diff --git a/pkg/authority/certificate/tls.go b/internal/certificate/generate.go
similarity index 77%
rename from pkg/authority/certificate/tls.go
rename to internal/certificate/generate.go
index 7c338ce..21d7e27 100644
--- a/pkg/authority/certificate/tls.go
+++ b/internal/certificate/generate.go
@@ -21,11 +21,8 @@ import (
 "crypto/ecdsa"
 "crypto/elliptic"
 "crypto/rand"
- "crypto/tls"
 "crypto/x509"
 "crypto/x509/pkix"
- "errors"
- "sync/atomic"
 "time"
 
 "github.com/cert-manager/webhook-cert-lib/internal/pki"
@@ -100,30 +97,3 @@ func GenerateCA(
 _, cert, err := pki.SignCertificate(template, template, pk.Public(), pk)
 return cert, pk, err
 }
-
-var (
- ErrCertNotAvailable = errors.New("no tls.Certificate available")
-)
-
-type Holder struct {
- certP atomic.Pointer[tls.Certificate]
-}
-
-func (h *Holder) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
- cert := h.certP.Load()
- if cert == nil {
- return nil, ErrCertNotAvailable
- }
- return cert, nil
-}
-
-func (h *Holder) SetCertificate(cert *tls.Certificate) {
- h.certP.Store(cert)
-}
-
-// RenewAfter returns the duration until the certificate should be renewed.
-func RenewAfter(cert *x509.Certificate) time.Duration {
- lifetime := cert.NotAfter.Sub(cert.NotBefore)
- renewTime := cert.NotBefore.Add(lifetime * 2 / 3)
- return time.Until(renewTime)
-}
diff --git a/internal/certificate/holder.go b/internal/certificate/holder.go
new file mode 100644
index 0000000..29bd50f
--- /dev/null
+++ b/internal/certificate/holder.go
@@ -0,0 +1,43 @@
+/*
+Copyright 2025 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificate
+
+import (
+ "crypto/tls"
+ "errors"
+ "sync/atomic"
+)
+
+var (
+ ErrCertNotAvailable = errors.New("no tls.Certificate available")
+)
+
+type Holder struct {
+ certP atomic.Pointer[tls.Certificate]
+}
+
+func (h *Holder) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+ cert := h.certP.Load()
+ if cert == nil {
+ return nil, ErrCertNotAvailable
+ }
+ return cert, nil
+}
+
+func (h *Holder) SetCertificate(cert *tls.Certificate) {
+ h.certP.Store(cert)
+}
diff --git a/internal/certificate/renew.go b/internal/certificate/renew.go
new file mode 100644
index 0000000..4cbeeca
--- /dev/null
+++ b/internal/certificate/renew.go
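Review bot: The exported names in holder.go — `ErrCertNotAvailable`, `Holder`, `GetCertificate` and `SetCertificate` — have no doc comments, so nothing in the file says that `GetCertificate` is shaped to be assigned to `tls.Config.GetCertificate` and that handshakes are refused with `ErrCertNotAvailable` until `SetCertificate` has been called once. Suggest `// Holder publishes the serving certificate to TLS handshakes; the zero value is usable but serves no certificate until SetCertificate is called.` on the type, `// GetCertificate has the signature of tls.Config.GetCertificate and returns the most recently stored certificate, or ErrCertNotAvailable when none has been set.` on the getter, and a note on `SetCertificate` that the stored `*tls.Certificate` is handed to concurrent handshakes as-is, so callers must not mutate it after storing. Since `atomic.Pointer` is not safe to copy after first use (go vet's copylocks check should flag value copies), the type comment should also say that `Holder` is meant to be used only through a pointer.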
@@ -0,0 +1,29 @@
+/*
+Copyright 2025 The cert-manager Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package certificate
+
+import (
+ "crypto/x509"
+ "time"
+)
+
+// RenewAfter returns the duration until the certificate should be renewed.
+func RenewAfter(cert *x509.Certificate) time.Duration {
+ lifetime := cert.NotAfter.Sub(cert.NotBefore)
+ renewTime := cert.NotBefore.Add(lifetime * 2 / 3)
+ return time.Until(renewTime)
+}
diff --git a/pkg/authority/authority.go b/pkg/authority/authority.go
index b5fa61d..31c9e31 100644
--- a/pkg/authority/authority.go
+++ b/pkg/authority/authority.go
@@ -28,8 +28,8 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/cache"
 "sigs.k8s.io/controller-runtime/pkg/client"
 
+ "github.com/cert-manager/webhook-cert-lib/internal/certificate"
 "github.com/cert-manager/webhook-cert-lib/pkg/authority/api"
- "github.com/cert-manager/webhook-cert-lib/pkg/authority/certificate"
 "github.com/cert-manager/webhook-cert-lib/pkg/authority/injectable"
 )
 
diff --git a/pkg/authority/ca_secret_controller.go b/pkg/authority/ca_secret_controller.go
index 773db7c..8f1d55c 100644
--- a/pkg/authority/ca_secret_controller.go
+++ b/pkg/authority/ca_secret_controller.go
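Review bot: `lifetime * 2 / 3` in RenewAfter can overflow: `Time.Sub` saturates at the maximum `time.Duration` (roughly 292 years) when NotAfter is far from NotBefore, and doubling that value wraps negative, so a very long-lived certificate (for example one carrying the RFC 5280 "no well-defined expiration" date 99991231235959Z) would most likely get a renewal time before NotBefore and a negative result, i.e. "renew now" on every call. Computing `renewTime := cert.NotBefore.Add(lifetime - lifetime/3)` reaches the same two-thirds point without the intermediate doubling. The doc comment should also state that the result is zero or negative once the renewal point has already passed, so callers know to treat that as an immediate renewal, and that NotBefore and NotAfter are taken as found on the certificate with no check that NotAfter follows NotBefore.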
@@ -33,9 +33,9 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/log"
 "sigs.k8s.io/controller-runtime/pkg/source"
 
+ "github.com/cert-manager/webhook-cert-lib/internal/certificate"
 "github.com/cert-manager/webhook-cert-lib/internal/pki"
 "github.com/cert-manager/webhook-cert-lib/pkg/authority/api"
- "github.com/cert-manager/webhook-cert-lib/pkg/authority/certificate"
 "github.com/cert-manager/webhook-cert-lib/pkg/authority/internal/ssa"
 )
 
diff --git a/pkg/authority/leaf_cert_controller.go b/pkg/authority/leaf_cert_controller.go
index 90e33e0..ff8218d 100644
--- a/pkg/authority/leaf_cert_controller.go
+++ b/pkg/authority/leaf_cert_controller.go
@@ -27,8 +27,8 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/controller"
 "sigs.k8s.io/controller-runtime/pkg/handler"
 
+ "github.com/cert-manager/webhook-cert-lib/internal/certificate"
 "github.com/cert-manager/webhook-cert-lib/internal/pki"
- "github.com/cert-manager/webhook-cert-lib/pkg/authority/certificate"
 )
 
 // LeafCertReconciler reconciles the leaf/serving certificate
diff --git a/test/leaf_cert_controller_test.go b/test/leaf_cert_controller_test.go
index 21ec554..6129cfc 100644
--- a/test/leaf_cert_controller_test.go
+++ b/test/leaf_cert_controller_test.go
@@ -20,10 +20,10 @@ import (
 "crypto/tls"
 "time"
 
+ "github.com/cert-manager/webhook-cert-lib/internal/certificate"
 "github.com/cert-manager/webhook-cert-lib/internal/pki"
 "github.com/cert-manager/webhook-cert-lib/pkg/authority"
 "github.com/cert-manager/webhook-cert-lib/pkg/authority/api"
- "github.com/cert-manager/webhook-cert-lib/pkg/authority/certificate"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/client-go/kubernetes/scheme"