Fix tls Secret creation when upstream contains a port (contains :)

gardener · Nov 14, 2024 · 2c3f06e · 2c3f06e
1 parent f96039b
commit 2c3f06e
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 7 deletions.
diff --git a/pkg/component/registrycaches/registry_caches.go b/pkg/component/registrycaches/registry_caches.go
@@ -199,13 +199,15 @@ func (r *registryCaches) computeResourcesData(ctx context.Context, secrets map[s
 
 	remappedSecrets := make(map[string]*corev1.Secret, len(secrets))
 	for _, secret := range secrets {
-		remappedSecrets[strings.TrimSuffix(secret.Labels["name"], "-tls")] = secret
+		remappedSecrets[secret.Labels["name"]] = secret
 	}
 
 	for _, cache := range r.values.Caches {
-		secret, ok := remappedSecrets[cache.Upstream]
+		tlsSecretName := strings.ReplaceAll(cache.Upstream, ":", "-") + "-tls"
+
+		secret, ok := remappedSecrets[tlsSecretName]
 		if !ok {
-			return nil, fmt.Errorf("secret for %s upstream not found", cache.Upstream)
+			return nil, fmt.Errorf("secret for upstream %s not found", cache.Upstream)
 		}
 		cacheObjects, err := r.computeResourcesDataForRegistryCache(ctx, &cache, secret)
 		if err != nil {

diff --git a/pkg/component/registrycaches/registry_caches_test.go b/pkg/component/registrycaches/registry_caches_test.go
@@ -365,7 +365,7 @@ status: {}
 			})
 
 			It("should return error", func() {
-				Expect(registryCaches.Deploy(ctx)).To(MatchError(ContainSubstring("secret for docker.io upstream not found")))
+				Expect(registryCaches.Deploy(ctx)).To(MatchError(ContainSubstring("secret for upstream docker.io not found")))
 			})
 		})
 

diff --git a/pkg/secrets/config.go b/pkg/secrets/config.go
@@ -6,6 +6,7 @@ package secrets
 
 import (
 	"net"
+	"strings"
 	"time"
 
 	extensionssecretsmanager "github.com/gardener/gardener/extensions/pkg/util/secret/manager"
@@ -38,10 +39,13 @@ func ConfigsFor(services []corev1.Service) []extensionssecretsmanager.SecretConf
 		},
 	}
 	for _, service := range services {
+		upstream := service.Annotations[constants.UpstreamAnnotation]
+		name := strings.ReplaceAll(upstream, ":", "-") + "-tls"
+
 		configs = append(configs, extensionssecretsmanager.SecretConfigWithOptions{
 			Config: &secretutils.CertificateSecretConfig{
-				Name:                        service.Annotations[constants.UpstreamAnnotation] + "-tls",
-				CommonName:                  service.Annotations[constants.UpstreamAnnotation] + "-tls",
+				Name:                        name,
+				CommonName:                  name,
 				CertType:                    secretutils.ServerCert,
 				IPAddresses:                 []net.IP{net.ParseIP(service.Spec.ClusterIP).To4()},
 				Validity:                    ptr.To(90 * 24 * time.Hour),

diff --git a/pkg/utils/registry/registry.go b/pkg/utils/registry/registry.go
@@ -32,7 +32,7 @@ func GetLabels(name, upstreamLabel string) map[string]string {
 
 // ComputeUpstreamLabelValue computes upstream-host label value by given upstream.
 //
-// Upstream is a valid DNS subdomain (RFC 1123) and optionally a port (e.g. my-registry.io[:5000])
+// Upstream is a valid DNS subdomain (RFC 1123) and optionally a port (e.g. my-registry.io[:5000]).
 // It is used as an 'upstream-host' label value on registry cache resources (Service, Secret, StatefulSet and VPA).
 // Label values cannot contain ':' char, so if upstream is '<host>:<port>' the label value is transformed to '<host>-<port>'.
 // It is also used to build the resources names escaping the '.' with '-'; e.g. `registry-<escaped_upstreamLabel>`.
-Original file line number
+Diff line change
@@ Expand Up / @@ -365,7 +365,7 @@ status: {} @@
     			})
     			It("should return error", func() {
-    				Expect(registryCaches.Deploy(ctx)).To(MatchError(ContainSubstring("secret for docker.io upstream not found")))
+    				Expect(registryCaches.Deploy(ctx)).To(MatchError(ContainSubstring("secret for upstream docker.io not found")))
     			})
     		})
@@ Expand Down @@