Merge pull request #30 from avalluri/simplify-key-provisioning

Simplify key provisioning

Author: ipuustin

Diff for: api/v1alpha1/quoteattestation_types.go

@@ -33,20 +33,13 @@ const (
 
 	// ConditionStatusInit indicates the condition for object status
 	// has just initiated. This is just to allow manual status patching
-	// using kubctl, where no attestation-controller is running.
-	// NOTE: This mist be removed in near feature.
+	// using kubectl, where no attestation-controller is running.
+	// NOTE: This must be removed in near feature.
 	ConditionStatusInit ConditionType = "Init"
 
-	// ConditionQuoteVerified indicates the condition for quote verification
-	// Must be set by the attestation-controller to update the quote verification
-	// state.
-	ConditionQuoteVerified ConditionType = "QuoteVerified"
-	// ConditionCASecretReady indicates the condition for requested secret(s) are
-	// ready. This must be set by the attestation-controller when it fetches
-	// the CA encrypted key and certificate and prepared teh secret.
-	ConditionCASecretReady ConditionType = "CASecretReady"
-	// ConditionReady indicates the condition for the requested signer/CA(s)
-	// provision in to HSM token. This must be set by the attestation requester.
+	// ConditionReady indicates the condition for the request is ready
+	// This should be set by the attestation-controller upon request has
+	// been resolved, i.e. either success or failure.
 	ConditionReady ConditionType = "Ready"
 
 	ReasonTCSReconcile        ConditionReason = "TCSReconcile"

Diff for: api/v1alpha1/zz_generated.deepcopy.go

@@ -7,16 +7,25 @@ metadata:
   name: role
 rules:
 - apiGroups:
-  - '*'
+  - ""
   resources:
   - secrets
   verbs:
   - create
   - delete
   - get
   - list
+  - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets/finalizers
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - cert-manager.io
   resources:

Diff for: config/rbac/role.yaml

@@ -70,7 +70,6 @@ func NewCertificateRequestReconciler(c client.Client, keyProvider keyprovider.Ke
 //+kubebuilder:rbac:groups=cert-manager.io,resources=certificaterequests,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=cert-manager.io,resources=certificaterequests/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=cert-manager.io,resources=certificaterequests/finalizers,verbs=update
-//+kubebuilder:rbac:groups=*,resources=secrets,verbs=get;create;update;delete;list;watch
 
 func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, err error) {
 	if r == nil {

Diff for: controllers/certificate_request_controller.go

@@ -67,7 +67,6 @@ func NewCSRReconciler(c client.Client, scheme *runtime.Scheme, keyProvider keypr
 //+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=certificates.k8s.io,resources=certificatesigningrequests/finalizers,verbs=update
 //+kubebuilder:rbac:groups=certificates.k8s.io,resources=signers,resourceNames=tcsissuer.tcs.intel.com/*;tcsclusterissuer.tcs.intel.com/*,verbs=sign
-//+kubebuilder:rbac:groups=*,resources=secrets,verbs=get;create;update;delete;list;watch
 
 func (r *CSRReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	if r == nil {

Diff for: controllers/csr_controller.go

@@ -58,6 +58,8 @@ func (r *IssuerReconciler) newIssuer() (client.Object, error) {
 
 //+kubebuilder:rbac:groups=tcs.intel.com,resources=tcsissuers;tcsclusterissuers,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=tcs.intel.com,resources=tcsissuers/status;tcsclusterissuers/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;create;update;delete;patch;list;watch
+//+kubebuilder:rbac:groups="",resources=secrets/finalizers,verbs=get;update;patch
 
 func (r *IssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (result ctrl.Result, err error) {
 	log := ctrl.LoggerFrom(ctx)

Diff for: controllers/issuer_controller.go

@@ -24,6 +24,7 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
+	"github.com/intel/trusted-certificate-issuer/internal/k8sutil"
 	"github.com/intel/trusted-certificate-issuer/internal/keyprovider"
 	"github.com/intel/trusted-certificate-issuer/internal/tlsutil"
 	corev1 "k8s.io/api/core/v1"
@@ -154,91 +155,62 @@ func (r *QuoteAttestationReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		// object being deleted, just ignore
 		return ctrl.Result{}, nil
 	}
+	// Do not handle quote attestation request, that supposed to be
+	// handled by the signer (CSR, CR) controllers.
+	if attestReq.Spec.Type == v1alpha1.RequestTypeQuoteAttestation {
+		return ctrl.Result{}, nil
+	}
 
 	l.Info("Attestation", "status", attestReq.Status)
 
 	ready := attestReq.Status.GetCondition(v1alpha1.ConditionReady)
-	if ready != nil && ready.Status == v1.ConditionTrue {
-		// Nothing more to do, remove the quote attestaton CR.
-		if err := client.IgnoreNotFound(r.Delete(context.Background(), &attestReq)); err != nil {
-			l.V(2).Info("Failed to remove QuoteAtestation object. One has to cleanup it manually", "error", err)
-		}
-		return ctrl.Result{}, nil
+	if ready == nil || ready.Status == v1.ConditionUnknown {
+		l.V(3).Info("Still waiting for results")
+		return retry, nil
 	}
 
-	setSignerFailure := func(c *v1alpha1.QuoteAttestationCondition) {
+	if ready.Status == v1.ConditionFalse {
+		// Secret preperation failure at attestation-controller side
+		l.Info("CA secret failure", "reason", ready.Reason, "message", ready.Message)
 		for _, name := range attestReq.Spec.SignerNames {
-			s, err := r.KeyProvider.GetSignerForName(name)
-			if err != nil {
-				l.V(1).Info("failed to get signer to update the attestation failure", "signer", name, "error", err)
-			} else {
-				s.SetError(fmt.Errorf("%s:%s", c.Status, c.Message))
+			if s, _ := r.KeyProvider.GetSignerForName(name); s != nil {
+				s.SetError(fmt.Errorf("%s:%s", ready.Status, ready.Message))
 			}
 		}
+		return ctrl.Result{}, nil
 	}
 
-	secretsReady := attestReq.Status.GetCondition(v1alpha1.ConditionCASecretReady)
-	if secretsReady == nil {
-		verified := attestReq.Status.GetCondition(v1alpha1.ConditionQuoteVerified)
-		if verified == nil {
-			// Still quote is verification not verified, retry later
-			return retry, nil
+	gotAllSecrets := true
+	// attestation passed. Quote get verified
+	l.Info("Using provisioned secrets")
+	for _, signerName := range attestReq.Spec.SignerNames {
+		secret, ok := attestReq.Status.Secrets[signerName]
+		if !ok {
+			gotAllSecrets = false
+			l.Info("Secret not ready", "for signer", signerName)
+			continue
 		}
-		if verified.Status == v1.ConditionTrue {
-			l.V(3).Info("Quote verification success. Waiting for CA secrets get ready.")
-			return retry, nil
-		}
-
-		if verified.Status == v1.ConditionFalse {
-			l.V(3).Info("Quote verification failure", "reason", verified.Reason, "message", verified.Message)
-			setSignerFailure(verified)
-			return ctrl.Result{}, nil
+		var provisionError error
+		if secret.SecretType == KMRABased {
+			l.Info("Using KMRA based secret.", "secretName", secret.SecretName)
+			provisionError = r.loadSecret(ctx, signerName, secret.SecretName, req.Namespace)
+		} else {
+			provisionError = fmt.Errorf("unsupported secret type: %v", secret.SecretType)
 		}
-	} else if secretsReady.Status == v1.ConditionFalse && secretsReady.Reason != v1alpha1.ReasonTCSReconcile {
-		// Secret preperation failure at attestation-controller side
-		l.V(3).Info("CA secret failure", "reason", secretsReady.Reason, "message", secretsReady.Message)
-		setSignerFailure(secretsReady)
-		return ctrl.Result{}, nil
-	} else {
-		gotAllSecrets := true
-		// attestation passed. Quote get verified
-		l.Info("Using provisioned secrets")
-		for _, signerName := range attestReq.Spec.SignerNames {
-			secret, ok := attestReq.Status.Secrets[signerName]
-			if !ok {
-				gotAllSecrets = false
-				l.Info("Secret not ready", "for signer", signerName)
-				continue
-			}
-			var provisionError error
-			if secret.SecretType == KMRABased {
-				l.Info("Using KMRA based secret.", "secretName", secret.SecretName)
-				provisionError = r.loadSecret(ctx, signerName, secret.SecretName, req.Namespace)
-			} else {
-				provisionError = fmt.Errorf("unsupported secret type: %v", secret.SecretType)
-			}
-			if provisionError != nil {
-				l.Info("CA provisioning", "error", provisionError)
-				s, _ := r.KeyProvider.GetSignerForName(signerName)
+		if provisionError != nil {
+			l.Info("CA provisioning", "error", provisionError)
+			if s, _ := r.KeyProvider.GetSignerForName(signerName); s != nil {
 				s.SetError(provisionError)
-				reqCopy := attestReq.DeepCopy()
-				attestReq.Status.SetCondition(v1alpha1.ConditionCASecretReady, v1.ConditionFalse, v1alpha1.ReasonTCSReconcile, provisionError.Error())
-				if err := r.Status().Patch(context.TODO(), &attestReq, client.MergeFrom(reqCopy)); err != nil {
-					r.Log.V(3).Info("Failed to update attestation status", "error", err)
-				}
-				return retry, nil
-			}
-		}
-		if gotAllSecrets {
-			r.done()
-			l.V(1).Info("Attestation passed. Private key(s) saved to enclave")
-			reqCopy := attestReq.DeepCopy()
-			attestReq.Status.SetCondition(v1alpha1.ConditionReady, v1.ConditionTrue, v1alpha1.ReasonTCSReconcile, "All CA keys and certificates stored in Enclace.")
-			if err := r.Status().Patch(context.TODO(), &attestReq, client.MergeFrom(reqCopy)); err != nil {
-				r.Log.V(3).Info("Failed to update attestation status", "error", err)
 			}
+			return retry, nil
 		}
-		return retry, nil
+	}
+	if gotAllSecrets {
+		r.done()
+		l.V(1).Info("Attestation passed. Private key(s) saved to enclave")
+		func() {
+			k8sutil.QuoteAttestationDelete(context.Background(), r.Client, attestReq.Name, attestReq.Namespace)
+		}()
 	}
 
 	return ctrl.Result{}, nil