From 58efbc068c6ec811d92df0247792a9dfe0e13903 Mon Sep 17 00:00:00 2001
From: Max Ehrlich
Date: Thu, 13 Sep 2018 16:58:17 -0400
Subject: [PATCH] Update CA issuer to return the CA cert pem

Signed-off-by: Max Ehrlich
---
 pkg/issuer/ca/issue.go | 32 +++++++++++++++++++------------
 pkg/issuer/ca/renew.go | 22 ++++++++++++++++------
 2 files changed, 35 insertions(+), 19 deletions(-)

diff --git a/pkg/issuer/ca/issue.go b/pkg/issuer/ca/issue.go
index e3b8d3808..c6df82566 100644
--- a/pkg/issuer/ca/issue.go
+++ b/pkg/issuer/ca/issue.go
@@ -18,6 +18,7 @@ package ca
 import (
 "context"
+ "crypto/x509"
 "fmt"
 k8sErrors "k8s.io/apimachinery/pkg/api/errors"
@@ -44,7 +45,7 @@ const (
 messageCertIssued = "Certificate issued successfully"
 )
-func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, error) {
+func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, []byte, error) {
 signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName)
 if k8sErrors.IsNotFound(err) || errors.IsInvalidData(err) {
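Review bot: Issue's exported signature gains a third []byte result but still carries no doc comment saying what the three slices are or in what order they come, so a caller of the new tuple has to read the body to learn that the last one is the CA certificate. Suggest a comment above the `func (c *CA) Issue` line: `// Issue signs a certificate for crt with the issuer's CA and returns the PEM-encoded private key, leaf certificate and CA certificate, in that order.` The function body continues past the hunk; Renew in renew.go gets the same signature change and would benefit from the same comment.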
@@ -54,22 +55,27 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []by
 if err != nil {
 s := messageErrorGetCertKeyPair + err.Error()
 crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorGetCertKeyPair, s, false)
- return nil, nil, err
+ return nil, nil, nil, err
 }
 publicKey, err := pki.PublicKeyForPrivateKey(signeeKey)
 if err != nil {
 s := messageErrorPublicKey + err.Error()
 crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorGetPublicKey, s, false)
- return nil, nil, err
+ return nil, nil, nil, err
 }
- certPem, err := c.obtainCertificate(crt, publicKey)
+ caCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
+ if err != nil {
+ return nil, nil, nil, err
+ }
+
+ certPem, err := c.obtainCertificate(crt, publicKey, caCert)
 if err != nil {
 s := messageErrorIssueCert + err.Error()
 crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorIssueCert, s, false)
- return nil, nil, err
+ return nil, nil, nil, err
 }
 crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionTrue, successCertIssued, messageCertIssued, true)
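Review bot: The new `kube.SecretTLSCert` error path returns bare, so a missing or malformed issuer CA secret neither updates the certificate's Ready condition (every other error branch in this hunk does) nor keeps the context that the wrapper removed from obtainCertificate used to add; at minimum keep that message, `return nil, nil, nil, fmt.Errorf("error getting issuer certificate: %s", err.Error())`, and ideally set the condition with a dedicated reason constant (none exists in the visible const block). The same bare return appears in the first Renew hunk in renew.go. Separately, the CA certificate is now read here while obtainCertificate still reads the signer key from the same secret on a later lister call, so a secret rotation between the two reads would sign with a key that no longer matches the caPem handed back to the caller; reading cert and key together once and passing both, or checking that the key matches signerCert before signing, would close that window.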
@@ -78,24 +84,24 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []by
 if err != nil {
 s := messageErrorEncodePrivateKey + err.Error()
 crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorEncodePrivateKey, s, false)
- return nil, nil, err
+ return nil, nil, nil, err
 }
- return keyPem, certPem, nil
+ caPem, err := pki.EncodeX509(caCert)
+ if err != nil {
+ return nil, nil, nil, err
+ }
+
+ return keyPem, certPem, caPem, nil
 }
-func (c *CA) obtainCertificate(crt *v1alpha1.Certificate, signeeKey interface{}) ([]byte, error) {
+func (c *CA) obtainCertificate(crt *v1alpha1.Certificate, signeeKey interface{}, signerCert *x509.Certificate) ([]byte, error) {
 commonName := crt.Spec.CommonName
 altNames := crt.Spec.DNSNames
 if len(commonName) == 0 && len(altNames) == 0 {
 return nil, fmt.Errorf("no domains specified on certificate")
 }
- signerCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
- if err != nil {
- return nil, fmt.Errorf("error getting issuer certificate: %s", err.Error())
- }
-
 signerKey, err := kube.SecretTLSKey(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
 if err != nil {
 return nil, fmt.Errorf("error getting issuer private key: %s", err.Error())
diff --git a/pkg/issuer/ca/renew.go b/pkg/issuer/ca/renew.go
index a99311716..df01ef227 100644
--- a/pkg/issuer/ca/renew.go
+++ b/pkg/issuer/ca/renew.go
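Review bot: The `pki.EncodeX509(caCert)` failure path returns without calling crt.UpdateStatusCondition, and since the ConditionTrue update has already run by this point in Issue, a Certificate can leave Issue with an error while its status still reports success; that branch should set ConditionFalse like the other error branches, or at least name the CA in the error so it is distinguishable from a leaf-encoding failure, e.g. `return nil, nil, nil, fmt.Errorf("error encoding issuer certificate: %s", err.Error())`. The second Renew hunk in renew.go has the same gap. obtainCertificate now takes signerCert from the caller but has no comment stating that it must be the certificate for the private key the function itself reads from the CA secret; suggest `// obtainCertificate signs a certificate for crt with the issuer's private key from the CA secret; signerCert must be the certificate for that key.` obtainCertificate's body continues past the hunk.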
@@ -34,21 +34,26 @@ const (
 messageCertRenewed = "Certificate issued successfully"
 )
-func (c *CA) Renew(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, error) {
+func (c *CA) Renew(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, []byte, error) {
 signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName)
 if err != nil {
 s := messageErrorGetCertKeyPair + err.Error()
 crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorGetCertKeyPair, s, false)
- return nil, nil, err
+ return nil, nil, nil, err
 }
- certPem, err := c.obtainCertificate(crt, signeeKey)
+ caCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
+ if err != nil {
+ return nil, nil, nil, err
+ }
+
+ certPem, err := c.obtainCertificate(crt, signeeKey, caCert)
 if err != nil {
 s := messageErrorRenewCert + err.Error()
 crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorRenewCert, s, false)
- return nil, nil, err
+ return nil, nil, nil, err
 }
 crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionTrue, successCertRenewed, messageCertRenewed, true)
@@ -57,8 +62,13 @@ func (c *CA) Renew(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []by
 if err != nil {
 s := messageErrorEncodePrivateKey + err.Error()
 crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorEncodePrivateKey, s, false)
- return nil, nil, err
+ return nil, nil, nil, err
 }
- return keyPem, certPem, nil
+ caPem, err := pki.EncodeX509(caCert)
+ if err != nil {
+ return nil, nil, nil, err
+ }
+
+ return keyPem, certPem, caPem, nil
 }
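Review bot: On the rewritten `certPem, err := c.obtainCertificate(crt, signeeKey, caCert)` line Renew passes `signeeKey`, the private key read from the certificate's secret, as the second argument, whereas Issue first derives `publicKey` via pki.PublicKeyForPrivateKey and passes that; obtainCertificate's use of the parameter is outside this hunk, but if it flows into x509.CreateCertificate as the subject public key, the standard library rejects a private key there. The mismatch predates the commit, but since the call is being rewritten here it is the moment to derive the public key in Renew the same way Issue does, `publicKey, err := pki.PublicKeyForPrivateKey(signeeKey)`, or to document on obtainCertificate which key types the parameter accepts.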