

[Bugfix] Ignore not owned CAs (#632)
ajanikow authored Sep 8, 2020
1 parent 3f7b548 commit bdfd312
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions pkg/deployment/reconcile/plan_builder_tls.go
Expand Up @@ -461,6 +461,7 @@ func keyfileRenewalRequired(ctx context.Context,
case *url.Error:
switch v.Err.(type) {
case x509.UnknownAuthorityError, x509.CertificateInvalidError:
log.Warn().Err(v.Err).Str("type", reflect.TypeOf(v.Err).String()).Msg("Validation of server cert failed")
return true, true
default:
log.Warn().Err(v.Err).Str("type", reflect.TypeOf(v.Err).String()).Msg("Validation of server cert failed")
Expand All @@ -477,7 +478,12 @@ func keyfileRenewalRequired(ctx context.Context,
continue
}

if ca.Contains(cert) {
continue
}

if time.Now().Add(CertificateRenewalMargin).After(cert.NotAfter) {
log.Warn().Msg("Renewal margin exceeded")
return true, true
}
}
Expand Down Expand Up @@ -512,6 +518,7 @@ func keyfileRenewalRequired(ctx context.Context,
keyfileSha := util.SHA256(keyfile)

if tls.Result.KeyFile.GetSHA().Checksum() != keyfileSha {
log.Warn().Str("current", tls.Result.KeyFile.GetSHA().Checksum()).Str("desired", keyfileSha).Msg("Unable to get tls details")
return true, false
}
}
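Review bot: The new `ca.Contains(cert)` skip drops CA certificates from the NotAfter check with no trace, so a CA certificate bundled in the keyfile that falls inside CertificateRenewalMargin will no longer trigger renewal from this loop and nothing is logged about it. If CA rotation is driven elsewhere (the commit title suggests so, but the hunk does not show it), a comment above the check should say that, e.g. `// CA certificates are not renewed here; presumably the CA reconciler rotates them — confirm`. A `log.Debug().Str("subject", cert.Subject.String()).Time("notAfter", cert.NotAfter).Msg("Skipping CA certificate")` before the `continue` would keep the decision auditable when a renewal is unexpectedly not triggered. The enclosing keyfileRenewalRequired starts and ends outside this hunk, so where `ca` and `cert` come from cannot be confirmed from here.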
