Merge pull request #286 from adityajoshi12/channel-pki

adityajoshi12 · web-flow · commit 4bc5b4b1b51a · 2025-10-23T19:20:34.000+05:30
diff --git a/controllers/certs_vault/provision_certs.go b/controllers/certs_vault/provision_certs.go
@@ -20,6 +20,7 @@ import (
 	hlfv1alpha1 "github.com/kfsoftware/hlf-operator/pkg/apis/hlf.kungfusoftware.es/v1alpha1"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	log "github.com/sirupsen/logrus"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
@@ -376,27 +377,48 @@ func ReenrollUser(clientSet *kubernetes.Clientset, spec *hlfv1alpha1.VaultSpecCo
 		return nil, nil, err
 	}
 
-	// Create CSR data
-	csrData := map[string]interface{}{
-		"common_name": params.EnrollID,
-		"key_type":    "ec",
+	commonName := params.EnrollID
+
+	template := &x509.CertificateRequest{
+		Subject: pkix.Name{
+			CommonName: commonName,
+		},
 	}
-	if len(params.Hosts) > 0 {
-		csrData["alt_names"] = strings.Join(params.Hosts, ",")
+
+	csrDER, err := x509.CreateCertificateRequest(rand.Reader, template, ecdsaKey)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "failed to create CSR")
+	}
+
+	csrPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csrDER,
+	})
+
+	csrData := map[string]interface{}{
+		"csr":                 string(csrPEM),
+		"common_name":         commonName,
+		"use_csr_common_name": true,
+		"use_csr_sans":        true,
+		"key_type":            "ec",
 	}
 	if params.CN != "" {
 		csrData["common_name"] = params.CN
 	}
 
-	// Add TTL if specified in the request
+	if len(params.Hosts) > 0 {
+		csrData["alt_names"] = strings.Join(params.Hosts, ",")
+	}
+
 	if request.TTL != "" {
 		csrData["ttl"] = request.TTL
 	}
 
-	// Request certificate from Vault PKI using existing key
+	log.Infof("reenrolling certs for %s", commonName)
+
 	secret, err := vaultClient.Write(
 		context.Background(),
-		fmt.Sprintf("%s/issue/%s", "pki", "fabric"), // TODO: Make these configurable
+		fmt.Sprintf("%s/sign/%s", request.PKI, request.Role),
 		csrData,
 	)
 	if err != nil {
@@ -478,8 +500,6 @@ func EnrollUser(clientSet *kubernetes.Clientset, vaultConf *hlfv1alpha1.VaultSpe
 		"use_csr_common_name": true,
 		"use_csr_sans":        true,
 	}
-
-	// Add TTL if specified in the request
 	if request.TTL != "" {
 		csrData["ttl"] = request.TTL
 	}
