enhance notifications when a cert is loaded or not
Signed-off-by: pjuarezd <[email protected]>
pjuarezd committed May 24, 2024
1 parent fd42e9e commit 1e336a1
Showing 2 changed files with 33 additions and 12 deletions.
8 changes: 5 additions & 3 deletions pkg/controller/main-controller.go
Expand Up @@ -1412,13 +1412,15 @@ func (c *Controller) handleSecret(obj interface{}, oldObj interface{}) {
if secret.Namespace == ns {
// a secret with prefix "operator-ca-tls" changed, reload all trusted CA certificates
if strings.HasPrefix(secret.Name, OperatorCATLSSecretName) {
klog.Infof("secret '%s' found, adding TLS certs in it to trusted CA's", secret.Name)
klog.Infof("Secret '%s/%s' changed", secret.Namespace, secret.Name)
var oldSecret *corev1.Secret
if oldSecret != nil {
if oldObj != nil {
oldSecret = oldObj.(*corev1.Secret)
}
// Add new certificates to Transport Certs if any changed
c.TrustTLSCertificatesInSecretIfChanged(secret, oldSecret)
if !c.TrustTLSCertificatesInSecretIfChanged(secret, oldSecret) {
klog.Infof("No new certificate was added from secret '%s/%s'", secret.Name, secret.Name)
}
}
}
}
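Review bot: The new `No new certificate was added` message on the last added line passes `secret.Name` for both `%s` verbs, so the namespace is never printed; it should read `klog.Infof("No new certificate was added from secret '%s/%s'", secret.Namespace, secret.Name)` to match the `Secret '%s/%s' changed` line above it. Replacing the dead `oldSecret != nil` check with `oldObj != nil` also makes the single-value assertion `oldSecret = oldObj.(*corev1.Secret)` reachable for the first time; if this handler is ever passed a non-`*corev1.Secret` value (for example a tombstone wrapper from the informer, which cannot be confirmed from the hunk), that assertion panics the controller, so the two-value form `if s, ok := oldObj.(*corev1.Secret); ok { oldSecret = s }` would be safer. handleSecret starts and ends outside the hunk.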
37 changes: 28 additions & 9 deletions pkg/controller/operator.go
Expand Up @@ -210,21 +210,35 @@ func getFileFromSecretDataField(secretData map[string][]byte, key string) ([]byt

// TrustTLSCertificatesInSecretIfChanged Compares old and new secret content and trusts TLS certificates if field
// content is different, looks for the fields public.crt, tls.crt and ca.crt
func (c *Controller) TrustTLSCertificatesInSecretIfChanged(newSecret *corev1.Secret, oldSecret *corev1.Secret) {
func (c *Controller) TrustTLSCertificatesInSecretIfChanged(newSecret *corev1.Secret, oldSecret *corev1.Secret) bool {
added := false
if oldSecret == nil {
// secret did not exist before, we trust all certs in it
c.trustPEMInSecretField(newSecret, certs.PublicCertFile)
c.trustPEMInSecretField(newSecret, certs.TLSCertFile)
c.trustPEMInSecretField(newSecret, certs.CAPublicCertFile)
if c.trustPEMInSecretField(newSecret, certs.PublicCertFile) {
added = true
}
if c.trustPEMInSecretField(newSecret, certs.TLSCertFile) {
added = true
}
if c.trustPEMInSecretField(newSecret, certs.CAPublicCertFile) {
added = true
}
} else {
// compare to add to trust only certs that changed
c.trustIfChanged(newSecret, oldSecret, certs.PublicCertFile)
c.trustIfChanged(newSecret, oldSecret, certs.TLSCertFile)
c.trustIfChanged(newSecret, oldSecret, certs.CAPublicCertFile)
if c.trustIfChanged(newSecret, oldSecret, certs.PublicCertFile) {
added = true
}
if c.trustIfChanged(newSecret, oldSecret, certs.TLSCertFile) {
added = true
}
if c.trustIfChanged(newSecret, oldSecret, certs.CAPublicCertFile) {
added = true
}
}
return added
}

func (c *Controller) trustIfChanged(newSecret *corev1.Secret, oldSecret *corev1.Secret, fieldToCompare string) {
func (c *Controller) trustIfChanged(newSecret *corev1.Secret, oldSecret *corev1.Secret, fieldToCompare string) bool {
if newPublicCert, err := getFileFromSecretDataField(newSecret.Data, fieldToCompare); err == nil {
if oldPublicCert, err := getFileFromSecretDataField(oldSecret.Data, fieldToCompare); err == nil {
newPublicCert = bytes.TrimSpace(newPublicCert)
Expand All @@ -233,6 +247,7 @@ func (c *Controller) trustIfChanged(newSecret *corev1.Secret, oldSecret *corev1.
if !bytes.Equal(oldPublicCert, newPublicCert) {
if err := c.addTLSCertificatesToTrustInTransport(newPublicCert); err == nil {
klog.Infof("Added certificates in field '%s' of '%s/%s' secret to trusted RootCA's", fieldToCompare, newSecret.Namespace, newSecret.Name)
return true
} else {
klog.Errorf("Failed adding certs in field '%s' of '%s/%s' secret: %v", fieldToCompare, newSecret.Namespace, newSecret.Name, err)
}
Expand All @@ -241,22 +256,26 @@ func (c *Controller) trustIfChanged(newSecret *corev1.Secret, oldSecret *corev1.
// If filed was not present in old secret but is in new secret then is an addition, we trust it
if err := c.addTLSCertificatesToTrustInTransport(newPublicCert); err == nil {
klog.Infof("Added certificates in field '%s' of '%s/%s' secret to trusted RootCA's", fieldToCompare, newSecret.Namespace, newSecret.Name)
return true
} else {
klog.Errorf("Failed adding certs in field %s of '%s/%s' secret: %v", fieldToCompare, newSecret.Namespace, newSecret.Name, err)
}
}
}
return false
}

func (c *Controller) trustPEMInSecretField(secret *corev1.Secret, fieldToCompare string) {
func (c *Controller) trustPEMInSecretField(secret *corev1.Secret, fieldToCompare string) bool {
newPublicCert, err := getFileFromSecretDataField(secret.Data, fieldToCompare)
if err == nil {
if err := c.addTLSCertificatesToTrustInTransport(newPublicCert); err == nil {
klog.Infof("Added certificates in field '%s' of '%s/%s' secret to trusted RootCA's", fieldToCompare, secret.Namespace, secret.Name)
return true
} else {
klog.Errorf("Failed adding certs in field '%s' of '%s/%s' secret: %v", fieldToCompare, secret.Namespace, secret.Name, err)
}
}
return false
}

func (c *Controller) addTLSCertificatesToTrustInTransport(certificateData []byte) error {
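Review bot: The new `bool` return from trustIfChanged and trustPEMInSecretField collapses two different outcomes into `false`: the field was unchanged or absent, and the field changed but `addTLSCertificatesToTrustInTransport` failed (the `klog.Errorf` branches that fall through to each `return false`). The caller in handleSecret then logs `No new certificate was added` after a load failure, which reads as a no-op rather than a failed trust update on the CA-handling path, so returning `(bool, error)` from both helpers and propagating the error through TrustTLSCertificatesInSecretIfChanged would let the caller tell the cases apart; the rewrite below shows the shape for trustPEMInSecretField, and trustIfChanged would change the same way. The doc comment on TrustTLSCertificatesInSecretIfChanged (first hunk of this file) was not updated for the new return value; appending `// It reports whether at least one certificate from the secret was added to the trusted roots.` would cover it. trustIfChanged's body spans the three hunks, with lines between them outside the view.

```go
func (c *Controller) trustPEMInSecretField(secret *corev1.Secret, fieldToCompare string) (bool, error) {
	newPublicCert, err := getFileFromSecretDataField(secret.Data, fieldToCompare)
	if err != nil {
		// field not readable from the secret: skipped silently, as before
		return false, nil
	}
	if err := c.addTLSCertificatesToTrustInTransport(newPublicCert); err != nil {
		return false, fmt.Errorf("adding certs in field '%s' of '%s/%s' secret: %w", fieldToCompare, secret.Namespace, secret.Name, err)
	}
	klog.Infof("Added certificates in field '%s' of '%s/%s' secret to trusted RootCA's", fieldToCompare, secret.Namespace, secret.Name)
	return true, nil
}
```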
