-
Notifications
You must be signed in to change notification settings - Fork 2.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs(samples): added samples and tests for updating and monitoring CA (…
…#274) * docs(samples): added samples and tests for updating and monitoring CA * 🦉 Updates from OwlBot See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * docs(samples): added review comments * 🦉 Updates from OwlBot See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * 🦉 Updates from OwlBot See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
- Loading branch information
1 parent
ff2799e
commit 9344d74
Showing
4 changed files
with
207 additions
and
0 deletions.
There are no files selected for viewing
91 changes: 91 additions & 0 deletions
91
privateca/cloud-client/src/main/java/privateca/MonitorCertificateAuthority.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,91 @@ | ||
/* | ||
* Copyright 2021 Google LLC | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* https://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
package privateca; | ||
|
||
// [START privateca_monitor_ca_expiry] | ||
|
||
import com.google.cloud.monitoring.v3.AlertPolicyServiceClient; | ||
import com.google.cloud.monitoring.v3.NotificationChannelServiceClient; | ||
import com.google.monitoring.v3.AlertPolicy; | ||
import com.google.monitoring.v3.AlertPolicy.Condition; | ||
import com.google.monitoring.v3.AlertPolicy.Condition.MonitoringQueryLanguageCondition; | ||
import com.google.monitoring.v3.AlertPolicy.ConditionCombinerType; | ||
import com.google.monitoring.v3.NotificationChannel; | ||
import com.google.monitoring.v3.ProjectName; | ||
import java.io.IOException; | ||
|
||
public class MonitorCertificateAuthority { | ||
|
||
public static void main(String[] args) throws IOException { | ||
// TODO(developer): Replace these variables before running the sample. | ||
String project = "your-project-id"; | ||
createCaMonitoringPolicy(project); | ||
} | ||
|
||
// Creates a monitoring policy that notifies you 30 days before a managed CA expires. | ||
public static void createCaMonitoringPolicy(String project) throws IOException { | ||
/* Initialize client that will be used to send requests. This client only needs to be created | ||
once, and can be reused for multiple requests. After completing all of your requests, call | ||
the `client.close()` method on the client to safely | ||
clean up any remaining background resources. */ | ||
try (AlertPolicyServiceClient client = AlertPolicyServiceClient.create(); | ||
NotificationChannelServiceClient notificationClient = | ||
NotificationChannelServiceClient.create()) { | ||
|
||
String policyName = "policy-name"; | ||
|
||
/* Query which indicates the resource to monitor and the constraints. | ||
Here, the alert policy notifies you 30 days before a managed CA expires. | ||
For more info on creating queries, see: https://cloud.google.com/monitoring/mql/alerts */ | ||
String query = | ||
"fetch privateca.googleapis.com/CertificateAuthority" | ||
+ "| metric 'privateca.googleapis.com/ca/cert_chain_expiration'" | ||
+ "| group_by 5m," | ||
+ "[value_cert_chain_expiration_mean: mean(value.cert_chain_expiration)]" | ||
+ "| every 5m" | ||
+ "| condition val() < 2.592e+06 's'"; | ||
|
||
// Create a notification channel. | ||
NotificationChannel notificationChannel = | ||
NotificationChannel.newBuilder() | ||
.setType("email") | ||
.putLabels("email_address", "[email protected]") | ||
.build(); | ||
NotificationChannel channel = | ||
notificationClient.createNotificationChannel( | ||
ProjectName.of(project), notificationChannel); | ||
|
||
// Set the query and notification channel. | ||
AlertPolicy alertPolicy = | ||
AlertPolicy.newBuilder() | ||
.setDisplayName(policyName) | ||
.addConditions( | ||
Condition.newBuilder() | ||
.setDisplayName("ca-cert-chain-expiration") | ||
.setConditionMonitoringQueryLanguage( | ||
MonitoringQueryLanguageCondition.newBuilder().setQuery(query).build()) | ||
.build()) | ||
.setCombiner(ConditionCombinerType.AND) | ||
.addNotificationChannels(channel.getName()) | ||
.build(); | ||
|
||
AlertPolicy policy = client.createAlertPolicy(ProjectName.of(project), alertPolicy); | ||
|
||
System.out.println("Monitoring policy successfully created !" + policy.getName()); | ||
} | ||
} | ||
} | ||
// [END privateca_monitor_ca_expiry] |
99 changes: 99 additions & 0 deletions
99
privateca/cloud-client/src/main/java/privateca/UpdateCertificateAuthority.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
/* | ||
* Copyright 2021 Google LLC | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* https://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
package privateca; | ||
|
||
// [START privateca_update_ca_label] | ||
|
||
import com.google.api.core.ApiFuture; | ||
import com.google.cloud.security.privateca.v1.CertificateAuthority; | ||
import com.google.cloud.security.privateca.v1.CertificateAuthorityName; | ||
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient; | ||
import com.google.cloud.security.privateca.v1.UpdateCertificateAuthorityRequest; | ||
import com.google.longrunning.Operation; | ||
import com.google.protobuf.FieldMask; | ||
import java.io.IOException; | ||
import java.util.concurrent.ExecutionException; | ||
import java.util.concurrent.TimeUnit; | ||
import java.util.concurrent.TimeoutException; | ||
|
||
public class UpdateCertificateAuthority { | ||
|
||
public static void main(String[] args) | ||
throws IOException, ExecutionException, InterruptedException, TimeoutException { | ||
// TODO(developer): Replace these variables before running the sample. | ||
// location: For a list of locations, see: | ||
// https://cloud.google.com/certificate-authority-service/docs/locations | ||
// pool_Id: Set it to the CA Pool under which the CA should be created. | ||
// certificateAuthorityName: Unique name for the CA. | ||
String project = "your-project-id"; | ||
String location = "ca-location"; | ||
String pool_Id = "ca-pool-id"; | ||
String certificateAuthorityName = "certificate-authority-name"; | ||
|
||
updateCaLabel(project, location, pool_Id, certificateAuthorityName); | ||
} | ||
|
||
// Updates the labels in a certificate authority. | ||
public static void updateCaLabel( | ||
String project, String location, String pool_Id, String certificateAuthorityName) | ||
throws IOException, ExecutionException, InterruptedException, TimeoutException { | ||
/* Initialize client that will be used to send requests. This client only needs to be created | ||
once, and can be reused for multiple requests. After completing all of your requests, call | ||
the `certificateAuthorityServiceClient.close()` method on the client to safely | ||
clean up any remaining background resources. */ | ||
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient = | ||
CertificateAuthorityServiceClient.create()) { | ||
|
||
// Set the parent path and the new labels. | ||
String certificateAuthorityParent = | ||
CertificateAuthorityName.of(project, location, pool_Id, certificateAuthorityName) | ||
.toString(); | ||
CertificateAuthority certificateAuthority = | ||
CertificateAuthority.newBuilder() | ||
.setName(certificateAuthorityParent) | ||
.putLabels("env", "test") | ||
.build(); | ||
|
||
// Create a request to update the CA. | ||
UpdateCertificateAuthorityRequest request = | ||
UpdateCertificateAuthorityRequest.newBuilder() | ||
.setCertificateAuthority(certificateAuthority) | ||
.setUpdateMask(FieldMask.newBuilder().addPaths("labels").build()) | ||
.build(); | ||
|
||
// Update the CA and wait for the operation to complete. | ||
ApiFuture<Operation> futureCall = | ||
certificateAuthorityServiceClient | ||
.updateCertificateAuthorityCallable() | ||
.futureCall(request); | ||
Operation operation = futureCall.get(60, TimeUnit.SECONDS); | ||
|
||
// Check for errors. | ||
if (operation.hasError()) { | ||
System.out.println("Error in updating labels ! " + operation.getError()); | ||
} | ||
|
||
// Get the updated CA and check if it contains the new label. | ||
CertificateAuthority response = | ||
certificateAuthorityServiceClient.getCertificateAuthority(certificateAuthorityParent); | ||
if (response.getLabelsMap().containsKey("env") | ||
&& response.getLabelsMap().get("env").equalsIgnoreCase("test")) { | ||
System.out.println("Successfully updated the labels ! "); | ||
} | ||
} | ||
} | ||
} | ||
// [END privateca_update_ca_label] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters