From 18281263c73949ed9fae0ff334d713d97fcedcb9 Mon Sep 17 00:00:00 2001
From: Hayden Roszell
Date: Thu, 14 Dec 2023 11:26:16 -0700
Subject: [PATCH] chore(comments): Write function comments and update license header
---
 api/v1alpha1/clusterissuer_types.go | 2 +-
 api/v1alpha1/groupversion_info.go | 2 +-
 api/v1alpha1/issuer_types.go | 2 +-
 .../controllers/certificaterequest_controller.go | 2 ++
 .../certificaterequest_controller_test.go | 2 +-
 internal/controllers/fake_configclient_test.go | 2 +-
 internal/controllers/issuer_controller.go | 5 +++--
 internal/controllers/issuer_controller_test.go | 2 +-
 internal/controllers/suite_test.go | 2 +-
 internal/issuer/signer/signer.go | 14 ++++++++++++++
 internal/issuer/signer/signer_test.go | 2 +-
 internal/issuer/util/configclient.go | 14 +++++++++++++-
 internal/issuer/util/configclient_test.go | 2 +-
 internal/issuer/util/util.go | 6 +++++-
 main.go | 2 +-
 15 files changed, 47 insertions(+), 14 deletions(-)
diff --git a/api/v1alpha1/clusterissuer_types.go b/api/v1alpha1/clusterissuer_types.go
index a4b83a1..7df7fd5 100644
--- a/api/v1alpha1/clusterissuer_types.go
+++ b/api/v1alpha1/clusterissuer_types.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/api/v1alpha1/groupversion_info.go b/api/v1alpha1/groupversion_info.go
index 04038ea..235a9d6 100644
--- a/api/v1alpha1/groupversion_info.go
+++ b/api/v1alpha1/groupversion_info.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/api/v1alpha1/issuer_types.go b/api/v1alpha1/issuer_types.go
index 4ed0944..159f3b7 100644
--- a/api/v1alpha1/issuer_types.go
+++ b/api/v1alpha1/issuer_types.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/internal/controllers/certificaterequest_controller.go b/internal/controllers/certificaterequest_controller.go
index ab4d84f..a544ca4 100644
--- a/internal/controllers/certificaterequest_controller.go
+++ b/internal/controllers/certificaterequest_controller.go
@@ -268,6 +268,8 @@ func (r *CertificateRequestReconciler) Reconcile(ctx context.Context, req ctrl.R
 return ctrl.Result{}, nil
 }
 
+// SetupWithManager registers the CertificateRequestReconciler with the controller manager.
+// It configures controller-runtime to reconcile cert-manager CertificateRequests in the cluster.
 func (r *CertificateRequestReconciler) SetupWithManager(mgr ctrl.Manager) error {
 return ctrl.NewControllerManagedBy(mgr).
 For(&cmapi.CertificateRequest{}).
diff --git a/internal/controllers/certificaterequest_controller_test.go b/internal/controllers/certificaterequest_controller_test.go
index 075cb03..46cc9ba 100644
--- a/internal/controllers/certificaterequest_controller_test.go
+++ b/internal/controllers/certificaterequest_controller_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/internal/controllers/fake_configclient_test.go b/internal/controllers/fake_configclient_test.go
index 6143d36..a654654 100644
--- a/internal/controllers/fake_configclient_test.go
+++ b/internal/controllers/fake_configclient_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/internal/controllers/issuer_controller.go b/internal/controllers/issuer_controller.go
index 10a0809..a2c8e53 100644
--- a/internal/controllers/issuer_controller.go
+++ b/internal/controllers/issuer_controller.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -162,7 +162,8 @@ func (r *IssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res
 return ctrl.Result{RequeueAfter: defaultHealthCheckInterval}, nil
 }
 
-// SetupWithManager sets up the controller with the Manager.
+// SetupWithManager registers the IssuerReconciler with the controller manager.
+// It configures controller-runtime to reconcile Keyfactor Command Issuers/ClusterIssuers in the cluster.
 func (r *IssuerReconciler) SetupWithManager(mgr ctrl.Manager) error {
 issuerType, err := r.newIssuer()
 if err != nil {
diff --git a/internal/controllers/issuer_controller_test.go b/internal/controllers/issuer_controller_test.go
index 12c2c54..074b024 100644
--- a/internal/controllers/issuer_controller_test.go
+++ b/internal/controllers/issuer_controller_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/internal/controllers/suite_test.go b/internal/controllers/suite_test.go
index 86c9493..f01a64c 100644
--- a/internal/controllers/suite_test.go
+++ b/internal/controllers/suite_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/internal/issuer/signer/signer.go b/internal/issuer/signer/signer.go
index 187f55d..2e41281 100644
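Review bot: The rewritten comment on IssuerReconciler.SetupWithManager says it reconciles "Issuers/ClusterIssuers", but the first statement of the body is `issuerType, err := r.newIssuer()`, a single kind per reconciler, which suggests one registration covers only Issuer or only ClusterIssuer, not both. A reader wiring up the manager will otherwise assume one call handles the cluster-scoped kind too. Suggest `// SetupWithManager registers this IssuerReconciler with the controller manager for the single issuer kind returned by r.newIssuer() (Issuer or ClusterIssuer); a separate reconciler is needed for the other kind.` SetupWithManager's body continues outside the hunk, so confirm against how newIssuer is set.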
--- a/internal/issuer/signer/signer.go
+++ b/internal/issuer/signer/signer.go
@@ -66,6 +66,7 @@ type Signer interface {
 Sign(context.Context, []byte, K8sMetadata) ([]byte, []byte, error)
 }
 
+// CommandHealthCheckerFromIssuerAndSecretData creates a new HealthChecker instance using the provided issuer spec and secret data
 func CommandHealthCheckerFromIssuerAndSecretData(ctx context.Context, spec *commandissuer.IssuerSpec, authSecretData map[string][]byte, caSecretData map[string][]byte) (HealthChecker, error) {
 signer := commandSigner{}
 
@@ -79,10 +80,13 @@ func CommandHealthCheckerFromIssuerAndSecretData(ctx context.Context, spec *comm
 return &signer, nil
 }
 
+// CommandSignerFromIssuerAndSecretData is a wrapper for commandSignerFromIssuerAndSecretData that returns a Signer interface
+// given the provided issuer spec and secret data
 func CommandSignerFromIssuerAndSecretData(ctx context.Context, spec *commandissuer.IssuerSpec, annotations map[string]string, authSecretData map[string][]byte, caSecretData map[string][]byte) (Signer, error) {
 return commandSignerFromIssuerAndSecretData(ctx, spec, annotations, authSecretData, caSecretData)
 }
 
+// commandSignerFromIssuerAndSecretData creates a new Signer instance using the provided issuer spec and secret data
 func commandSignerFromIssuerAndSecretData(ctx context.Context, spec *commandissuer.IssuerSpec, annotations map[string]string, authSecretData map[string][]byte, caSecretData map[string][]byte) (*commandSigner, error) {
 k8sLog := log.FromContext(ctx)
 
@@ -132,6 +136,7 @@ func commandSignerFromIssuerAndSecretData(ctx context.Context, spec *commandissu
 return &signer, nil
 }
 
+// extractMetadataFromAnnotations extracts metadata from the provided annotations
 func extractMetadataFromAnnotations(annotations map[string]string) map[string]interface{} {
 metadata := make(map[string]interface{})
 
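Review bot: The new comments on commandSignerFromIssuerAndSecretData and its exported wrapper omit the `annotations` parameter, which is the one input in this signature that does not come from the operator-controlled Issuer spec or from Secrets; the extractMetadataFromAnnotations function documented in the same hunk suggests they are converted into metadata handed to Command. Annotations on a CertificateRequest are written by whoever creates that request, so the doc should flag them as caller-controlled rather than fold them into "issuer spec and secret data": `// annotations are taken from the CertificateRequest being signed and forwarded to Command as metadata; treat them as untrusted input.` The comment on extractMetadataFromAnnotations would also be more useful if it named which annotation keys are recognised and what happens to the rest, which the loop (outside the hunk) decides. Both function bodies continue outside the hunk.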
@@ -144,6 +149,7 @@ func extractMetadataFromAnnotations(annotations map[string]string) map[string]in
 return metadata
 }
 
+// Check checks the health of the signer by verifying that the "POST /Enrollment/CSR" endpoint exists
 func (s *commandSigner) Check() error {
 endpoints, _, err := s.client.StatusApi.StatusGetEndpoints(context.Background()).Execute()
 if err != nil {
@@ -169,6 +175,7 @@ func (s *commandSigner) Check() error {
 return errors.New("missing \"POST /Enrollment/CSR\" endpoint")
 }
 
+// Sign signs the provided CSR using the Keyfactor Command API
 func (s *commandSigner) Sign(ctx context.Context, csrBytes []byte, k8sMeta K8sMetadata) ([]byte, []byte, error) {
 k8sLog := log.FromContext(ctx)
 
@@ -255,6 +262,8 @@ func (s *commandSigner) Sign(ctx context.Context, csrBytes []byte, k8sMeta K8sMe
 return compileCertificatesToPemBytes(certAndChain)
 }
 
+// getCertificatesFromCertificateInformation takes a keyfactor.ModelsPkcs10CertificateResponse object and
+// returns a slice of x509 certificates
 func getCertificatesFromCertificateInformation(commandResp *keyfactor.ModelsPkcs10CertificateResponse) ([]*x509.Certificate, error) {
 var certBytes []byte
 
@@ -314,6 +323,7 @@ const (
 CommandMetaCertificateSigningRequestNamespace = "Certificate-Signing-Request-Namespace"
 )
 
+// createCommandClientFromSecretData creates a new Keyfactor Command client using the provided issuer spec and secret data
 func createCommandClientFromSecretData(ctx context.Context, spec *commandissuer.IssuerSpec, authSecretData map[string][]byte, caSecretData map[string][]byte) (*keyfactor.APIClient, error) {
 k8sLogger := log.FromContext(ctx)
 
@@ -383,6 +393,7 @@ func createCommandClientFromSecretData(ctx context.Context, spec *commandissuer.
 return client, nil
 }
 
+// decodePEMBytes takes a byte array containing PEM encoded data and returns a slice of PEM blocks and a private key PEM block
 func decodePEMBytes(buf []byte) ([]*pem.Block, *pem.Block) {
 var privKey *pem.Block
 var certificates []*pem.Block
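Review bot: `// Sign signs the provided CSR using the Keyfactor Command API` leaves the two `[]byte` results undocumented, and the Signer interface (`Sign(context.Context, []byte, K8sMetadata) ([]byte, []byte, error)`) gives the caller nothing else to go on; the parseCSR hunk further down shows the input is PEM, and the tail of Sign returns `compileCertificatesToPemBytes(certAndChain)`, so the outputs are presumably PEM too. A cert-manager caller has to know which slice goes in `status.certificate` and which in `status.ca`, so the comment should state that order explicitly rather than leaving it to the reader of compileCertificatesToPemBytes, e.g. `// Sign submits the PEM-encoded CSR to Keyfactor Command and returns two PEM bundles: the issued certificate (with chain) and the CA — TODO confirm the order against compileCertificatesToPemBytes.` Sign's body between the two hunks is outside this view.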
@@ -400,6 +411,7 @@ func decodePEMBytes(buf []byte) ([]*pem.Block, *pem.Block) {
 return certificates, privKey
 }
 
+// parseCSR takes a byte array containing a PEM encoded CSR and returns a x509.CertificateRequest object
 func parseCSR(pemBytes []byte) (*x509.CertificateRequest, error) {
 // extract PEM from request object
 block, _ := pem.Decode(pemBytes)
@@ -409,6 +421,7 @@ func parseCSR(pemBytes []byte) (*x509.CertificateRequest, error) {
 return x509.ParseCertificateRequest(block.Bytes)
 }
 
+// generateRandomString generates a random string of the specified length
 func generateRandomString(length int) string {
 rand.Seed(time.Now().UnixNano())
 letters := []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
@@ -419,6 +432,7 @@ func generateRandomString(length int) string {
 return string(b)
 }
 
+// ptr returns a pointer to the provided value
 func ptr[T any](v T) *T {
 return &v
 }
diff --git a/internal/issuer/signer/signer_test.go b/internal/issuer/signer/signer_test.go
index 375ec9a..4ff4869 100644
--- a/internal/issuer/signer/signer_test.go
+++ b/internal/issuer/signer/signer_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/internal/issuer/util/configclient.go b/internal/issuer/util/configclient.go
index 990e9a1..db86470 100644
--- a/internal/issuer/util/configclient.go
+++ b/internal/issuer/util/configclient.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
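Review bot: The new comment on generateRandomString should say the string is not cryptographically random: the body seeds the global math/rand source with `rand.Seed(time.Now().UnixNano())` (crypto/rand has no Seed), so the output is a function of the wall clock, and two calls in the same nanosecond — or concurrent reconciles — will produce the same letters. Suggest `// generateRandomString returns length ASCII letters from math/rand; good enough for a unique-ish label, never for anything that must be unguessable.` Independently, `rand.Seed` is deprecated since Go 1.20 and the global source is already randomly seeded, so the `rand.Seed(time.Now().UnixNano())` line can simply be removed; if the value is ever used as a secret or token, switch to crypto/rand instead. The loop between the two hunks, and the call site, are outside this view.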
@@ -28,6 +28,7 @@ import (
 ctrl "sigs.k8s.io/controller-runtime"
 )
 
+// ConfigClient is an interface for a K8s REST client.
 type ConfigClient interface {
 SetContext(ctx context.Context)
 GetConfigMap(name types.NamespacedName, out *corev1.ConfigMap) error
@@ -43,6 +44,7 @@ type configClient struct {
 verifyAccessFunc func(apiResource string, resource types.NamespacedName) error
 }
 
+// NewConfigClient creates a new K8s REST client using the configuration from the controller-runtime.
 func NewConfigClient(ctx context.Context) (ConfigClient, error) {
 config := ctrl.GetConfigOrDie()
 
@@ -64,11 +66,15 @@ func NewConfigClient(ctx context.Context) (ConfigClient, error) {
 return client, nil
 }
 
+// SetContext sets the context for the client.
 func (c *configClient) SetContext(ctx context.Context) {
 c.ctx = ctx
 c.logger = klog.FromContext(ctx)
 }
 
+// verifyAccessToResource verifies that the client has access to a given resource in a given namespace
+// by creating a SelfSubjectAccessReview. This is done to avoid errors when the client does not have
+// access to the resource.
 func (c *configClient) verifyAccessToResource(apiResource string, resource types.NamespacedName) error {
 verbs := []string{"get", "list", "watch"}
 
@@ -101,6 +107,7 @@ func (c *configClient) verifyAccessToResource(apiResource string, resource types
 return nil
 }
 
+// GetConfigMap gets the configmap with the given name and namespace and copies it into the out parameter.
 func (c *configClient) GetConfigMap(name types.NamespacedName, out *corev1.ConfigMap) error {
 if c == nil {
 return fmt.Errorf("config client is nil")
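Review bot: verifyAccessToResource reviews `verbs := []string{"get", "list", "watch"}`, but the only callers visible in this file (GetConfigMap and GetSecret) read one named object, which needs only `get`. If the loop that follows (outside the hunk) requires every verb to pass, the check forces the operator's ServiceAccount to hold `list` and `watch` on secrets in the Issuer's namespace — a far broader grant than the single read it performs, and precisely what a least-privilege Role scoped by resourceNames withholds — so a correctly restricted deployment would fail here even though the actual Get would succeed. Suggest checking only the verb the caller will use, `verbs := []string{"get"}`, or taking the verbs as a parameter, and stating the required RBAC in the new doc comment. The same hunk's `SetContext` stores the context in the struct (`c.ctx = ctx`), which the comment should call out so callers rescope the client per reconcile instead of reusing one with a cancelled ctx.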
@@ -108,6 +115,8 @@ func (c *configClient) GetConfigMap(name types.NamespacedName, out *corev1.Confi
 
 // Check if the client has access to the configmap resource
 if _, ok := c.accessCache[name.String()]; !ok {
+ // If this is the first time the client is accessing the resource and it does have
+ // permission, add it to the access cache so that it does not need to be checked again.
 err := c.verifyAccessFunc("configmaps", name)
 if err != nil {
 return err
@@ -126,6 +135,7 @@ func (c *configClient) GetConfigMap(name types.NamespacedName, out *corev1.Confi
 return nil
 }
 
+// GetSecret gets the secret with the given name and namespace and copies it into the out parameter.
 func (c *configClient) GetSecret(name types.NamespacedName, out *corev1.Secret) error {
 if c == nil {
 return fmt.Errorf("config client is nil")
@@ -133,6 +143,8 @@ func (c *configClient) GetSecret(name types.NamespacedName, out *corev1.Secret)
 
 // Check if the client has access to the secret resource
 if _, ok := c.accessCache[name.String()]; !ok {
+ // If this is the first time the client is accessing the resource and it does have
+ // permission, add it to the access cache so that it does not need to be checked again.
 err := c.verifyAccessFunc("secrets", name)
 if err != nil {
 return err
diff --git a/internal/issuer/util/configclient_test.go b/internal/issuer/util/configclient_test.go
index e57f922..5c30aad 100644
--- a/internal/issuer/util/configclient_test.go
+++ b/internal/issuer/util/configclient_test.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/internal/issuer/util/util.go b/internal/issuer/util/util.go
index f7477cc..4d513c2 100644
--- a/internal/issuer/util/util.go
+++ b/internal/issuer/util/util.go
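Review bot: The cache the new comments describe is keyed on `name.String()` alone in both GetConfigMap and GetSecret, while the check it gates is per resource type (`verifyAccessFunc("configmaps", name)` versus `verifyAccessFunc("secrets", name)`), so a ConfigMap and a Secret with the same namespace/name share one entry: once either has been verified the other skips its SelfSubjectAccessReview and the caller gets the raw API-server error this cache exists to pre-empt. Suggest keying on the resource as well, `if _, ok := c.accessCache["secrets/"+name.String()]; !ok {` here and `"configmaps/"+name.String()` in GetConfigMap, using the same composite key where the entry is stored (that write is outside the hunk). The comment should also make clear this is only an early, friendlier failure and not an authorization control — the real Get is still enforced by the API server — and, unless an eviction exists that is not visible here, that a cached entry outlives later RBAC changes. Both function bodies continue outside the hunk.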
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ import (
 
 const inClusterNamespacePath = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
 
+// GetSpecAndStatus is a helper function that returns the Spec and Status of an Issuer object.
 func GetSpecAndStatus(issuer client.Object) (*commandissuer.IssuerSpec, *commandissuer.IssuerStatus, error) {
 switch t := issuer.(type) {
 case *commandissuer.Issuer:
@@ -40,6 +41,7 @@ func GetSpecAndStatus(issuer client.Object) (*commandissuer.IssuerSpec, *command
 }
 }
 
+// SetReadyCondition is a helper function that sets the Ready condition on an IssuerStatus.
 func SetReadyCondition(status *commandissuer.IssuerStatus, conditionStatus commandissuer.ConditionStatus, reason, message string) {
 ready := GetReadyCondition(status)
 if ready == nil {
@@ -64,6 +66,7 @@ func SetReadyCondition(status *commandissuer.IssuerStatus, conditionStatus comma
 }
 }
 
+// GetReadyCondition is a helper function that returns the Ready condition from an IssuerStatus.
 func GetReadyCondition(status *commandissuer.IssuerStatus) *commandissuer.IssuerCondition {
 for _, c := range status.Conditions {
 if c.Type == commandissuer.IssuerConditionReady {
@@ -73,6 +76,7 @@ func GetReadyCondition(status *commandissuer.IssuerStatus) *commandissuer.Issuer
 return nil
 }
 
+// IsReady is a helper function that returns true if the Ready condition is set to True.
 func IsReady(status *commandissuer.IssuerStatus) bool {
 if c := GetReadyCondition(status); c != nil {
 return c.Status == commandissuer.ConditionTrue
diff --git a/main.go b/main.go
index 88fda9c..f51db11 100644
--- a/main.go
+++ b/main.go
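Review bot: The new comment on GetReadyCondition should state whether the returned `*IssuerCondition` aliases the element inside `status.Conditions` or is a copy, because SetReadyCondition in the preceding hunk calls it and branches on `ready == nil`, which reads as an intent to update the condition in place. The loop is `for _, c := range status.Conditions`, so if the return line (outside the hunk) is `return &c`, callers get a pointer to the loop variable's copy and any in-place update is silently lost. If that is the case, index the slice instead: `for i := range status.Conditions { if status.Conditions[i].Type == commandissuer.IssuerConditionReady { return &status.Conditions[i] } }`; if it already copies deliberately, say so in the comment. GetReadyCondition's body continues outside the hunk.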
@@ -1,5 +1,5 @@
 /*
-Copyright 2023 The Keyfactor Command Authors.
+Copyright © 2023 Keyfactor
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.