certificates: update controllers to understand signerName field

Signed-off-by: James Munnelly <james.munnelly@jetstack.io> Kubernetes-commit: d5dae048983cd299cdce9d2703f564bf4bd246ee
2025-09-20 02:28:20 +00:00 · 2020-02-17 23:06:02 +00:00
parent dd730ded40
commit e8be24fd4c
2 changed files with 10 additions and 4 deletions
--- a/util/certificate/certificate_manager.go
+++ b/util/certificate/certificate_manager.go
@@ -85,6 +85,9 @@ type Config struct {
 	// If no template is available, nil may be returned, and no certificate will be requested.
 	// If specified, takes precedence over Template.
 	GetTemplate func() *x509.CertificateRequest
+	// SignerName is the name of the certificate signer that should sign certificates
+	// generated by the manager.
+	SignerName string
 	// Usages is the types of usages that certificates generated by the manager
 	// can be used for.
 	Usages []certificates.KeyUsage
@@ -174,6 +177,7 @@ type manager struct {
 	lastRequest       *x509.CertificateRequest

 	dynamicTemplate bool
+	signerName      string
 	usages          []certificates.KeyUsage
 	forceRotation   bool

@@ -219,6 +223,7 @@ func NewManager(config *Config) (Manager, error) {
 		clientFn:                config.ClientFn,
 		getTemplate:             getTemplate,
 		dynamicTemplate:         config.GetTemplate != nil,
+		signerName:              config.SignerName,
 		usages:                  config.Usages,
 		certStore:               config.CertificateStore,
 		cert:                    cert,
@@ -424,7 +429,7 @@ func (m *manager) rotateCerts() (bool, error) {

 	// Call the Certificate Signing Request API to get a certificate for the
 	// new private key.
-	req, err := csr.RequestCertificate(client, csrPEM, "", m.usages, privateKey)
+	req, err := csr.RequestCertificate(client, csrPEM, "", m.signerName, m.usages, privateKey)
 	if err != nil {
 		utilruntime.HandleError(fmt.Errorf("Failed while requesting a signed certificate from the master: %v", err))
 		if m.certificateRenewFailure != nil {
--- a/util/certificate/csr/csr.go
+++ b/util/certificate/csr/csr.go
@@ -46,7 +46,7 @@ import (
 // status, once approved by API server, it will return the API server's issued
 // certificate (pem-encoded). If there is any errors, or the watch timeouts, it
 // will return an error.
-func RequestCertificate(client certificatesclient.CertificateSigningRequestInterface, csrData []byte, name string, usages []certificates.KeyUsage, privateKey interface{}) (req *certificates.CertificateSigningRequest, err error) {
+func RequestCertificate(client certificatesclient.CertificateSigningRequestInterface, csrData []byte, name string, signerName string, usages []certificates.KeyUsage, privateKey interface{}) (req *certificates.CertificateSigningRequest, err error) {
 	csr := &certificates.CertificateSigningRequest{
 		// Username, UID, Groups will be injected by API server.
 		TypeMeta: metav1.TypeMeta{Kind: "CertificateSigningRequest"},
@@ -54,8 +54,9 @@ func RequestCertificate(client certificatesclient.CertificateSigningRequestInter
 			Name: name,
 		},
 		Spec: certificates.CertificateSigningRequestSpec{
-			Request: csrData,
-			Usages:  usages,
+			Request:    csrData,
+			Usages:     usages,
+			SignerName: &signerName,
 		},
 	}
 	if len(csr.Name) == 0 {