
Consider user-ca-bundle certificates as external
We do not want to regenerate them as they are external to the cluster.

This commit adds ConfigMap/openshift-config:user-ca-bundle
/data/ca-bundle.crt as an additional location that is scanned to determine
which certificates are external and should therefore be ignored.
omertuc committed Oct 31, 2023
1 parent 4649b79 commit 3cf2464
Showing 1 changed file with 25 additions and 15 deletions.
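--- a/src/cluster_crypto/scanning.rs
+++ b/src/cluster_crypto/scanning.rs
@@ -23,26 +23,36 @@ use x509_certificate::X509Certificate;
 pub(crate) async fn discover_external_certs(in_memory_etcd_client: Arc<InMemoryK8sEtcd>) -> Result<()> {
 let mut pem_strings = vec![];
 
-let yaml = get_etcd_json(
-&in_memory_etcd_client,
-&(K8sResourceLocation {
+for location in [
+K8sResourceLocation {
 namespace: Some("openshift-apiserver-operator".into()),
 kind: "ConfigMap".into(),
 apiversion: "v1".into(),
 name: "trusted-ca-bundle".into(),
-}),
-)
-.await
-.context("getting trusted-ca-bundle")?
-.context("not found")?;
+},
+K8sResourceLocation {
+namespace: Some("openshift-config".into()),
+kind: "ConfigMap".into(),
+apiversion: "v1".into(),
+name: "user-ca-bundle".into(),
+},
+] {
+let json = get_etcd_json(&in_memory_etcd_client, &location)
+.await
+.context("getting trusted-ca-bundle")?;
 
-pem_strings.push(
-yaml.pointer("/data/ca-bundle.crt")
-.context("parsing ca-bundle.crt")?
-.as_str()
-.context("must be string")?
-.to_string(),
-);
+if let Some(json) = json {
+pem_strings.push(
+json.pointer("/data/ca-bundle.crt")
+.context("parsing ca-bundle.crt")?
+.as_str()
+.context("must be string")?
+.to_string(),
+);
+} else {
+println!("INFO: {:?} not found, will not be considered in external certs", location);
+}
+}
 
 let yaml = get_etcd_json(
 &in_memory_etcd_client,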
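Review bot: The error context on the `get_etcd_json` call inside the new loop is still the hard-coded string `"getting trusted-ca-bundle"`, so a failure while reading `openshift-config/user-ca-bundle` would be reported as a trusted-ca-bundle problem; since `location` is already in scope, `.with_context(|| format!("getting {:?}", location))?` attributes the failure to the right ConfigMap. Note also that the not-found case is now tolerated (logged and skipped) but a ConfigMap that exists without a `/data/ca-bundle.crt` key still hard-fails through `.context("parsing ca-bundle.crt")?`; if an empty `user-ca-bundle` ConfigMap is a legitimate cluster state (I cannot confirm that from this hunk), it should probably be treated like the missing case rather than aborting the whole scan. Because certificates found here are excluded from regeneration, a short comment above the loop stating that contract, e.g. `// CA bundles listed here are treated as external: their certs are never regenerated, only recognised.`, would make the security consequence of adding further locations explicit. The body of `discover_external_certs` continues past the end of this hunk.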
