
Commit 14f2335

committed
pkg/tlsutil: implement the case where none of CA and App TLS assets are found
1 parent c30b06b commit 14f2335


1 file changed

+45
-30
lines changed


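--- a/pkg/tlsutil/tls.go
+++ b/pkg/tlsutil/tls.go
@@ -157,7 +157,8 @@ func (scg *SDKCertGenerator) GenerateCert(cr runtime.Object, service *v1.Service
 if err != nil {
 return nil, nil, nil, err
 }
-caSecret, caConfigMap, err := getCASecretAndConfigMapInCluster(scg.KubeClient, ToCASecretAndConfigMapName(k, n), ns)
+caSecretAndConfigMapName := ToCASecretAndConfigMapName(k, n)
+caSecret, caConfigMap, err := getCASecretAndConfigMapInCluster(scg.KubeClient, caSecretAndConfigMapName, ns)
 if err != nil {
 return nil, nil, nil, err
 }
@@ -186,15 +187,44 @@ func (scg *SDKCertGenerator) GenerateCert(cr runtime.Object, service *v1.Service
 if err != nil {
 return nil, nil, nil, err
 }
-appSecret, err := scg.KubeClient.CoreV1().Secrets(ns).Create(toTLSSecret(key, cert, appSecretName, ns))
+appSecret, err := scg.KubeClient.CoreV1().Secrets(ns).Create(toTLSSecret(key, cert, appSecretName))
 if err != nil {
 return nil, nil, nil, err
 }
 return appSecret, caConfigMap, caSecret, nil
 } else {
-// TODO: handle the case where both CA and Application TLS assets don't exist.
+// case: both CA and Application TLS assets don't exist.
+caKey, err := newPrivateKey()
+if err != nil {
+return nil, nil, nil, err
+}
+caCert, err := newSelfSignedCACertificate(caKey)
+if err != nil {
+return nil, nil, nil, err
+}
+caSecret, caConfigMap := toCASecretAndConfigmap(caKey, caCert, caSecretAndConfigMapName)
+caSecret, err = scg.KubeClient.CoreV1().Secrets(ns).Create(caSecret)
+if err != nil {
+return nil, nil, nil, err
+}
+caConfigMap, err = scg.KubeClient.CoreV1().ConfigMaps(ns).Create(caConfigMap)
+if err != nil {
+return nil, nil, nil, err
+}
+key, err := newPrivateKey()
+if err != nil {
+return nil, nil, nil, err
+}
+cert, err := newSignedCertificate(config, service, key, caCert, caKey)
+if err != nil {
+return nil, nil, nil, err
+}
+appSecret, err := scg.KubeClient.CoreV1().Secrets(ns).Create(toTLSSecret(key, cert, appSecretName))
+if err != nil {
+return nil, nil, nil, err
+}
+return appSecret, caConfigMap, caSecret, nil
 }
-return nil, nil, nil, nil
 }
 
 func verifyConfig(config *CertConfig) error {
@@ -276,15 +306,10 @@ func toKindNameNamespace(cr runtime.Object) (string, string, string, error) {
 
 // toTLSSecret returns a client/server "kubernetes.io/tls" secret.
 // TODO: add owner ref.
-func toTLSSecret(key *rsa.PrivateKey, cert *x509.Certificate, name, namespace string) *v1.Secret {
+func toTLSSecret(key *rsa.PrivateKey, cert *x509.Certificate, name string) *v1.Secret {
 return &v1.Secret{
-TypeMeta: metav1.TypeMeta{
-Kind: "Secret",
-APIVersion: "v1",
-},
 ObjectMeta: metav1.ObjectMeta{
-Name: name,
-Namespace: namespace,
+Name: name,
 },
 Data: map[string][]byte{
 v1.TLSPrivateKeyKey: encodePrivateKeyPEM(key),
@@ -295,30 +320,20 @@ func toTLSSecret(key *rsa.PrivateKey, cert *x509.Certificate, name, namespace st
 }
 
 // TODO: add owner ref.
-func toCASecretAndConfigmap(key *rsa.PrivateKey, cert *x509.Certificate, name, namespace string) (*v1.ConfigMap, *v1.Secret) {
-return &v1.ConfigMap{
-TypeMeta: metav1.TypeMeta{
-Kind: "ConfigMap",
-APIVersion: "v1",
-},
+func toCASecretAndConfigmap(key *rsa.PrivateKey, cert *x509.Certificate, name string) (*v1.Secret, *v1.ConfigMap) {
+return &v1.Secret{
 ObjectMeta: metav1.ObjectMeta{
-Name: name,
-Namespace: namespace,
+Name: name,
 },
-Data: map[string]string{
-TLSCACertKey: string(encodeCertificatePEM(cert)),
-},
-}, &v1.Secret{
-TypeMeta: metav1.TypeMeta{
-Kind: "Secret",
-APIVersion: "v1",
+Data: map[string][]byte{
+TLSPrivateCAKeyKey: encodePrivateKeyPEM(key),
 },
+}, &v1.ConfigMap{
 ObjectMeta: metav1.ObjectMeta{
-Name: name,
-Namespace: namespace,
+Name: name,
 },
-Data: map[string][]byte{
-TLSPrivateCAKeyKey: encodePrivateKeyPEM(key),
+Data: map[string]string{
+TLSCACertKey: string(encodeCertificatePEM(cert)),
 },
 }
 }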
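Review bot: The new else-branch in GenerateCert creates three cluster objects in sequence (the CA Secret at new line 206, the CA ConfigMap at 210, the app Secret at 222) with no rollback, so a failure on the second or third Create returns an error but leaves a CA Secret holding the freshly generated CA private key behind, and the next call will then find a CA Secret without its ConfigMap; how getCASecretAndConfigMapInCluster treats that mixed state is outside this hunk. Consider a best-effort cleanup on the ConfigMap and app-Secret failure paths, e.g. `_ = scg.KubeClient.CoreV1().Secrets(ns).Delete(caSecret.Name, &metav1.DeleteOptions{})` before the `return nil, nil, nil, err`, or at least extend the branch comment to state that a partially created CA pair is expected to be repaired on retry. The comment `// case: both CA and Application TLS assets don't exist.` would also be clearer if it said that the CA private key is stored only in the Secret while the CA certificate goes to the ConfigMap, which is why toCASecretAndConfigmap now returns (Secret, ConfigMap) in that order. GenerateCert's signature and the earlier branch conditions lie outside the hunks shown.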
