Update CA issuer to return the CA cert pem

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
lrsmith · Sep 13, 2018 · 58efbc0 · 58efbc0
1 parent 280382e
commit 58efbc0
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 19 deletions.
diff --git a/pkg/issuer/ca/issue.go b/pkg/issuer/ca/issue.go
@@ -18,6 +18,7 @@ package ca
 
 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
@@ -44,7 +45,7 @@ const (
 	messageCertIssued = "Certificate issued successfully"
 )
 
-func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, error) {
+func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, []byte, error) {
 	signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName)
 
 	if k8sErrors.IsNotFound(err) || errors.IsInvalidData(err) {
@@ -54,22 +55,27 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []by
 	if err != nil {
 		s := messageErrorGetCertKeyPair + err.Error()
 		crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorGetCertKeyPair, s, false)
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 
 	publicKey, err := pki.PublicKeyForPrivateKey(signeeKey)
 	if err != nil {
 		s := messageErrorPublicKey + err.Error()
 		crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorGetPublicKey, s, false)
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 
-	certPem, err := c.obtainCertificate(crt, publicKey)
+	caCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	certPem, err := c.obtainCertificate(crt, publicKey, caCert)
 
 	if err != nil {
 		s := messageErrorIssueCert + err.Error()
 		crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorIssueCert, s, false)
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 
 	crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionTrue, successCertIssued, messageCertIssued, true)
@@ -78,24 +84,24 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []by
 	if err != nil {
 		s := messageErrorEncodePrivateKey + err.Error()
 		crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorEncodePrivateKey, s, false)
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 
-	return keyPem, certPem, nil
+	caPem, err := pki.EncodeX509(caCert)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	return keyPem, certPem, caPem, nil
 }
 
-func (c *CA) obtainCertificate(crt *v1alpha1.Certificate, signeeKey interface{}) ([]byte, error) {
+func (c *CA) obtainCertificate(crt *v1alpha1.Certificate, signeeKey interface{}, signerCert *x509.Certificate) ([]byte, error) {
 	commonName := crt.Spec.CommonName
 	altNames := crt.Spec.DNSNames
 	if len(commonName) == 0 && len(altNames) == 0 {
 		return nil, fmt.Errorf("no domains specified on certificate")
 	}
 
-	signerCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
-	if err != nil {
-		return nil, fmt.Errorf("error getting issuer certificate: %s", err.Error())
-	}
-
 	signerKey, err := kube.SecretTLSKey(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
 	if err != nil {
 		return nil, fmt.Errorf("error getting issuer private key: %s", err.Error())

diff --git a/pkg/issuer/ca/renew.go b/pkg/issuer/ca/renew.go
@@ -34,21 +34,26 @@ const (
 	messageCertRenewed = "Certificate issued successfully"
 )
 
-func (c *CA) Renew(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, error) {
+func (c *CA) Renew(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, []byte, error) {
 	signeeKey, err := kube.SecretTLSKey(c.secretsLister, crt.Namespace, crt.Spec.SecretName)
 
 	if err != nil {
 		s := messageErrorGetCertKeyPair + err.Error()
 		crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorGetCertKeyPair, s, false)
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 
-	certPem, err := c.obtainCertificate(crt, signeeKey)
+	caCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	certPem, err := c.obtainCertificate(crt, signeeKey, caCert)
 
 	if err != nil {
 		s := messageErrorRenewCert + err.Error()
 		crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorRenewCert, s, false)
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
 
 	crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionTrue, successCertRenewed, messageCertRenewed, true)
@@ -57,8 +62,13 @@ func (c *CA) Renew(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []by
 	if err != nil {
 		s := messageErrorEncodePrivateKey + err.Error()
 		crt.UpdateStatusCondition(v1alpha1.CertificateConditionReady, v1alpha1.ConditionFalse, errorEncodePrivateKey, s, false)
-		return nil, nil, err
+		return nil, nil, nil, err
+	}
+
+	caPem, err := pki.EncodeX509(caCert)
+	if err != nil {
+		return nil, nil, nil, err
 	}
 
-	return keyPem, certPem, nil
+	return keyPem, certPem, caPem, nil
 }