From 0bf8627cc3f6895dcec2df5ff5628f7bdbb6e92d Mon Sep 17 00:00:00 2001
From: Stavros kois
Date: Mon, 12 Dec 2022 15:22:48 +0200
Subject: [PATCH] fail if cert is revoked or expired
---
 .../1.0.0/templates/class/_certifcate.tpl | 6 ++--
 .../1.0.0/templates/lib/certificate/_cert.tpl | 35 +++++++++----------
 2 files changed, 20 insertions(+), 21 deletions(-)
diff --git a/library/common/1.0.0/templates/class/_certifcate.tpl b/library/common/1.0.0/templates/class/_certifcate.tpl
index 79ec8a12ed..094a9f3cd0 100644
--- a/library/common/1.0.0/templates/class/_certifcate.tpl
+++ b/library/common/1.0.0/templates/class/_certifcate.tpl
@@ -4,7 +4,7 @@
 {{- $certName := "TODO: Get the certName" -}}
- {{- if include "ix.v1.common.certificate.exists" (dict "root" $root "certName" $certName) }}
+ {{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certName" $certName)) }}
 ---
 apiVersion: {{ include "ix.v1.common.capabilities.secret.apiVersion" . }}
 kind: Secret
@@ -22,7 +22,7 @@ metadata:
 {{- . | nindent 4 }}
 {{- end }}
 data:
- tls.crt:
- tls.key:
+ tls.crt: {{ include "ix.v1.common.certificate.get" (dict "root" $root "certName" $certName "key" "certificate") }}
+ tls.key: {{ include "ix.v1.common.certificate.get" (dict "root" $root "certName" $certName "key" "privatekey") }}
 {{- end -}}
 {{- end -}}
diff --git a/library/common/1.0.0/templates/lib/certificate/_cert.tpl b/library/common/1.0.0/templates/lib/certificate/_cert.tpl
index a55f6789b1..efac0eb8bb 100644
--- a/library/common/1.0.0/templates/lib/certificate/_cert.tpl
+++ b/library/common/1.0.0/templates/lib/certificate/_cert.tpl
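Review bot: The new `tls.crt` and `tls.key` values in the second hunk of `_certifcate.tpl` are placed under `data:` without base64 encoding, but a Kubernetes Secret's `data` map must contain base64 strings; if `ixCertificates` holds raw PEM (which the `certificate`/`privatekey` field names suggest but this diff cannot confirm), the API server will reject the object and a multi-line PEM would also break the YAML. Either pipe the values through `b64enc`, `tls.crt: {{ include "ix.v1.common.certificate.get" (dict "root" $root "certName" $certName "key" "certificate") | b64enc }}` and likewise for `tls.key`, or emit them under `stringData:` instead. The `$certName := "TODO: Get the certName"` placeholder on the context line above is pre-existing, so the rendered Secret cannot be exercised end to end until that is resolved. The enclosing define begins before the first hunk.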
@@ -11,29 +11,28 @@ This checks that the certName exists as a key/dict.
 {{- end -}}
 {{/*
-Returns the certificate
+Returns any key (based on the .key value)
+Example keys (certificate, privatekey, expired, revoked)
 */}}
-{{- define "ix.v1.common.certificate.cert" -}}
+{{- define "ix.v1.common.certificate.get" -}}
 {{- $certName := .certName -}}
 {{- $root := .root -}}
+ {{- $key := .key -}}
+ {{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certName" $certName)) -}}
 {{- $certificate := (get $root.Values.ixCertificates (toString $certName)) -}}
- {{- $certificate.certificate -}}
+ {{- if eq (get $certificate "revoked") "true" -}}
+ {{- fail (printf "Certificate (%s) has been revoked." $certName) -}}
+ {{- end -}}
+ {{- if eq (get $certificate "expired") "true" -}}
+ {{- fail (printf "Certificate (%s) has been expired." $certName) -}}
+ {{- end -}}
+ {{- if (hasKey $certificate "key") -}}
+ {{- get $certificate "key" -}}
+ {{- else -}}
+ {{- fail (printf "Key (%s) does not exist in certificate (%s)" $key $certName) -}}
+ {{- end -}}
 {{- else -}}
- {{ fail (printf "Certificate (%s) did not found." $certName) }}
- {{- end -}}
-{{- end -}}
-
-{{/*
-Returns the privateKey
-*/}}
-{{- define "ix.v1.common.certificate.privatekey" -}}
- {{- $certName := .certName -}}
- {{- $root := .root -}}
- {{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certName" $certName)) -}}
- {{- $privateKey := (get $root.Values.ixCertificates (toString $certName)) -}}
- {{- $privateKey.privatekey -}}
- {{- else -}}
- {{ fail (printf "Certificate (%s) did not found." $certName) }}
+ {{- fail (printf "Certificate (%s) did not found." $certName) -}}
 {{- end -}}
 {{- end -}}
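Review bot: `hasKey $certificate "key"` and `get $certificate "key"` in the new `ix.v1.common.certificate.get` look up the literal string `"key"` instead of the `$key` variable, so callers passing `"certificate"` or `"privatekey"` will always hit the `Key (...) does not exist` fail (or return an unrelated `key` entry if one exists); change them to `{{- if (hasKey $certificate $key) -}}` and `{{- get $certificate $key -}}`. The revoked/expired guards compare against the string `"true"`; if those fields arrive as YAML booleans rather than strings, Go's `eq` errors on the mismatched types instead of producing the intended `fail` message, so confirm the value type or wrap with `toString`. An absent `revoked`/`expired` key silently passes the check, which is acceptable only if the producer always sets both; a short comment such as `{{/* revoked/expired are expected as "true"/"false" strings; a missing key is treated as not revoked/expired */}}` would make that contract explicit. The error strings `has been expired` and `did not found` would read better as `has expired` and `was not found`.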