-
Notifications
You must be signed in to change notification settings - Fork 292
/
certgen.go
90 lines (75 loc) · 2.49 KB
/
certgen.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
// Copyright Envoy Gateway Authors
// SPDX-License-Identifier: Apache-2.0
// The full text of the Apache license is available in the LICENSE file at
// the root of the repo.
package cmd
import (
"context"
"errors"
"fmt"
"github.com/spf13/cobra"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
clicfg "sigs.k8s.io/controller-runtime/pkg/client/config"
"github.com/envoyproxy/gateway/internal/crypto"
"github.com/envoyproxy/gateway/internal/envoygateway"
"github.com/envoyproxy/gateway/internal/envoygateway/config"
"github.com/envoyproxy/gateway/internal/provider/kubernetes"
)
// getCertGenCommand returns the certGen cobra command to be executed.
func getCertGenCommand() *cobra.Command {
cmd := &cobra.Command{
Use: "certgen",
Short: "Generate Control Plane Certificates",
RunE: func(cmd *cobra.Command, args []string) error {
return certGen()
},
}
return cmd
}
// certGen generates control plane certificates.
func certGen() error {
cfg, err := getConfig()
if err != nil {
return err
}
log := cfg.Logger
certs, err := crypto.GenerateCerts(cfg)
if err != nil {
return fmt.Errorf("failed to generate certificates: %w", err)
}
log.Info("generated certificates")
cli, err := client.New(clicfg.GetConfigOrDie(), client.Options{Scheme: envoygateway.GetScheme()})
if err != nil {
return fmt.Errorf("failed to create controller-runtime client: %w", err)
}
if err := outputCerts(ctrl.SetupSignalHandler(), cli, cfg, certs); err != nil {
return fmt.Errorf("failed to output certificates: %w", err)
}
return nil
}
// outputCerts outputs the provided certs to a secret in namespace ns.
func outputCerts(ctx context.Context, cli client.Client, cfg *config.Server, certs *crypto.Certificates) error {
var updateSecrets bool
if cfg.EnvoyGateway != nil &&
cfg.EnvoyGateway.Provider != nil &&
cfg.EnvoyGateway.Provider.Kubernetes != nil &&
cfg.EnvoyGateway.Provider.Kubernetes.OverwriteControlPlaneCerts != nil &&
*cfg.EnvoyGateway.Provider.Kubernetes.OverwriteControlPlaneCerts {
updateSecrets = true
}
secrets, err := kubernetes.CreateOrUpdateSecrets(ctx, cli, kubernetes.CertsToSecret(cfg.Namespace, certs), updateSecrets)
log := cfg.Logger
if err != nil {
if errors.Is(err, kubernetes.ErrSecretExists) {
log.Info(err.Error())
} else {
return fmt.Errorf("failed to create or update secrets: %w", err)
}
}
for i := range secrets {
s := secrets[i]
log.Info("created secret", "namespace", s.Namespace, "name", s.Name)
}
return nil
}