Update CA issuer to return the CA cert pem
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
This commit is contained in:
Max Ehrlich
parent
280382e6ce
commit
58efbc068c
@ -18,6 +18,7 @@ package ca
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
|
||||
k8sErrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
@ -44,7 +45,7 @@ const (
|
||||
messageCertIssued = "Certificate issued successfully"
|
||||
)
|
||||
|
||||
func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, error) {
|
||||
func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, []byte, error) {
|
||||
signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName)
|
||||
|
||||
if k8sErrors.IsNotFound(err) || errors.IsInvalidData(err) {
|
||||
@ -54,22 +55,27 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []by
|
||||
if err != nil {
|
||||
s := messageErrorGetCertKeyPair + err.Error()
|
||||
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorGetCertKeyPair, s, false)
|
||||
return nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
publicKey, err := pki.PublicKeyForPrivateKey(signeeKey)
|
||||
if err != nil {
|
||||
s := messageErrorPublicKey + err.Error()
|
||||
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorGetPublicKey, s, false)
|
||||
return nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
certPem, err := c.obtainCertificate(crt, publicKey)
|
||||
caCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
certPem, err := c.obtainCertificate(crt, publicKey, caCert)
|
||||
|
||||
if err != nil {
|
||||
s := messageErrorIssueCert + err.Error()
|
||||
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorIssueCert, s, false)
|
||||
return nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionTrue, successCertIssued, messageCertIssued, true)
|
||||
@ -78,24 +84,24 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []by
|
||||
if err != nil {
|
||||
s := messageErrorEncodePrivateKey + err.Error()
|
||||
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorEncodePrivateKey, s, false)
|
||||
return nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
return keyPem, certPem, nil
|
||||
caPem, err := pki.EncodeX509(caCert)
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
return keyPem, certPem, caPem, nil
|
||||
}
|
||||
|
||||
func (c *CA) obtainCertificate(crt *v1alpha1.Certificate, signeeKey interface{}) ([]byte, error) {
|
||||
func (c *CA) obtainCertificate(crt *v1alpha1.Certificate, signeeKey interface{}, signerCert *x509.Certificate) ([]byte, error) {
|
||||
commonName := crt.Spec.CommonName
|
||||
altNames := crt.Spec.DNSNames
|
||||
if len(commonName) == 0 && len(altNames) == 0 {
|
||||
return nil, fmt.Errorf("no domains specified on certificate")
|
||||
}
|
||||
|
||||
signerCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error getting issuer certificate: %s", err.Error())
|
||||
}
|
||||
|
||||
signerKey, err := kube.SecretTLSKey(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error getting issuer private key: %s", err.Error())
|
||||
|
||||
@ -34,21 +34,26 @@ const (
|
||||
messageCertRenewed = "Certificate issued successfully"
|
||||
)
|
||||
|
||||
func (c *CA) Renew(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, error) {
|
||||
func (c *CA) Renew(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, []byte, error) {
|
||||
signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName)
|
||||
|
||||
if err != nil {
|
||||
s := messageErrorGetCertKeyPair + err.Error()
|
||||
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorGetCertKeyPair, s, false)
|
||||
return nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
certPem, err := c.obtainCertificate(crt, signeeKey)
|
||||
caCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
certPem, err := c.obtainCertificate(crt, signeeKey, caCert)
|
||||
|
||||
if err != nil {
|
||||
s := messageErrorRenewCert + err.Error()
|
||||
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorRenewCert, s, false)
|
||||
return nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionTrue, successCertRenewed, messageCertRenewed, true)
|
||||
@ -57,8 +62,13 @@ func (c *CA) Renew(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []by
|
||||
if err != nil {
|
||||
s := messageErrorEncodePrivateKey + err.Error()
|
||||
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorEncodePrivateKey, s, false)
|
||||
return nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
return keyPem, certPem, nil
|
||||
caPem, err := pki.EncodeX509(caCert)
|
||||
if err != nil {
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
return keyPem, certPem, caPem, nil
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user