From 1e336a1775a70d73b6621c88146aaada57fed5f0 Mon Sep 17 00:00:00 2001
From: pjuarezd
Date: Thu, 23 May 2024 16:15:26 -0700
Subject: [PATCH] enhance notifications when a cert is loaded or not

Signed-off-by: pjuarezd
---
 pkg/controller/main-controller.go | 8 ++++---
 pkg/controller/operator.go | 37 +++++++++++++++++++++++--------
 2 files changed, 33 insertions(+), 12 deletions(-)

diff --git a/pkg/controller/main-controller.go b/pkg/controller/main-controller.go
index 420e8f6d017..b5dac673083 100644
--- a/pkg/controller/main-controller.go
+++ b/pkg/controller/main-controller.go
@@ -1412,13 +1412,15 @@ func (c *Controller) handleSecret(obj interface{}, oldObj interface{}) {
 if secret.Namespace == ns {
 // a secret with prefix "operator-ca-tls" changed, reload all trusted CA certificates
 if strings.HasPrefix(secret.Name, OperatorCATLSSecretName) {
- klog.Infof("secret '%s' found, adding TLS certs in it to trusted CA's", secret.Name)
+ klog.Infof("Secret '%s/%s' changed", secret.Namespace, secret.Name)
 var oldSecret *corev1.Secret
- if oldSecret != nil {
+ if oldObj != nil {
 oldSecret = oldObj.(*corev1.Secret)
 }
 // Add new certificates to Transport Certs if any changed
- c.TrustTLSCertificatesInSecretIfChanged(secret, oldSecret)
+ if !c.TrustTLSCertificatesInSecretIfChanged(secret, oldSecret) {
+ klog.Infof("No new certificate was added from secret '%s/%s'", secret.Name, secret.Name)
+ }
 }
 }
 }
diff --git a/pkg/controller/operator.go b/pkg/controller/operator.go
index c0dbc5ae179..0064441bc1c 100644
--- a/pkg/controller/operator.go
+++ b/pkg/controller/operator.go
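Review bot: The new summary log in the `!c.TrustTLSCertificatesInSecretIfChanged(...)` branch passes `secret.Name` for both `%s` verbs, so the namespace half of `'%s/%s'` prints the secret name; it should read `klog.Infof("No new certificate was added from secret '%s/%s'", secret.Namespace, secret.Name)`. That message also fires when the helper returned false because `addTLSCertificatesToTrustInTransport` failed (the helper logs an error and returns false), so "no new certificate" can mask a failed trust-store update; the wording should at least say "no certificate was added" rather than implying nothing changed. The now-guarded `oldObj.(*corev1.Secret)` is still a single-value assertion, so a non-nil `oldObj` of any other type would panic the handler; `oldSecret, _ = oldObj.(*corev1.Secret)` keeps the nil fallback without that risk. handleSecret starts and ends outside this hunk.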
@@ -210,21 +210,35 @@ func getFileFromSecretDataField(secretData map[string][]byte, key string) ([]byt
 
 // TrustTLSCertificatesInSecretIfChanged Compares old and new secret content and trusts TLS certificates if field
 // content is different, looks for the fields public.crt, tls.crt and ca.crt
-func (c *Controller) TrustTLSCertificatesInSecretIfChanged(newSecret *corev1.Secret, oldSecret *corev1.Secret) {
+func (c *Controller) TrustTLSCertificatesInSecretIfChanged(newSecret *corev1.Secret, oldSecret *corev1.Secret) bool {
+ added := false
 if oldSecret == nil {
 // secret did not exist before, we trust all certs in it
- c.trustPEMInSecretField(newSecret, certs.PublicCertFile)
- c.trustPEMInSecretField(newSecret, certs.TLSCertFile)
- c.trustPEMInSecretField(newSecret, certs.CAPublicCertFile)
+ if c.trustPEMInSecretField(newSecret, certs.PublicCertFile) {
+ added = true
+ }
+ if c.trustPEMInSecretField(newSecret, certs.TLSCertFile) {
+ added = true
+ }
+ if c.trustPEMInSecretField(newSecret, certs.CAPublicCertFile) {
+ added = true
+ }
 } else {
 // compare to add to trust only certs that changed
- c.trustIfChanged(newSecret, oldSecret, certs.PublicCertFile)
- c.trustIfChanged(newSecret, oldSecret, certs.TLSCertFile)
- c.trustIfChanged(newSecret, oldSecret, certs.CAPublicCertFile)
+ if c.trustIfChanged(newSecret, oldSecret, certs.PublicCertFile) {
+ added = true
+ }
+ if c.trustIfChanged(newSecret, oldSecret, certs.TLSCertFile) {
+ added = true
+ }
+ if c.trustIfChanged(newSecret, oldSecret, certs.CAPublicCertFile) {
+ added = true
+ }
 }
+ return added
 }
 
-func (c *Controller) trustIfChanged(newSecret *corev1.Secret, oldSecret *corev1.Secret, fieldToCompare string) {
+func (c *Controller) trustIfChanged(newSecret *corev1.Secret, oldSecret *corev1.Secret, fieldToCompare string) bool {
 if newPublicCert, err := getFileFromSecretDataField(newSecret.Data, fieldToCompare); err == nil {
 if oldPublicCert, err := getFileFromSecretDataField(oldSecret.Data, fieldToCompare); err == nil {
 newPublicCert = bytes.TrimSpace(newPublicCert)
@@ -233,6 +247,7 @@ func (c *Controller) trustIfChanged(newSecret *corev1.Secret, oldSecret *corev1.
 if !bytes.Equal(oldPublicCert, newPublicCert) {
 if err := c.addTLSCertificatesToTrustInTransport(newPublicCert); err == nil {
 klog.Infof("Added certificates in field '%s' of '%s/%s' secret to trusted RootCA's", fieldToCompare, newSecret.Namespace, newSecret.Name)
+ return true
 } else {
 klog.Errorf("Failed adding certs in field '%s' of '%s/%s' secret: %v", fieldToCompare, newSecret.Namespace, newSecret.Name, err)
 }
@@ -241,22 +256,26 @@ func (c *Controller) trustIfChanged(newSecret *corev1.Secret, oldSecret *corev1.
 // If filed was not present in old secret but is in new secret then is an addition, we trust it
 if err := c.addTLSCertificatesToTrustInTransport(newPublicCert); err == nil {
 klog.Infof("Added certificates in field '%s' of '%s/%s' secret to trusted RootCA's", fieldToCompare, newSecret.Namespace, newSecret.Name)
+ return true
 } else {
 klog.Errorf("Failed adding certs in field %s of '%s/%s' secret: %v", fieldToCompare, newSecret.Namespace, newSecret.Name, err)
 }
 }
 }
 }
+ return false
 }
 
-func (c *Controller) trustPEMInSecretField(secret *corev1.Secret, fieldToCompare string) {
+func (c *Controller) trustPEMInSecretField(secret *corev1.Secret, fieldToCompare string) bool {
 newPublicCert, err := getFileFromSecretDataField(secret.Data, fieldToCompare)
 if err == nil {
 if err := c.addTLSCertificatesToTrustInTransport(newPublicCert); err == nil {
 klog.Infof("Added certificates in field '%s' of '%s/%s' secret to trusted RootCA's", fieldToCompare, secret.Namespace, secret.Name)
+ return true
 } else {
 klog.Errorf("Failed adding certs in field '%s' of '%s/%s' secret: %v", fieldToCompare, secret.Namespace, secret.Name, err)
 }
 }
+ return false
 }
 
 func (c *Controller) addTLSCertificatesToTrustInTransport(certificateData []byte) error {
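Review bot: The doc comment above `TrustTLSCertificatesInSecretIfChanged` still describes a function with no result; now that it returns `bool`, the comment should say what that value means, e.g. append `// It returns true when at least one certificate was added to the trusted RootCA's, and false when every field was absent, unchanged, or failed to load.` The six `if c.trust…(…) { added = true }` blocks can each collapse to one line, `added = c.trustPEMInSecretField(newSecret, certs.PublicCertFile) || added`, keeping the helper call on the left so `||` never short-circuits it away (writing `added || c.trust…()` would skip loading later fields once one succeeded). trustIfChanged's body continues past the end of this hunk.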
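Review bot: With `return true` now ending the `err == nil` branch in the `@@ -233,6 +247,7 @@` hunk, the following `} else {` only runs when that branch did not, so the else is redundant and the nesting can be flattened: test `err != nil`, log the `klog.Errorf` and fall through, then log `klog.Infof` and `return true` at the outer level. The same shape appears in both `if`/`else` blocks of the `@@ -241,22 +256,26 @@` hunk (the second branch of trustIfChanged and the body of trustPEMInSecretField), so the same flattening applies there. trustIfChanged begins before and ends after this hunk.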
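Review bot: `trustPEMInSecretField` and `trustIfChanged` now return false both when the field is absent or unchanged and when `addTLSCertificatesToTrustInTransport` fails, so the caller cannot tell "nothing to do" from "a CA in the secret could not be loaded", and a failed trust-store update surfaces only as the informational "no new certificate" message plus a separate error line. Returning `(bool, error)` keeps the new "was anything added" signal while letting `TrustTLSCertificatesInSecretIfChanged` propagate or aggregate failures so the handler can log a failed load at error level, which matters for an event that decides what TLS peers the operator trusts. The shape for `trustPEMInSecretField` is below; `trustIfChanged` would follow the same pattern, and whether a `getFileFromSecretDataField` error only ever means "key missing" should be confirmed before treating it as a non-error.

```go
func (c *Controller) trustPEMInSecretField(secret *corev1.Secret, fieldToCompare string) (bool, error) {
	newPublicCert, err := getFileFromSecretDataField(secret.Data, fieldToCompare)
	if err != nil {
		// Field not present in this secret: nothing to trust, not a failure.
		// NOTE(review): assumes getFileFromSecretDataField only errors on a missing key — confirm.
		return false, nil
	}
	if err := c.addTLSCertificatesToTrustInTransport(newPublicCert); err != nil {
		// Let the caller decide how loudly to report a failed trust-store update.
		return false, err
	}
	klog.Infof("Added certificates in field '%s' of '%s/%s' secret to trusted RootCA's", fieldToCompare, secret.Namespace, secret.Name)
	return true, nil
}
```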