, v1alpha1.ConditionFalse, errorInvalidKeyPair, s) // Don't return an error here as there is nothing more we can do return nil } - klog.Info(messageKeyPairVerified) + log.Info("signing CA verified") c.Recorder.Event(c.issuer, v1.EventTypeNormal, successKeyPairVerified, messageKeyPairVerified) apiutil.SetIssuerCondition(c.issuer, v1alpha1.IssuerConditionReady, v1alpha1.ConditionTrue, successKeyPairVerified, messageKeyPairVerified)
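Review bot: `log.Error(err, "error getting signing CA TLS certificate")` (and the private-key counterpart below it) is emitted from a logger that does not yet name the CA Secret, because `log = logf.WithRelatedResourceName(log, c.issuer.GetSpec().CA.SecretName, c.resourceNamespace, "Secret")` is only attached after both lookups have succeeded, as the following hunk shows. Those failure lines are precisely the ones where the Secret name matters to whoever is debugging an Issuer that will not become Ready. Attach it immediately after `log := logf.FromContext(ctx, "setup")` as the second statement of Setup and drop the later assignment. Setup's body continues beyond this hunk.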