in operator/controllers/operator/storage_controller.go [225:364]
func (r *StorageReconciler) createCert(ctx context.Context, log logr.Logger, s *operatorv1alpha1.Storage) {
clientset, err := kubeclient.NewForConfig(r.RestConfig)
if err != nil {
return
}
existSecret, err := clientset.CoreV1().Secrets(s.Namespace).Get(ctx, "skywalking-storage", metav1.GetOptions{})
if err != nil && !apierrors.IsNotFound(err) {
log.Info("fail get skywalking-storage secret")
return
}
if existSecret.Name != "" {
_, verifyCert, decodeErr := pkcs12.Decode(existSecret.Data["storage.p12"], "")
if decodeErr != nil {
log.Info("decode storage.p12 error")
return
}
if time.Until(verifyCert.NotAfter).Hours() < 24 {
log.Info("storage cert will expire,the storage cert will re-generate")
} else {
return
}
}
key, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
log.Info("fail generate privatekey")
return
}
subj := pkix.Name{
CommonName: "skywalking-storage",
Country: []string{"CN"},
Province: []string{"ZJ"},
Locality: []string{"HZ"},
Organization: []string{"Skywalking"},
OrganizationalUnit: []string{"Skywalking"},
}
asn1Subj, err := asn1.Marshal(subj.ToRDNSequence())
if err != nil {
return
}
template := x509.CertificateRequest{
RawSubject: asn1Subj,
SignatureAlgorithm: x509.SHA256WithRSA,
}
csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &template, key)
if err != nil {
log.Info("fail create certificaterequest")
return
}
buffer := new(bytes.Buffer)
err = pem.Encode(buffer, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrBytes})
if err != nil {
log.Info("fail encode CERTIFICATE REQUEST")
return
}
singername := "kubernetes.io/legacy-unknown"
request := certv1beta1.CertificateSigningRequest{
TypeMeta: metav1.TypeMeta{
Kind: "CertificateSigningRequest",
APIVersion: "certificates.k8s.io/v1beta1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "storage-csr",
},
Spec: certv1beta1.CertificateSigningRequestSpec{
Groups: []string{"system:authenticated"},
Request: buffer.Bytes(),
SignerName: &singername,
Usages: []certv1beta1.KeyUsage{certv1beta1.UsageClientAuth},
},
}
err = clientset.CertificatesV1beta1().CertificateSigningRequests().Delete(ctx, "storage-csr", metav1.DeleteOptions{})
if err != nil && !apierrors.IsNotFound(err) {
log.Info("fail delete csr")
return
}
csr, err := clientset.CertificatesV1beta1().CertificateSigningRequests().Create(ctx, &request, metav1.CreateOptions{})
if err != nil {
log.Info("fail create csr")
return
}
condition := certv1beta1.CertificateSigningRequestCondition{
Type: "Approved",
Reason: "ApprovedBySkywalkingStorage",
Message: "Approved by skywalking storage controller",
}
csr.Status.Conditions = append(csr.Status.Conditions, condition)
updateapproval, err := clientset.CertificatesV1beta1().CertificateSigningRequests().UpdateApproval(ctx, csr, metav1.UpdateOptions{})
if err != nil {
log.Info("fail update approval", "result", updateapproval, "err", err)
return
}
for {
csr, err = clientset.CertificatesV1beta1().CertificateSigningRequests().Get(ctx, "storage-csr", metav1.GetOptions{})
if err != nil {
log.Info("fail get storage-csr")
return
}
if csr.Status.Certificate != nil {
break
}
}
block, _ := pem.Decode(csr.Status.Certificate)
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
log.Info("fail parse certificate")
return
}
p12, err := pkcs12.Encode(rand.Reader, key, cert, nil, "skywalking")
if err != nil {
log.Info("fail encode pkcs12")
return
}
err = clientset.CoreV1().Secrets(s.Namespace).Delete(ctx, "skywalking-storage", metav1.DeleteOptions{})
if err != nil && !apierrors.IsNotFound(err) {
log.Info("fail delete secret skywalking-storage")
return
}
data := make(map[string][]byte)
data["storage.p12"] = p12
secret := core.Secret{
TypeMeta: metav1.TypeMeta{
Kind: "Secret",
APIVersion: "v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "skywalking-storage",
Namespace: s.Namespace,
},
Data: data,
Type: "Opaque",
}
storageTLSSecret, err := clientset.CoreV1().Secrets(s.Namespace).Create(ctx, &secret, metav1.CreateOptions{})
if err != nil {
log.Info("fail create secret skywalking-storage")
return
}
log.Info("success create secret skywalking-storage", "secret-name", storageTLSSecret.Name)
}