forked from knative/serving
/
certificate.go
82 lines (71 loc) · 2.95 KB
/
certificate.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
/*
Copyright 2019 The Knative Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package resources
import (
"fmt"
"hash/adler32"
"sort"
"knative.dev/serving/pkg/apis/networking"
"knative.dev/serving/pkg/apis/serving"
"knative.dev/serving/pkg/resources"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"knative.dev/pkg/kmeta"
networkingv1alpha1 "knative.dev/serving/pkg/apis/networking/v1alpha1"
"knative.dev/serving/pkg/apis/serving/v1alpha1"
"knative.dev/serving/pkg/reconciler/route/resources/names"
)
// MakeCertificates creates an array of Certificate for the Route to request TLS certificates.
// domainTagMap is an one-to-one mapping between domain and tag, for major domain (tag-less),
// the value is an empty string
// Returns one certificate for each domain
func MakeCertificates(route *v1alpha1.Route, domainTagMap map[string]string, certClass string) []*networkingv1alpha1.Certificate {
order := make(sort.StringSlice, 0, len(domainTagMap))
for dnsName := range domainTagMap {
order = append(order, dnsName)
}
order.Sort()
var certs []*networkingv1alpha1.Certificate
for _, dnsName := range order {
tag := domainTagMap[dnsName]
// k8s supports cert name only up to 63 chars and so is constructed as route-[UID]-[tag digest]
// where route-[UID] will take 42 characters and leaves 20 characters for tag digest (need to include `-`).
// We use https://golang.org/pkg/hash/adler32/#Checksum to compute the digest which returns a uint32.
// We represent the digest in unsigned integer format with maximum value of 4,294,967,295 which are 10 digits.
// The "-[tag digest]" is computed only if there's a tag
certName := names.Certificate(route)
if tag != "" {
certName = fmt.Sprintf("%s-%d", certName, adler32.Checksum([]byte(tag)))
}
certs = append(certs, &networkingv1alpha1.Certificate{
ObjectMeta: metav1.ObjectMeta{
Name: certName,
Namespace: route.Namespace,
OwnerReferences: []metav1.OwnerReference{*kmeta.NewControllerRef(route)},
Annotations: resources.FilterMap(resources.UnionMaps(map[string]string{
networking.CertificateClassAnnotationKey: certClass,
}, route.ObjectMeta.Annotations), func(key string) bool {
return key == corev1.LastAppliedConfigAnnotation
}),
Labels: map[string]string{
serving.RouteLabelKey: route.Name,
},
},
Spec: networkingv1alpha1.CertificateSpec{
DNSNames: []string{dnsName},
SecretName: certName,
},
})
}
return certs
}