in pkg/admission/webhook_manager.go [129:183]
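// GenerateServerCertificate issues a TLS server certificate for the admission
// webhook service, signed by the CA returned by wm.getBestCACertificate, and
// returns it as a tls.Certificate whose PEM chain is the leaf followed by the
// issuing CA certificate.
//
// The subject common name is "<service>.<namespace>.svc"; the SAN list carries
// wm.serviceName plus the "<service>.<namespace>" and "<service>.<namespace>.svc"
// forms. Every failure is logged and returned to the caller; a nil certificate
// is returned together with a non-nil error, never a partially built pair.
func (wm *webhookManagerImpl) GenerateServerCertificate() (*tls.Certificate, error) {
	caCert, caKey, err := wm.getBestCACertificate()
	if err != nil {
		log.Log(log.AdmissionWebhook).Error("Unable to find best CA certificate", zap.Error(err))
		return nil, err
	}

	serviceName := wm.conf.GetAmServiceName()
	namespace := wm.conf.GetNamespace()
	// The in-cluster FQDN form is both the subject CN and one of the SANs.
	commonName := fmt.Sprintf("%s.%s.svc", serviceName, namespace)
	dnsNames := []string{
		// NOTE(review): the first SAN comes from wm.serviceName while the other
		// two use wm.conf.GetAmServiceName(); if those values can differ, confirm
		// which one the API server dials, since a missing SAN fails TLS verification.
		wm.serviceName,
		fmt.Sprintf("%s.%s", serviceName, namespace),
		commonName,
	}

	log.Log(log.AdmissionWebhook).Info("Generating server certificate...")
	cert, key, err := pki.GenerateServerCertificate(commonName, dnsNames, caCert, caKey)
	if err != nil {
		log.Log(log.AdmissionWebhook).Error("Unable to generate server certificate", zap.Error(err))
		return nil, err
	}
	log.Log(log.AdmissionWebhook).Info("Generated server certificate",
		zap.String("commonName", cert.Subject.CommonName),
		zap.Strings("dnsNames", cert.DNSNames),
		zap.Time("notBefore", cert.NotBefore),
		zap.Time("notAfter", cert.NotAfter),
		zap.Stringer("issuer", cert.Issuer),
		// big.Int.Int64 is undefined for serials wider than 64 bits; the field
		// is informational only, so a truncated value is acceptable here.
		zap.Int64("issuerSerialNumber", caCert.SerialNumber.Int64()))

	// Leaf first, then the issuing CA: the order tls.X509KeyPair expects.
	certChain := []*x509.Certificate{cert, caCert}
	certPemChain, err := pki.EncodeCertChainPem(certChain)
	if err != nil {
		log.Log(log.AdmissionWebhook).Error("Unable to encode certificate chain", zap.Error(err))
		return nil, err
	}
	keyPem, err := pki.EncodePrivateKeyPem(key)
	if err != nil {
		// Must return here: falling through would dereference keyPem below,
		// which panics if the encoder returns nil alongside the error.
		log.Log(log.AdmissionWebhook).Error("Unable to encode private key", zap.Error(err))
		return nil, err
	}

	pair, err := tls.X509KeyPair(*certPemChain, *keyPem)
	if err != nil {
		log.Log(log.AdmissionWebhook).Error("Unable to build TLS key pair", zap.Error(err))
		return nil, err
	}
	return &pair, nil
}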