in pkg/controller/common/certificates/http_reconcile.go [273:353]
func getHTTPCertificate(
ctx context.Context,
owner types.NamespacedName,
namer name.Namer,
tls commonv1.TLSOptions,
controllerSANs []commonv1.SubjectAlternativeName,
secret *corev1.Secret,
svcs []corev1.Service,
ca *CA,
certReconcileBefore time.Duration,
) []byte {
log := ulog.FromContext(ctx)
validatedTemplate := createValidatedHTTPCertificateTemplate(
owner, namer, tls, controllerSANs, svcs, &x509.CertificateRequest{}, certReconcileBefore,
)
var certificate *x509.Certificate
certData, ok := secret.Data[CertFileName]
if !ok {
return nil
}
certs, err := ParsePEMCerts(certData)
if err != nil {
log.Error(err, "Invalid certificate data found, issuing new certificate", "namespace", secret.Namespace, "secret_name", secret.Name)
return nil
}
// look for the certificate based on the CommonName
for _, c := range certs {
if c.Subject.CommonName == validatedTemplate.Subject.CommonName {
certificate = c
break
}
}
if certificate == nil {
return nil
}
pool := x509.NewCertPool()
pool.AddCert(ca.Cert)
verifyOpts := x509.VerifyOptions{
DNSName: validatedTemplate.Subject.CommonName,
Roots: pool,
Intermediates: pool,
}
if _, err := certificate.Verify(verifyOpts); err != nil {
log.Info(
"Certificate was not valid, should issue new",
"validation_failure", err,
"subject", certificate.Subject,
"issuer", certificate.Issuer,
"current_ca_subject", ca.Cert.Subject,
"secret_name", secret.Name,
"namespace", secret.Namespace,
"owner_name", owner.Name,
)
return nil
}
if time.Now().After(certificate.NotAfter.Add(-certReconcileBefore)) {
log.Info("Certificate soon to expire, should issue new", "namespace", secret.Namespace, "secret_name", secret.Name)
return nil
}
if certificate.Subject.String() != validatedTemplate.Subject.String() {
return nil
}
if !reflect.DeepEqual(certificate.IPAddresses, validatedTemplate.IPAddresses) {
return nil
}
if !reflect.DeepEqual(certificate.DNSNames, validatedTemplate.DNSNames) {
return nil
}
return certificate.Raw
}