in pkg/controller/common/certificates/http_reconcile.go [57:141]
func (r Reconciler) ReconcileInternalHTTPCerts(ctx context.Context, ca *CA, customCertificates *CertificatesSecret) (*CertificatesSecret, error) {
log := ulog.FromContext(ctx)
ownerNSN := k8s.ExtractNamespacedName(r.Owner)
watchKey := CertificateWatchKey(r.Namer, ownerNSN.Name)
if err := ReconcileCustomCertWatch(r.DynamicWatches, watchKey, ownerNSN, r.TLSOptions.Certificate); err != nil {
return nil, err
}
secret := corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Namespace: ownerNSN.Namespace,
Name: InternalCertsSecretName(r.Namer, ownerNSN.Name),
},
}
shouldCreateSecret := false
if err := r.K8sClient.Get(ctx, k8s.ExtractNamespacedName(&secret), &secret); err != nil && !apierrors.IsNotFound(err) {
return nil, err
} else if apierrors.IsNotFound(err) {
shouldCreateSecret = true
}
if secret.Labels == nil {
secret.Labels = make(map[string]string)
}
// TODO: reconcile annotations?
needsUpdate := false
// ensure our labels are set on the secret.
for k, v := range r.Labels {
if current, ok := secret.Labels[k]; !ok || current != v {
secret.Labels[k] = v
needsUpdate = true
}
}
if err := controllerutil.SetControllerReference(r.Owner, &secret, scheme.Scheme); err != nil {
return nil, err
}
// a placeholder secret may have nil entries, create them if needed
if secret.Data == nil {
secret.Data = make(map[string][]byte)
}
// by default let's assume that the CA is provided, either by the ECK internal certificate authority or by the user
caCertProvided := true
if customCertificates.HasLeafCertificate() {
caCertProvided, needsUpdate = r.populateFromCustomCertificateContents(&secret, customCertificates, ca)
} else {
selfSignedNeedsUpdate, err := ensureInternalSelfSignedCertificateSecretContents(
ctx, &secret, ownerNSN, r.Namer, r.TLSOptions, r.ExtraHTTPSANs, r.Services, ca, r.CertRotation,
)
if err != nil {
return nil, err
}
needsUpdate = needsUpdate || selfSignedNeedsUpdate
}
//nolint:nestif
if needsUpdate {
if shouldCreateSecret {
log.Info("Creating HTTP internal certificate secret", "namespace", secret.Namespace, "secret_name", secret.Name)
if err := r.K8sClient.Create(ctx, &secret); err != nil {
return nil, err
}
} else {
log.Info("Updating HTTP internal certificate secret", "namespace", secret.Namespace, "secret_name", secret.Name)
if err := r.K8sClient.Update(ctx, &secret); err != nil {
return nil, err
}
}
}
// The CA cert has been set in this Secret for convenience, remove it from the result in order to not propagate it.
if !caCertProvided {
delete(secret.Data, CAFileName)
}
internalCerts := CertificatesSecret{Secret: secret}
return &internalCerts, nil
}