Include System Certs if available

We should include the certificates in the standard system certificates location if available. If we have customers who want to generically deploy a specific internal set of certificates, being able to replace them in the standard location may be preferable.
datastax · Jun 3, 2020 · 81a86a8 · 81a86a8
1 parent fdef27f
commit 81a86a8
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/operator/cmd/manager/webhook.go b/operator/cmd/manager/webhook.go
@@ -26,12 +26,16 @@ func ensureWebhookCertificate(cfg *rest.Config, namespace string) (err error) {
 	var webhook map[string]interface{}
 	var bundled string
 	var client crclient.Client
+	var certpool *x509.CertPool
 	if contents, err = ioutil.ReadFile(serverCertFile); err == nil && len(contents) > 0 {
 		if client, err = crclient.New(cfg, crclient.Options{}); err == nil {
 			if err, _, webhook, _ = fetchWebhookForNamespace(client, namespace); err == nil {
 				if bundled, _, err = unstructured.NestedString(webhook, "clientConfig", "caBundle"); err == nil {
 					if base64.StdEncoding.EncodeToString([]byte(contents)) == bundled {
-						certpool := x509.NewCertPool()
+						certpool, err = x509.SystemCertPool()
+						if err != nil {
+							certpool = x509.NewCertPool()
+						}
 						var block *pem.Block
 						if block, _ = pem.Decode(contents); err == nil && block != nil {
 							var cert *x509.Certificate