-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve filtered certs error reporting #276
Comments
Can we accept this as the new feature? I think I can work on it once the decision is made. |
Please work on it! I think we all agree that the error handling could be improved here. Could you start by describing the proposed solution in more detail? I agree this would become a lesser problem if a bundle is sanitized after reading all sources. But what if the resulting bundle would contain exclusively expired certificates? |
Hello, I would look something like |
Ah, you haven't seen #273? There is now an opt-in to filter out expired certificates in trust-manager. I understand this issue mostly as a usability improvement to this recently added feature. It could make sense to include an expired certificate in a bundle to get better error messages. |
Oh, I didn't see that because pull request wasn't linked to this particular issue. |
It seems most reasonable to validate to validate at least one certificate per bundle, and not per bundle source. /priority important-soon |
Issues go stale after 90d of inactivity. |
I think the issue was fixed by #375. Feel free to reopen if that is not the case. /close |
@erikgb: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
When creating a bundle from a source (configmap, secret, or inline) with exclusively expired certificates, the bundle will fail and indicate that the source contains no PEM data. There is no indication that certs are expired and it can be tricky to troubleshoot.
This is because 'ValidateAndSanitizePEMBundleWithOptions' parses sources individually, therefore if a source has only expired cert(s), the cert(s) will be skipped and the sanitize function will find an empty output thus returning an error.
For example, if I have:
The bundle will fail with this error message:
Warning SourceBuildError 1s (x12 over 12s) bundles Failed to build bundle sources: invalid PEM data in source: bundle contains no PEM certificates
Also, the bundle is pending:
Whereas If I add 1 valid cert to the inline source the bundle would be OK. This is because the sanitize function requires at least one valid cert by source.
I propose to parse and sanitize sources globally and/or at least to improve the error reporting to highlight a cert is expired.
The text was updated successfully, but these errors were encountered: