package cert
import (
	"context"
	"os"
	"path/filepath"
	"time"

	errors "golang.org/x/xerrors"
	"k8s.io/apimachinery/pkg/util/wait"
	"k8s.io/client-go/dynamic"
	"k8s.io/client-go/kubernetes"
	klog "k8s.io/klog/v2"
)
// CertOption describes the certificate WebhookCert manages: its subject and
// hosts, how long it is valid, which Kubernetes Secret backs it and where on
// the local filesystem the mounted copy is expected to appear.
type CertOption struct {
	// CAName and CAOrganizations are consumed by certManager (not in this
	// file) — presumably as the issuing CA's subject; confirm there.
	CAName          string
	CAOrganizations []string
	// Hosts lists the names the certificate is issued for. getHots appends
	// them after the deprecated DNSNames, so both fields are honored.
	Hosts []string
	// Deprecated: use Hosts instead.
	// Still read by getHots, where these entries precede Hosts.
	DNSNames   []string
	CommonName string
	// CertDir is the directory that ensureCertsMounted polls for the
	// certificate file named by SecretInfo.getCertName().
	CertDir string
	// CertValidityDuration is the certificate lifetime. Zero means "use the
	// package default" (see getCertValidityDuration).
	CertValidityDuration time.Duration
	// SecretInfo identifies the Secret (Namespace, certificate key name)
	// that certManager reads and writes.
	SecretInfo SecretInfo
}
// WebhookCert couples a certManager (Secret-backed certificate material) with
// a webhookManager (the webhook configurations whose CA bundle must trust that
// material). Construct it with NewWebhookCert and drive it with EnsureCertReady.
type WebhookCert struct {
	// certOpt is the configuration given to NewWebhookCert; CertDir and
	// SecretInfo are read directly by ensureCertsMounted.
	certOpt CertOption
	// certmanager ensures the Secret exists and parses its artifacts.
	certmanager *certManager
	// webhookmanager receives the certificate PEM via ensureCA so the
	// webhook configurations trust it.
	webhookmanager *webhookManager
}
// NewWebhookCert assembles a WebhookCert from its configuration, the webhooks
// whose CA bundle it should keep in sync, and the two Kubernetes clients it
// needs: a typed client for the backing Secret (scoped to
// certOpt.SecretInfo.Namespace) and a dynamic client for the webhook
// configurations. It performs no API calls itself.
func NewWebhookCert(certOpt CertOption, webhooks []WebhookInfo, kubeclient kubernetes.Interface, dyclient dynamic.Interface) *WebhookCert {
	secrets := kubeclient.CoreV1().Secrets(certOpt.SecretInfo.Namespace)

	cm := &certManager{
		secretInfo:   certOpt.SecretInfo,
		certOpt:      certOpt,
		secretClient: secrets,
	}
	wm := &webhookManager{
		webhooks: webhooks,
		dyclient: dyclient,
	}

	return &WebhookCert{
		certOpt:        certOpt,
		certmanager:    cm,
		webhookmanager: wm,
	}
}
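// EnsureCertReady makes the webhook's serving certificate usable end to end:
// it first ensures the backing Secret exists and its certificate PEM is set
// on the webhook configurations (ensureCert), then waits until the
// certificate file is visible under CertDir (ensureCertsMounted).
//
// Errors are wrapped with the phase that failed so a caller (or an operator
// reading the log) can tell a Secret/webhook problem from a volume-mount
// problem; the original code wrapped both with an empty ": " prefix, which
// lost that distinction.
func (w *WebhookCert) EnsureCertReady(ctx context.Context) error {
	if err := w.ensureCert(ctx); err != nil {
		return errors.Errorf("ensure cert: %w", err)
	}
	klog.Info("ensure cert success")

	if err := w.ensureCertsMounted(ctx); err != nil {
		return errors.Errorf("ensure certs mounted: %w", err)
	}
	klog.Info("ensure cert mounted success")
	return nil
}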
// ensureCert guarantees the certificate Secret exists, parses it into
// artifacts, and hands the certificate PEM to the webhook manager so the
// webhook configurations' CA config matches it. Secret and parse failures are
// wrapped with their step; an ensureCA failure is returned as-is.
func (w *WebhookCert) ensureCert(ctx context.Context) error {
	secret, err := w.certmanager.ensureSecret(ctx)
	if err != nil {
		return errors.Errorf("ensure secret: %w", err)
	}
	klog.Info("ensure secret success")

	artifacts, err := w.certmanager.buildArtifactsFromSecret(secret)
	if err != nil {
		return errors.Errorf("parse secret: %w", err)
	}

	// NOTE(review): the certificate PEM itself is what gets published as the
	// webhook CA here — this only works if the Secret holds a self-signed or
	// CA-capable certificate; confirm in certManager.
	if err := w.webhookmanager.ensureCA(ctx, artifacts.certPEM); err != nil {
		return err
	}
	klog.Info("ensure webhook ca config success")
	return nil
}
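// ensureCertsMounted blocks until the certificate file exists under
// w.certOpt.CertDir (presumably a mounted Secret volume that can lag behind the
// Secret's creation), giving up after a bounded exponential backoff or when
// ctx is done.
//
// Only existence is checked; the file's contents are not validated here.
// Stat errors other than "not found" (for example a permission problem) are
// also retried, but the most recent one is attached to the final error so an
// exhausted backoff explains why the file never became visible instead of
// reporting only the timeout.
func (w *WebhookCert) ensureCertsMounted(ctx context.Context) error {
	// filepath.Join rather than string concatenation: OS-correct separator and
	// no doubled slashes when CertDir already ends with one.
	certFile := filepath.Join(w.certOpt.CertDir, w.certOpt.SecretInfo.getCertName())

	var lastErr error
	checkFn := func() (bool, error) {
		_, err := os.Stat(certFile)
		if err == nil {
			return true, nil
		}
		// Keep polling on any stat failure, but remember the cause so the
		// timeout error below can carry it.
		lastErr = err
		return false, nil
	}

	// 1s doubling over 10 steps is roughly 17 minutes worst case before
	// jitter (Jitter: 1 allows up to +100% per step).
	backoff := wait.Backoff{
		Duration: 1 * time.Second,
		Factor:   2,
		Jitter:   1,
		Steps:    10,
	}
	if err := wait.ExponentialBackoffWithContext(ctx, backoff, checkFn); err != nil {
		if lastErr != nil {
			return errors.Errorf("max retries for checking certs existence (last error: %v): %w", lastErr, err)
		}
		return errors.Errorf("max retries for checking certs existence: %w", err)
	}
	klog.Infof("certs are ready in %s", w.certOpt.CertDir)
	return nil
}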
// getCertValidityDuration returns the configured certificate lifetime, or the
// package-level certValidityDuration when the option is left at zero. Any
// non-zero value (including a negative one) is returned unchanged.
func (c CertOption) getCertValidityDuration() time.Duration {
	if d := c.CertValidityDuration; d != 0 {
		return d
	}
	// Zero means "not configured": fall back to the package default.
	return certValidityDuration
}
// getHots returns the deprecated DNSNames followed by Hosts, in order and
// without de-duplication, so callers still get every name from either field.
// The result is never nil, even when both inputs are empty. (The method name
// is kept as-is because callers depend on it.)
func (c CertOption) getHots() []string {
	all := make([]string, 0, len(c.DNSNames)+len(c.Hosts))
	all = append(all, c.DNSNames...)
	return append(all, c.Hosts...)
}