allow ec keys as well as rsa

Azure · Jun 10, 2020 · 81d50d3 · 81d50d3
1 parent 63715f1
commit 81d50d3
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/api/v1alpha1/keyvaultkey_types.go b/api/v1alpha1/keyvaultkey_types.go
@@ -20,6 +20,7 @@ type KeyVaultKeySpec struct {
 	KeyVault      string                      `json:"keyVault,omitempty"`
 	KeySize       int32                       `json:"keySize,omitempty"`
 	Type          kvops.JSONWebKeyType        `json:"type,omitempty"`
+	Curve         kvops.JSONWebKeyCurveName   `json:"curve,omitempty"`
 	Operations    []kvops.JSONWebKeyOperation `json:"operations,omitempty"`
 }
 

diff --git a/config/samples/azure_v1alpha1_keyvaultkey.yaml b/config/samples/azure_v1alpha1_keyvaultkey.yaml
@@ -6,7 +6,12 @@ spec:
   resourceGroup: resourcegroup-azure-operators
   location: westus
   keyVault: keyvaultsample123
-  keySize: 4096
+  # type can be RSA, RSAHSM, EC, ECHSM
   type: RSA
+  # if RSA
+  keySize: 4096
+  # If EC
+  # type: EC
+  # curve: P-256 #Possible values include: 'P256', 'P384', 'P521', 'P256K'
   #optional: defaults to all operations
   #operations: ["encrypt", "wrap", "unwrap"]
diff --git a/pkg/resourcemanager/keyvaults/keyops.go b/pkg/resourcemanager/keyvaults/keyops.go
@@ -81,6 +81,28 @@ func (k *KeyvaultKeyClient) Ensure(ctx context.Context, obj runtime.Object, opts
 		KeyOps:        &instance.Spec.Operations,
 		KeyAttributes: &katts,
 	}
+
+	switch instance.Spec.Type {
+	case kvops.RSA, kvops.RSAHSM:
+		if instance.Spec.KeySize == 0 {
+			instance.Status.Message = "no keysize provided for rsa key"
+			instance.Status.FailedProvisioning = true
+			instance.Status.Provisioned = false
+			instance.Status.Provisioning = false
+			return true, nil
+		}
+		params.KeySize = &instance.Spec.KeySize
+	case kvops.EC, kvops.ECHSM:
+		if instance.Spec.Curve == "" {
+			instance.Status.Message = "no curve provided for ec key"
+			instance.Status.FailedProvisioning = true
+			instance.Status.Provisioned = false
+			instance.Status.Provisioning = false
+			return true, nil
+		}
+		params.Curve = instance.Spec.Curve
+	}
+
 	req, err := kvopsclient.CreateKey(ctx, vaultBaseURL, instance.Name, params)
 	if err != nil {
 		instance.Status.Message = err.Error()