github.com/IBM-Blockchain/fabric-operator@v1.0.4/pkg/offering/common/secret.go (about) 1 /* 2 * Copyright contributors to the Hyperledger Fabric Operator project 3 * 4 * SPDX-License-Identifier: Apache-2.0 5 * 6 * Licensed under the Apache License, Version 2.0 (the "License"); 7 * you may not use this file except in compliance with the License. 8 * You may obtain a copy of the License at: 9 * 10 * http://www.apache.org/licenses/LICENSE-2.0 11 * 12 * Unless required by applicable law or agreed to in writing, software 13 * distributed under the License is distributed on an "AS IS" BASIS, 14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 * See the License for the specific language governing permissions and 16 * limitations under the License. 17 */ 18 19 package common 20 21 import ( 22 "context" 23 "encoding/base64" 24 "errors" 25 "fmt" 26 27 "github.com/IBM-Blockchain/fabric-operator/pkg/initializer/common" 28 k8sclient "github.com/IBM-Blockchain/fabric-operator/pkg/k8s/controllerclient" 29 corev1 "k8s.io/api/core/v1" 30 k8serrors "k8s.io/apimachinery/pkg/api/errors" 31 v1 "k8s.io/apimachinery/pkg/apis/meta/v1" 32 "k8s.io/apimachinery/pkg/types" 33 ) 34 35 func GetTLSSignCertEncoded(client k8sclient.Client, instance v1.Object) (string, error) { 36 return getSignCertEncoded("tls", client, instance) 37 } 38 39 func GetTLSKeystoreEncoded(client k8sclient.Client, instance v1.Object) (string, error) { 40 return getKeystoreEncoded("tls", client, instance) 41 } 42 43 func GetTLSCACertEncoded(client k8sclient.Client, instance v1.Object) ([]string, error) { 44 return getCACertEncoded("tls", client, instance) 45 } 46 47 func GetEcertSignCertEncoded(client k8sclient.Client, instance v1.Object) (string, error) { 48 return getSignCertEncoded("ecert", client, instance) 49 } 50 51 func GetEcertKeystoreEncoded(client k8sclient.Client, instance v1.Object) (string, error) { 52 return getKeystoreEncoded("ecert", client, instance) 53 } 54 55 func GetEcertCACertEncoded(client k8sclient.Client, instance v1.Object) ([]string, error) { 56 return getCACertEncoded("ecert", client, instance) 57 } 58 59 func GetEcertAdmincertEncoded(client k8sclient.Client, instance v1.Object) ([]string, error) { 60 return getAdmincertEncoded("ecert", client, instance) 61 } 62 63 func GetEcertIntercertEncoded(client k8sclient.Client, instance v1.Object) ([]string, error) { 64 return getIntermediateCertEncoded("ecert", client, instance) 65 } 66 67 func GetTLSIntercertEncoded(client k8sclient.Client, instance v1.Object) ([]string, error) { 68 return getIntermediateCertEncoded("tls", client, instance) 69 } 70 71 func getSignCertBytes(prefix common.SecretType, client k8sclient.Client, instance v1.Object) ([]byte, error) { 72 secretName := fmt.Sprintf("%s-%s-signcert", prefix, instance.GetName()) 73 namespacedName := types.NamespacedName{ 74 Name: secretName, 75 Namespace: instance.GetNamespace(), 76 } 77 78 secret := &corev1.Secret{} 79 err := client.Get(context.TODO(), namespacedName, secret) 80 if err != nil { 81 return nil, err 82 } 83 84 if secret.Data == nil || len(secret.Data) == 0 { 85 return nil, fmt.Errorf("%s signcert secret is blank", prefix) 86 } 87 88 if secret.Data["cert.pem"] != nil { 89 return secret.Data["cert.pem"], nil 90 } 91 92 return nil, fmt.Errorf("cannot get %s signcert", prefix) 93 } 94 95 func getKeystoreBytes(prefix common.SecretType, client k8sclient.Client, instance v1.Object) ([]byte, error) { 96 secretName := fmt.Sprintf("%s-%s-keystore", prefix, instance.GetName()) 97 namespacedName := types.NamespacedName{ 98 Name: secretName, 99 Namespace: instance.GetNamespace(), 100 } 101 102 secret := &corev1.Secret{} 103 err := client.Get(context.TODO(), namespacedName, secret) 104 if err != nil { 105 return nil, err 106 } 107 108 if secret.Data == nil || len(secret.Data) == 0 { 109 return nil, fmt.Errorf("%s keystore secret is blank", prefix) 110 } 111 112 if secret.Data["key.pem"] != nil { 113 return secret.Data["key.pem"], nil 114 } 115 116 return nil, fmt.Errorf("cannot get %s keystore", prefix) 117 } 118 119 func getCACertBytes(prefix common.SecretType, client k8sclient.Client, instance v1.Object) ([][]byte, error) { 120 secretName := fmt.Sprintf("%s-%s-cacerts", prefix, instance.GetName()) 121 namespacedName := types.NamespacedName{ 122 Name: secretName, 123 Namespace: instance.GetNamespace(), 124 } 125 126 secret := &corev1.Secret{} 127 err := client.Get(context.TODO(), namespacedName, secret) 128 if err != nil { 129 return nil, err 130 } 131 132 if secret.Data == nil || len(secret.Data) == 0 { 133 return nil, errors.New(fmt.Sprintf("%s cacert secret is blank", prefix)) 134 } 135 136 var certs [][]byte 137 for _, cert := range secret.Data { 138 if cert != nil { 139 certs = append(certs, cert) 140 } 141 } 142 143 return certs, nil 144 } 145 146 func getAdmincertBytes(prefix common.SecretType, client k8sclient.Client, instance v1.Object) ([][]byte, error) { 147 secretName := fmt.Sprintf("%s-%s-admincerts", prefix, instance.GetName()) 148 namespacedName := types.NamespacedName{ 149 Name: secretName, 150 Namespace: instance.GetNamespace(), 151 } 152 153 secret := &corev1.Secret{} 154 err := client.Get(context.TODO(), namespacedName, secret) 155 if err != nil { 156 // if admincert secret is not found, admincerts dont exist 157 if k8serrors.IsNotFound(err) { 158 return nil, nil 159 } 160 return nil, err 161 } 162 163 if secret.Data == nil || len(secret.Data) == 0 { 164 // do not throw error 165 return nil, nil // errors.New("Ecert admincert secret is blank") 166 } 167 168 var certs [][]byte 169 for _, cert := range secret.Data { 170 if cert != nil { 171 certs = append(certs, cert) 172 } 173 } 174 175 return certs, nil 176 } 177 178 func getIntermediateCertBytes(prefix common.SecretType, client k8sclient.Client, instance v1.Object) ([][]byte, error) { 179 secretName := fmt.Sprintf("%s-%s-intercerts", prefix, instance.GetName()) 180 namespacedName := types.NamespacedName{ 181 Name: secretName, 182 Namespace: instance.GetNamespace(), 183 } 184 185 secret := &corev1.Secret{} 186 err := client.Get(context.TODO(), namespacedName, secret) 187 if err != nil { 188 // if intercert secret is not found, intercerts dont exist 189 if k8serrors.IsNotFound(err) { 190 return nil, nil 191 } 192 return nil, err 193 } 194 195 if secret.Data == nil || len(secret.Data) == 0 { 196 // do not throw error 197 return nil, nil 198 } 199 200 var certs [][]byte 201 for _, cert := range secret.Data { 202 if cert != nil { 203 certs = append(certs, cert) 204 } 205 } 206 207 return certs, nil 208 } 209 210 func getSignCertEncoded(prefix common.SecretType, client k8sclient.Client, instance v1.Object) (string, error) { 211 certBytes, err := getSignCertBytes(prefix, client, instance) 212 if err != nil { 213 return "", err 214 } 215 216 cert := base64.StdEncoding.EncodeToString(certBytes) 217 return cert, nil 218 } 219 220 func getKeystoreEncoded(prefix common.SecretType, client k8sclient.Client, instance v1.Object) (string, error) { 221 keyBytes, err := getKeystoreBytes(prefix, client, instance) 222 if err != nil { 223 return "", err 224 } 225 226 cert := base64.StdEncoding.EncodeToString(keyBytes) 227 return cert, nil 228 } 229 230 func getCACertEncoded(prefix common.SecretType, client k8sclient.Client, instance v1.Object) ([]string, error) { 231 certBytes, err := getCACertBytes(prefix, client, instance) 232 if err != nil { 233 return nil, err 234 } 235 236 var certs []string 237 for _, certByte := range certBytes { 238 cert := base64.StdEncoding.EncodeToString(certByte) 239 certs = append(certs, cert) 240 } 241 return certs, nil 242 } 243 244 func getAdmincertEncoded(prefix common.SecretType, client k8sclient.Client, instance v1.Object) ([]string, error) { 245 certBytes, err := getAdmincertBytes(prefix, client, instance) 246 if err != nil { 247 return nil, err 248 } 249 250 var certs []string 251 for _, certByte := range certBytes { 252 cert := base64.StdEncoding.EncodeToString(certByte) 253 certs = append(certs, cert) 254 } 255 return certs, nil 256 } 257 258 func getIntermediateCertEncoded(prefix common.SecretType, client k8sclient.Client, instance v1.Object) ([]string, error) { 259 certBytes, err := getIntermediateCertBytes(prefix, client, instance) 260 if err != nil { 261 return nil, err 262 } 263 264 var certs []string 265 for _, certByte := range certBytes { 266 cert := base64.StdEncoding.EncodeToString(certByte) 267 certs = append(certs, cert) 268 } 269 return certs, nil 270 } 271 272 type CACryptoBytes struct { 273 Cert []byte 274 Key []byte 275 OperationsCert []byte 276 OperationsKey []byte 277 TLSCert []byte 278 TLSKey []byte 279 } 280 281 func GetCACryptoBytes(client k8sclient.Client, instance v1.Object) (*CACryptoBytes, error) { 282 secretName := fmt.Sprintf("%s-ca-crypto", instance.GetName()) 283 namespacedName := types.NamespacedName{ 284 Name: secretName, 285 Namespace: instance.GetNamespace(), 286 } 287 288 secret := &corev1.Secret{} 289 err := client.Get(context.TODO(), namespacedName, secret) 290 if err != nil { 291 return nil, err 292 } 293 294 if secret.Data == nil || len(secret.Data) == 0 { 295 return nil, errors.New("CA crypto secret is blank") 296 } 297 298 if secret.Data["tls-cert.pem"] == nil { 299 return nil, errors.New("cannot get tlscert") 300 } 301 302 return &CACryptoBytes{ 303 TLSCert: secret.Data["tls-cert.pem"], 304 TLSKey: secret.Data["tls-key.pem"], 305 Cert: secret.Data["cert.pem"], 306 Key: secret.Data["key.pem"], 307 OperationsCert: secret.Data["operations-cert.pem"], 308 OperationsKey: secret.Data["operations-key.pem"], 309 }, nil 310 } 311 312 func GetTLSCACryptoBytes(client k8sclient.Client, instance v1.Object) (*CACryptoBytes, error) { 313 secretName := fmt.Sprintf("%s-tlsca-crypto", instance.GetName()) 314 namespacedName := types.NamespacedName{ 315 Name: secretName, 316 Namespace: instance.GetNamespace(), 317 } 318 319 secret := &corev1.Secret{} 320 err := client.Get(context.TODO(), namespacedName, secret) 321 if err != nil { 322 return nil, err 323 } 324 325 if secret.Data == nil || len(secret.Data) == 0 { 326 return nil, errors.New("TLSCA crypto secret is blank") 327 } 328 if secret.Data["cert.pem"] == nil { 329 return nil, errors.New("cannot get root TLSCA cert") 330 } 331 return &CACryptoBytes{ 332 Cert: secret.Data["cert.pem"], 333 Key: secret.Data["key.pem"], 334 }, nil 335 } 336 337 type CACryptoEncoded struct { 338 Cert string 339 Key string 340 OperationsCert string 341 OperationsKey string 342 TLSCert string 343 TLSKey string 344 } 345 346 func GetCACryptoEncoded(client k8sclient.Client, instance v1.Object) (*CACryptoEncoded, error) { 347 bytes, err := GetCACryptoBytes(client, instance) 348 if err != nil { 349 return nil, err 350 } 351 352 encoded := &CACryptoEncoded{} 353 encoded.Cert = base64.StdEncoding.EncodeToString(bytes.Cert) 354 encoded.Key = base64.StdEncoding.EncodeToString(bytes.Key) 355 encoded.OperationsCert = base64.StdEncoding.EncodeToString(bytes.OperationsCert) 356 encoded.OperationsKey = base64.StdEncoding.EncodeToString(bytes.OperationsKey) 357 encoded.TLSCert = base64.StdEncoding.EncodeToString(bytes.TLSCert) 358 encoded.TLSKey = base64.StdEncoding.EncodeToString(bytes.TLSKey) 359 360 return encoded, err 361 } 362 363 func GetTLSCACryptoEncoded(client k8sclient.Client, instance v1.Object) (*CACryptoEncoded, error) { 364 bytes, err := GetTLSCACryptoBytes(client, instance) 365 if err != nil { 366 return nil, err 367 } 368 369 encoded := &CACryptoEncoded{} 370 encoded.Cert = base64.StdEncoding.EncodeToString(bytes.Cert) 371 encoded.Key = base64.StdEncoding.EncodeToString(bytes.Key) 372 373 return encoded, err 374 }