in pkg/controller/common/certificates/http_reconcile.go [176:262]
func ensureInternalSelfSignedCertificateSecretContents(
ctx context.Context,
secret *corev1.Secret,
owner types.NamespacedName,
namer name.Namer,
tls commonv1.TLSOptions,
controllerSANs []commonv1.SubjectAlternativeName,
svcs []corev1.Service,
ca *CA,
rotationParam RotationParams,
) (bool, error) {
log := ulog.FromContext(ctx)
secretWasChanged := false
// verify that the secret contains a parsable and compatible private key
privateKey := GetCompatiblePrivateKey(ctx, ca.PrivateKey, secret, KeyFileName)
// if we need a new private key, generate it
if privateKey == nil {
generatedPrivateKey, err := NewPrivateKey(ca.PrivateKey)
if err != nil {
return false, err
}
encodedPEM, err := EncodePEMPrivateKey(generatedPrivateKey)
if err != nil {
return false, err
}
secret.Data[KeyFileName] = encodedPEM
privateKey = generatedPrivateKey
secretWasChanged = true
}
// check if the existing cert should be re-issued
certificate := getHTTPCertificate(ctx, owner, namer, tls, controllerSANs, secret, svcs, ca, rotationParam.RotateBefore)
if certificate == nil {
log.Info(
"Issuing new HTTP certificate",
"namespace", secret.Namespace,
"secret_name", secret.Name,
"owner_namespace", owner.Namespace,
"owner_name", owner.Name,
)
csr, err := x509.CreateCertificateRequest(cryptorand.Reader, &x509.CertificateRequest{}, privateKey)
if err != nil {
return secretWasChanged, err
}
// create a cert from the csr
parsedCSR, err := x509.ParseCertificateRequest(csr)
if err != nil {
return secretWasChanged, err
}
// validate the csr
validatedCertificateTemplate := createValidatedHTTPCertificateTemplate(
owner, namer, tls, controllerSANs, svcs, parsedCSR, rotationParam.Validity,
)
// sign the certificate
certificate, err = ca.CreateCertificate(*validatedCertificateTemplate)
if err != nil {
return secretWasChanged, err
}
secretWasChanged = true
// store certificate and signed certificate in a secret mounted into the pod
secret.Data[CAFileName] = EncodePEMCert(ca.Cert.Raw)
secret.Data[CertFileName] = EncodePEMCert(certificate, ca.Cert.Raw)
}
// Ensure that the CA certificate is up-to-date.
expectedCaPem := EncodePEMCert(ca.Cert.Raw)
expectedCertPem := EncodePEMCert(certificate, ca.Cert.Raw)
if !reflect.DeepEqual(secret.Data[CAFileName], expectedCaPem) || !reflect.DeepEqual(secret.Data[CertFileName], expectedCertPem) {
log.Info(
"Updating CA certificate",
"secret_name", secret.Name,
"namespace", secret.Namespace,
"owner_name", owner.Name,
)
secretWasChanged = true
secret.Data[CAFileName] = expectedCaPem
secret.Data[CertFileName] = expectedCertPem
}
return secretWasChanged, nil
}