- // 7. Sign CertificateRequest
- signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest)
+ // 7. Get private key matching CertificateRequest
+ privateKeySecretName := certificateRequest.ObjectMeta.Annotations[privateKeySecretNameAnnotation]
+ privateKeySecretNamespaceName := types.NamespacedName{
+ Namespace: k8sRequest.Namespace,
+ Name: privateKeySecretName,
+ }
+ var privateKeySecret core.Secret
+ if err := controller.Client.Get(ctx, privateKeySecretNamespaceName, &privateKeySecret); err != nil {
+ controller.handleErrorGettingPrivateKey(ctx, log, err, certificateRequest, privateKeySecretNamespaceName)
+ return ctrl.Result{}, err
+ }
+ privateKeyBytes := privateKeySecret.Data[privateKeySecretKey]
+
+ // 8. Sign CertificateRequest
+ signedPEM, trustedCAs, err := provisioner.Sign(ctx, certificateRequest, privateKeyBytes)