in pkg/mesh/certs.go [47:109]
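// InitCertificates makes sure kr.X509KeyPair holds a usable workload key pair.
//
// When outDir is non-empty and already contains a key (privateKey) and chain
// (cert) whose leaf certificate has not been expired for longer than the
// grace period, that pair is reused and nothing is issued. Otherwise, if a
// CSRSigner is configured, a fresh RSA key and a CSR for the workload's
// SPIFFE identity are generated, signed for 24h, stored in kr.X509KeyPair
// and, when outDir is non-empty, written to disk.
//
// Returns nil when there is nothing to do (a reusable pair exists, or no
// CSRSigner is configured). Returns an error when key/CSR generation,
// signing, parsing the signed chain or writing the files fails; in those
// cases kr.X509KeyPair is left untouched.
func (kr *KRun) InitCertificates(ctx context.Context, outDir string) error {
	const (
		// A leaf that expired less than this long ago is still reused.
		// NOTE(review): the original accepted up to 5 minutes past NotAfter,
		// presumably to tolerate clock skew with the signer — confirm.
		expiryGrace = 5 * time.Minute
		// Certificate lifetime requested from the signer, in seconds (24h).
		certTTLSeconds = 24 * 3600
		// Owner applied to the on-disk files when running as root.
		// NOTE(review): 1337 looks like the mesh proxy uid/gid — confirm.
		fileUID = 1337
		fileGID = 1337
	)

	keyFile := filepath.Join(outDir, privateKey)
	chainFile := filepath.Join(outDir, cert)

	// Reuse what is already on disk when it is still (nearly) valid.
	if outDir != "" {
		if kp, remaining, ok := loadUsableKeyPair(chainFile, keyFile, expiryGrace); ok {
			kr.X509KeyPair = kp
			log.Println("Existing Cert", "expires", remaining)
			return nil
		}
	}

	// Without a signer there is nothing to issue; this is not an error.
	if kr.CSRSigner == nil {
		return nil
	}

	// TODO: decode WorkloadCertificateConfig, use EC256 or RSA
	spiffeID := "spiffe://" + kr.TrustDomain + "/ns/" + kr.Namespace + "/sa/" + kr.KSA
	privPEM, csr, err := kr.NewCSR("rsa", kr.TrustDomain, spiffeID)
	if err != nil {
		return err
	}
	chain, err := kr.CSRSigner.CSRSign(ctx, csr, certTTLSeconds)
	if err != nil {
		return err
	}

	certChain := []byte(strings.Join(chain, "\n"))
	kp, err := tls.X509KeyPair(certChain, privPEM)
	if err != nil {
		// Do not publish or persist a pair that does not parse; the
		// previous kr.X509KeyPair (if any) remains in place.
		return err
	}

	// tls.X509KeyPair guarantees at least one certificate on success, but the
	// leaf/root parses are best-effort: a parse failure only loses the log line.
	if leaf, perr := x509.ParseCertificate(kp.Certificate[0]); perr == nil {
		kp.Leaf = leaf
		switch {
		case leaf.NotAfter.Before(time.Now()):
			log.Println("New Cert", "already expired", leaf.NotAfter)
		default:
			root, rerr := x509.ParseCertificate(kp.Certificate[len(kp.Certificate)-1])
			if rerr == nil {
				log.Println("New Cert", "expires", leaf.NotAfter, "signer", root.Subject)
			} else {
				log.Println("New Cert", "expires", leaf.NotAfter)
			}
		}
	}
	kr.X509KeyPair = &kp

	if outDir != "" {
		if err := persistKeyPair(outDir, keyFile, chainFile, privPEM, certChain, fileUID, fileGID); err != nil {
			return err
		}
	}
	// The roots are extracted from the mesh env.
	return nil
}

// loadUsableKeyPair loads the PEM key pair at chainFile/keyFile and reports
// whether its leaf certificate is still acceptable, i.e. not expired by more
// than grace. The returned duration is the time left until NotAfter
// (negative once expired). ok is false when the files are missing or do not
// parse, or when the leaf is too old; the caller then issues a new pair.
func loadUsableKeyPair(chainFile, keyFile string, grace time.Duration) (*tls.Certificate, time.Duration, bool) {
	kp, err := tls.LoadX509KeyPair(chainFile, keyFile)
	if err != nil || len(kp.Certificate) == 0 {
		return nil, 0, false
	}
	leaf, err := x509.ParseCertificate(kp.Certificate[0])
	if err != nil {
		// Previously an unparseable leaf was dereferenced as nil; treat it as
		// "no usable cert" so a fresh one gets issued instead.
		return nil, 0, false
	}
	remaining := time.Until(leaf.NotAfter)
	if remaining <= -grace {
		return nil, 0, false
	}
	kp.Leaf = leaf
	return &kp, remaining, true
}

// persistKeyPair writes privPEM to keyFile and certChain to chainFile,
// creating outDir first. When running as root the directory and both files
// are handed to uid/gid; a failed chown is logged but not fatal, matching the
// previous best-effort behaviour. Write failures are returned.
func persistKeyPair(outDir, keyFile, chainFile string, privPEM, certChain []byte, uid, gid int) error {
	if err := os.MkdirAll(outDir, 0755); err != nil {
		return err
	}
	// 0660 rather than 0600: the group that receives ownership below needs to
	// read the key, so group access is intentional here.
	if err := ioutil.WriteFile(keyFile, privPEM, 0660); err != nil {
		return err
	}
	if err := ioutil.WriteFile(chainFile, certChain, 0660); err != nil {
		return err
	}
	if os.Getuid() == 0 {
		for _, p := range []string{outDir, keyFile, chainFile} {
			if err := os.Chown(p, uid, gid); err != nil {
				log.Println("chown", p, "failed:", err)
			}
		}
	}
	return nil
}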