From 6acb667812dd68cc50a5f33d5bc1324b2d30aba1 Mon Sep 17 00:00:00 2001
From: Marco Carletti
Date: Thu, 9 Jan 2025 14:24:54 +0100
Subject: [PATCH] cert-manager: using cert manager client for CR
---
 system-x/services/cert-manager/pom.xml | 18 +++--
 .../tnb/certmanager/service/CertManager.java | 13 +++-
 .../validation/CertManagerValidation.java | 77 +++++++++++--------
 .../cert-manager/certificate-template.vm | 34 --------
 4 files changed, 65 insertions(+), 77 deletions(-)
 delete mode 100644 system-x/services/cert-manager/src/main/resources/cert-manager/certificate-template.vm
diff --git a/system-x/services/cert-manager/pom.xml b/system-x/services/cert-manager/pom.xml
index a7a994070..1610e7945 100644
--- a/system-x/services/cert-manager/pom.xml
+++ b/system-x/services/cert-manager/pom.xml
@@ -18,17 +18,21 @@
- org.apache.velocity - velocity-engine-core - ${velocity.version} + io.fabric8 + certmanager-client + ${kubernetes.client.version} - org.apache.commons - commons-lang3 + io.fabric8 + certmanager-model-v1alpha2 - org.slf4j - slf4j-api + io.fabric8 + certmanager-model-v1alpha3 + + io.fabric8 + certmanager-model-v1beta1
diff --git a/system-x/services/cert-manager/src/main/java/software/tnb/certmanager/service/CertManager.java b/system-x/services/cert-manager/src/main/java/software/tnb/certmanager/service/CertManager.java
index f3517587c..bf723394a 100644
--- a/system-x/services/cert-manager/src/main/java/software/tnb/certmanager/service/CertManager.java
+++ b/system-x/services/cert-manager/src/main/java/software/tnb/certmanager/service/CertManager.java
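Review bot: The dependency list adds certmanager-model-v1alpha2, -v1alpha3 and -v1beta1, yet the Java code in this patch imports only `io.fabric8.certmanager.api.model.v1`, whose artifact is not declared here — presumably it arrives transitively through `certmanager-client`. If that is the case, the three alpha/beta model artifacts look unused by this module and could be dropped, or `certmanager-model-v1` declared explicitly so the actual compile dependency is visible in the pom. Removing `slf4j-api` and `commons-lang3` is only safe if nothing else in the module still references them, which cannot be confirmed from this hunk.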
@@ -2,17 +2,24 @@
 import software.tnb.certmanager.validation.CertManagerValidation;
 import software.tnb.common.account.NoAccount;
-import software.tnb.common.client.NoClient;
+import software.tnb.common.openshift.OpenshiftClient;
 import software.tnb.common.service.Service;
 import java.util.Optional;
-public abstract class CertManager extends Service {
+import io.fabric8.certmanager.client.CertManagerClient;
+
+public abstract class CertManager extends Service {
 @Override
 public CertManagerValidation validation() {
 validation = Optional.ofNullable(validation)
- .orElseGet(CertManagerValidation::new);
+ .orElseGet(() -> new CertManagerValidation(client()));
 return validation;
 }
+
+ @Override
+ protected CertManagerClient client() {
+ return OpenshiftClient.get().adapt(CertManagerClient.class);
+ }
 }
diff --git a/system-x/services/cert-manager/src/main/java/software/tnb/certmanager/validation/CertManagerValidation.java b/system-x/services/cert-manager/src/main/java/software/tnb/certmanager/validation/CertManagerValidation.java
index c66d8b86f..12e25ea7b 100644
--- a/system-x/services/cert-manager/src/main/java/software/tnb/certmanager/validation/CertManagerValidation.java
+++ b/system-x/services/cert-manager/src/main/java/software/tnb/certmanager/validation/CertManagerValidation.java
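Review bot: The new `client()` override adapts the shared OpenShift client on every call and carries no Javadoc; within this hunk it is invoked exactly once, from the `orElseGet` in `validation()`, so the repeated adaptation costs nothing here, but the contract should be stated for other callers. Suggested Javadoc on the override: `/** Adapts the shared OpenShift client to the cert-manager API; a fresh adapter is returned on each call. */`. If the base `Service` (outside this hunk) calls `client()` from other paths, consider memoizing the adapter the same way `validation` is memoized via `Optional.ofNullable`.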
@@ -3,19 +3,16 @@
 import software.tnb.common.openshift.OpenshiftClient;
 import software.tnb.common.validation.Validation;
-import org.apache.velocity.Template;
-import org.apache.velocity.VelocityContext;
-import org.apache.velocity.app.VelocityEngine;
-import org.apache.velocity.runtime.RuntimeConstants;
-import org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader;
-import org.yaml.snakeyaml.Yaml;
-
-import java.io.StringWriter;
+import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
+import io.fabric8.certmanager.api.model.v1.Certificate;
+import io.fabric8.certmanager.api.model.v1.CertificateBuilder;
+import io.fabric8.certmanager.client.CertManagerClient;
+import io.fabric8.kubernetes.api.model.Duration;
 import io.fabric8.kubernetes.api.model.GenericKubernetesResourceBuilder;
 import io.fabric8.kubernetes.api.model.ServiceAccount;
 import io.fabric8.kubernetes.api.model.ServiceAccountBuilder;
@@ -31,6 +28,8 @@ public class CertManagerValidation implements Validation {
+ private final CertManagerClient client;
+
 private static final CustomResourceDefinitionContext ISSUER_CTX = new CustomResourceDefinitionContext
 .Builder()
 .withGroup("cert-manager.io")
@@ -51,6 +50,10 @@ public class CertManagerValidation implements Validation {
 .withVersion("v1")
 .build();
+ public CertManagerValidation(CertManagerClient client) {
+ this.client = client;
+ }
+
 /**
 * Creates self-signed issuer in the current namespace
 */
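Review bot: The new constructor stores `client` without validating it, so a null passed in would surface only later as an NPE inside `createSelfSignedCertificate` rather than at construction time, where the cause is obvious. Use `this.client = Objects.requireNonNull(client, "client");` and add `import java.util.Objects;` next to the other `java.util` imports in the first hunk. The CRD context that ends with `.withVersion("v1")` / `.build();` just above the constructor appears to be the `CERTIFICATE_CTX` that the rewritten `createSelfSignedCertificate` no longer references; if nothing else in the class uses it, that constant — and possibly the retained `Map` import — is dead after this change, which cannot be confirmed from the hunks shown.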
@@ -81,33 +84,41 @@ public void createSelfSignedIssuer() {
 */
 public void createSelfSignedCertificate(String name, String secretName, String commonName, List usages , List dnsNames, String passwordSecretName) {
- VelocityEngine engine = new VelocityEngine();
- engine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
- engine.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
- engine.init();
- Template template = engine.getTemplate("cert-manager/certificate-template.vm");
- VelocityContext context = new VelocityContext();
- context.put("name", name);
- context.put("secretName", secretName);
- context.put("commonName", commonName);
- context.put("namespace", OpenshiftClient.get().getNamespace());
- context.put("usagesList", usages);
- context.put("dnsNameList", dnsNames);
- context.put("passwordSecretRef", passwordSecretName);
- StringWriter writer = new StringWriter();
- template.merge(context, writer);
- Map spec = new Yaml().load(writer.toString());
-
- OpenshiftClient.get().genericKubernetesResources(CERTIFICATE_CTX)
- .inNamespace(OpenshiftClient.get().getNamespace())
- .resource(new GenericKubernetesResourceBuilder()
- .withKind(CERTIFICATE_CTX.getKind())
+
+ try {
+ // @formatter:off
+ Certificate certificate = new CertificateBuilder()
 .withNewMetadata()
- .withName(name)
+ .withName(name)
 .endMetadata()
- .withAdditionalProperties(spec)
- .build()
- ).serverSideApply();
+ .withNewSpec()
+ .withSecretName(secretName)
+ .withDuration(Duration.parse("2160h"))
+ .withRenewBefore(Duration.parse("360h"))
+ .withNewSubject()
+ .withOrganizations(OpenshiftClient.get().getNamespace())
+ .endSubject()
+ .withCommonName(commonName)
+ .withIsCA(Boolean.FALSE)
+ .withNewPrivateKey("RSA", "PKCS1", null, 2048)
+ .withUsages(usages)
+ .withDnsNames(dnsNames)
+ .withNewIssuerRef("cert-manager.io", "Issuer", "selfsigned-issuer")
+ .withNewKeystores()
+ .withNewJks()
+ .withCreate(true)
+ .withNewPasswordSecretRef("password", passwordSecretName)
+ .endJks()
+ .endKeystores()
+ .endSpec()
+ .build();
+ // @formatter:on
+
+ client.v1().certificates().inNamespace(OpenshiftClient.get().getNamespace())
+ .resource(certificate).create();
+ } catch (ParseException e) {
+ throw new RuntimeException(e);
+ }
 }
 /**
diff --git a/system-x/services/cert-manager/src/main/resources/cert-manager/certificate-template.vm b/system-x/services/cert-manager/src/main/resources/cert-manager/certificate-template.vm
deleted file mode 100644
index 44b5236cb..000000000
--- a/system-x/services/cert-manager/src/main/resources/cert-manager/certificate-template.vm
+++ /dev/null
@@ -1,34 +0,0 @@
-spec:
- secretName: $secretName
- duration: 2160h
- renewBefore: 360h
- subject:
- organizations:
- - $namespace
-
- commonName: $commonName
- isCA: false
- privateKey:
- algorithm: RSA
- encoding: PKCS1
- size: 2048
- usages:
- #foreach($usage in $usagesList)
- - $usage
- #end
-
- dnsNames:
- #foreach($dnsName in $dnsNameList)
- - $dnsName
- #end
- issuerRef:
- name: selfsigned-issuer
- kind: Issuer
- group: cert-manager.io
-
- keystores:
- jks:
- create: true
- passwordSecretRef:
- name: $passwordSecretRef
- key: password
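Review bot: `.resource(certificate).create()` replaces the removed `.serverSideApply()`, so a second call with the same `name` in the same namespace now fails with a conflict from the API server instead of converging on the desired spec; unless single-use is intended, keep the idempotent form, `.resource(certificate).serverSideApply();`. The `catch (ParseException e)` can only be reached through the two hard-coded literals handed to `Duration.parse`, so wrapping it in a bare `RuntimeException` disguises a programming error — `throw new IllegalStateException("invalid hard-coded certificate duration", e);` names the fault, and parsing the two durations once into constants would take the catch out of the request path entirely. The positional overloads `withNewPrivateKey("RSA", "PKCS1", null, 2048)`, `withNewIssuerRef("cert-manager.io", "Issuer", "selfsigned-issuer")` and `withNewPasswordSecretRef("password", passwordSecretName)` depend on the generated argument order (if it follows the alphabetical field order usual for fabric8 models, the `null` is `rotationPolicy` and the pairs map to group/kind/name and key/name, matching the deleted template); the nested-builder form with named setters would make that mapping explicit rather than relying on the reader to know it. The method's Javadoc opens before the hunk.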