in internal/alloydb/refresh.go [119:162]
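// fetchClientCertificate requests a short-lived client certificate for inst
// from the AlloyDB Admin API and bundles it with the caller's private key.
//
// The public half of key is PEM-encoded and sent in a
// GenerateClientCertificateRequest whose requested lifetime is
// ephemeralCertDuration; UseMetadataExchange is the inverse of
// disableMetadataExchange. On success the private key is PEM-encoded as an
// unencrypted PKCS#1 "RSA PRIVATE KEY" block and handed to newClientCertificate
// together with the returned certificate chain and CA certificate, so the
// resulting clientCertificate carries raw key material in memory.
//
// The results are named so the deferred end(err) reports the final error to
// the tracing span. Failures of the API call are wrapped in a RefreshError;
// a nil key or a PEM encoding failure is returned as a plain error.
func fetchClientCertificate(
	ctx context.Context,
	cl *alloydbadmin.AlloyDBAdminClient,
	inst InstanceURI,
	key *rsa.PrivateKey,
	disableMetadataExchange bool,
) (cc *clientCertificate, err error) {
	// Lifetime requested for the ephemeral certificate (one hour).
	const ephemeralCertDuration = time.Hour

	var end tel.EndSpanFunc
	ctx, end = tel.StartSpan(ctx, "cloud.google.com/go/alloydbconn/internal.FetchEphemeralCert")
	defer func() { end(err) }()

	// Guard the dereference below: a nil key would otherwise panic inside the
	// span instead of surfacing as an error the caller can handle.
	if key == nil {
		return nil, fmt.Errorf("fetch client certificate for %s: nil private key", inst.String())
	}

	// Only the public key leaves the process; it goes over the wire as PEM.
	pubPEM := &bytes.Buffer{}
	pubDER := x509.MarshalPKCS1PublicKey(&key.PublicKey)
	if err = pem.Encode(pubPEM, &pem.Block{Type: "RSA PUBLIC KEY", Bytes: pubDER}); err != nil {
		return nil, fmt.Errorf("encoding public key for %s: %w", inst.String(), err)
	}

	req := &alloydbpb.GenerateClientCertificateRequest{
		Parent: fmt.Sprintf(
			"projects/%s/locations/%s/clusters/%s", inst.project, inst.region, inst.cluster,
		),
		PublicKey:    pubPEM.String(),
		CertDuration: durationpb.New(ephemeralCertDuration),
		// The API flag is positive while the caller's option is a disable switch.
		UseMetadataExchange: !disableMetadataExchange,
	}
	resp, err := cl.GenerateClientCertificate(ctx, req)
	if err != nil {
		return nil, errtype.NewRefreshError(
			"create ephemeral cert failed",
			inst.String(),
			err,
		)
	}

	// Serialize the private key unencrypted; newClientCertificate receives it
	// alongside the chain and CA cert returned by the API.
	keyPEM := pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	})
	return newClientCertificate(
		inst, keyPEM, resp.PemCertificateChain, resp.CaCert,
	)
}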