in pkg/operator/webhook.go [97:141]
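// ensureCerts materialises the webhook server's TLS material under dir as
// tls.crt and tls.key and returns the PEM bytes of the CA certificate that
// clients should use to verify the server.
//
// Two modes are supported:
//   - certEncoded and keyEncoded are both set (base64): they are decoded and
//     written as-is; caCertEncoded is optional and, when set, is decoded and
//     returned as the CA. When it is empty the returned CA is nil.
//   - all three are empty: a self-signed certificate for
//     <NameOperator>.<operatorNamespace>.svc is generated and the certificate
//     itself is returned as the CA.
//
// Any other combination (e.g. only one of cert/key, or a CA without a
// cert/key pair) is rejected with an error.
//
// The key file is written with mode 0600 and the certificate with 0644; the
// private key must never be readable by other users of the filesystem, and
// os.WriteFile does not change the mode of a pre-existing file, so the key's
// mode is enforced with an explicit chmod afterwards.
func ensureCerts(operatorNamespace, dir, certEncoded, keyEncoded, caCertEncoded string) ([]byte, error) {
	var (
		crt, key, caData []byte
		err              error
	)

	switch {
	case keyEncoded != "" && certEncoded != "":
		crt, err = base64.StdEncoding.DecodeString(certEncoded)
		if err != nil {
			return nil, fmt.Errorf("decoding TLS certificate: %w", err)
		}
		key, err = base64.StdEncoding.DecodeString(keyEncoded)
		if err != nil {
			return nil, fmt.Errorf("decoding TLS key: %w", err)
		}
		if caCertEncoded != "" {
			caData, err = base64.StdEncoding.DecodeString(caCertEncoded)
			if err != nil {
				return nil, fmt.Errorf("decoding certificate authority: %w", err)
			}
		}

	case keyEncoded == "" && certEncoded == "" && caCertEncoded == "":
		// Generate a self-signed pair if none was explicitly provided. It will be valid
		// for 1 year.
		// TODO(freinartz): re-generate at runtime and update the ValidatingWebhookConfiguration
		// at runtime whenever the files change.
		fqdn := fmt.Sprintf("%s.%s.svc", NameOperator, operatorNamespace)
		crt, key, err = cert.GenerateSelfSignedCertKey(fqdn, nil, nil)
		if err != nil {
			return nil, fmt.Errorf("generate self-signed TLS key pair: %w", err)
		}
		// Use crt as the ca in the self-sign case.
		caData = crt

	default:
		return nil, errors.New("flags key-base64 and cert-base64 must both be set")
	}

	// Create cert/key files. The certificate is public; the key is not.
	certPath := filepath.Join(dir, "tls.crt")
	keyPath := filepath.Join(dir, "tls.key")

	if err := os.WriteFile(certPath, crt, 0o644); err != nil {
		return nil, fmt.Errorf("create cert file: %w", err)
	}
	if err := os.WriteFile(keyPath, key, 0o600); err != nil {
		return nil, fmt.Errorf("create key file: %w", err)
	}
	// WriteFile leaves the mode of an already existing file untouched, so
	// tighten it explicitly in case a previous run created it more permissively.
	if err := os.Chmod(keyPath, 0o600); err != nil {
		return nil, fmt.Errorf("restrict key file permissions: %w", err)
	}

	return caData, nil
}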