forked from cert-manager/cert-manager
-
Notifications
You must be signed in to change notification settings - Fork 0
/
issue.go
94 lines (77 loc) · 2.75 KB
/
issue.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
package acme
import (
"bytes"
"context"
"crypto/rand"
"crypto/x509"
"encoding/pem"
"fmt"
"github.com/golang/glog"
k8sErrors "k8s.io/apimachinery/pkg/api/errors"
"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
"github.com/jetstack/cert-manager/pkg/util/errors"
"github.com/jetstack/cert-manager/pkg/util/kube"
"github.com/jetstack/cert-manager/pkg/util/pki"
)
const (
errorIssueCert = "ErrIssueCert"
successCertIssued = "CertIssueSuccess"
messageErrorIssueCert = "Error issuing TLS certificate: "
messageCertIssued = "Certificate issued successfully"
)
func (a *Acme) obtainCertificate(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, error) {
commonName := crt.Spec.CommonName
altNames := crt.Spec.DNSNames
if len(commonName) == 0 && len(altNames) == 0 {
return nil, nil, fmt.Errorf("no domains specified on certificate")
}
cl, err := a.acmeClient()
if err != nil {
return nil, nil, fmt.Errorf("error creating ACME client: %s", err.Error())
}
// get existing certificate private key
key, err := kube.SecretTLSKey(a.secretsLister, crt.Namespace, crt.Spec.SecretName)
if k8sErrors.IsNotFound(err) || errors.IsInvalidData(err) {
key, err = pki.GenerateRSAPrivateKey(2048)
if err != nil {
return nil, nil, fmt.Errorf("error generating private key: %s", err.Error())
}
}
if err != nil {
return nil, nil, fmt.Errorf("error getting certificate private key: %s", err.Error())
}
// generate a csr
template := pki.GenerateCSR(commonName, altNames...)
csr, err := x509.CreateCertificateRequest(rand.Reader, template, key)
if err != nil {
return nil, nil, fmt.Errorf("error creating certificate request: %s", err)
}
// obtain a certificate from the acme server
certSlice, certURL, err := cl.CreateCert(
ctx,
csr,
0,
true,
)
if err != nil {
return nil, nil, fmt.Errorf("error getting certificate for acme server: %s", err)
}
// encode the retrieved certificate
certBuffer := bytes.NewBuffer([]byte{})
for _, cert := range certSlice {
pem.Encode(certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: cert})
}
glog.V(2).Infof("successfully got certificate: cn=%q altNames=%+v url=%q", commonName, altNames, certURL)
// encode the private key and return
return pki.EncodePKCS1PrivateKey(key), certBuffer.Bytes(), nil
}
func (a *Acme) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, error) {
key, cert, err := a.obtainCertificate(ctx, crt)
if err != nil {
s := messageErrorIssueCert + err.Error()
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorIssueCert, s)
return nil, nil, err
}
crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionTrue, successCertIssued, messageCertIssued)
return key, cert, err
}