func createValidatedHTTPCertificateTemplate()

in pkg/controller/common/certificates/http_reconcile.go [356:431]


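// createValidatedHTTPCertificateTemplate builds the x509 template used to issue
// the HTTP certificate of the given owner.
//
// The template copies the public key, public key algorithm, signature and
// signature algorithm of csr; nothing in this function checks the CSR itself,
// so it is assumed to have been verified by the caller — TODO confirm.
//
// Names are collected in this order: the derived common name and short name,
// the DNS names and IP addresses of svcs, the user-provided SANs of
// tls.SelfSignedCertificate (when set) and finally controllerSANs. The
// certificate is valid from ten minutes in the past, as a clock-skew
// allowance, until now+certValidity. Key usage is digital signature and key
// encipherment, with both server and client authentication as extended
// usages, so the same certificate can be presented in either role.
func createValidatedHTTPCertificateTemplate(
	owner types.NamespacedName,
	namer name.Namer,
	tls commonv1.TLSOptions,
	controllerSANs []commonv1.SubjectAlternativeName,
	svcs []corev1.Service,
	csr *x509.CertificateRequest,
	certValidity time.Duration,
) *ValidatedCertificateTemplate {
	defaultSuffixes := strings.Join(namer.DefaultSuffixes, "-")
	// eg. clusterName-es-http
	shortName := owner.Name + "-" + defaultSuffixes + "-" + string(HTTPCAType)

	cnNameParts := make([]string, 0, 3+len(namer.DefaultSuffixes))
	cnNameParts = append(cnNameParts, shortName, owner.Namespace)
	cnNameParts = append(cnNameParts, namer.DefaultSuffixes...)
	// add .local to the certificate name to avoid issuing certificates signed for .es by default
	cnNameParts = append(cnNameParts, "local")
	// eg. clusterName-es-http.default.es.local
	certCommonName := strings.Join(cnNameParts, ".")

	dnsNames := []string{certCommonName, shortName}
	var ipAddresses []net.IP

	for _, svc := range svcs {
		dnsNames = append(dnsNames, k8s.GetServiceDNSName(svc)...)
		ipAddresses = append(ipAddresses, k8s.GetServiceIPAddresses(svc)...)
	}

	if selfSigned := tls.SelfSignedCertificate; selfSigned != nil {
		dnsNames, ipAddresses = appendSubjectAltNames(dnsNames, ipAddresses, selfSigned.SubjectAlternativeNames)
	}
	dnsNames, ipAddresses = appendSubjectAltNames(dnsNames, ipAddresses, controllerSANs)

	// Read the clock once so that NotBefore and NotAfter are computed from the
	// same instant and the window is exactly certValidity plus the skew margin.
	now := time.Now()

	certificateTemplate := ValidatedCertificateTemplate(x509.Certificate{
		Subject: pkix.Name{
			CommonName:         certCommonName,
			OrganizationalUnit: []string{owner.Name},
		},

		DNSNames:    dnsNames,
		IPAddresses: ipAddresses,

		// backdated to tolerate clock skew between the issuer and the peers
		NotBefore: now.Add(-10 * time.Minute),
		NotAfter:  now.Add(certValidity),

		PublicKeyAlgorithm: csr.PublicKeyAlgorithm,
		PublicKey:          csr.PublicKey,

		Signature:          csr.Signature,
		SignatureAlgorithm: csr.SignatureAlgorithm,

		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	})

	return &certificateTemplate
}

// appendSubjectAltNames appends the DNS and IP entries of sans to the given
// slices and returns the extended slices. Empty fields are ignored. An IP that
// net.ParseIP cannot parse is skipped as well: the resulting nil net.IP cannot
// be encoded as a valid IP subject alternative name (RFC 5280 requires 4 or
// 16 octets). Parsed IPs are normalised with netutil.IPToRFCForm.
func appendSubjectAltNames(dnsNames []string, ipAddresses []net.IP, sans []commonv1.SubjectAlternativeName) ([]string, []net.IP) {
	for _, san := range sans {
		if san.DNS != "" {
			dnsNames = append(dnsNames, san.DNS)
		}
		if san.IP == "" {
			continue
		}
		ip := net.ParseIP(san.IP)
		if ip == nil {
			// presumably rejected by API validation before reaching here — verify;
			// skipping keeps an unparsable entry from producing an unusable template.
			continue
		}
		ipAddresses = append(ipAddresses, netutil.IPToRFCForm(ip))
	}
	return dnsNames, ipAddresses
}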