From 3cf24642f8f2be08c954566f0b65c6e930133407 Mon Sep 17 00:00:00 2001
From: Omer Tuchfeld
Date: Tue, 31 Oct 2023 13:27:49 +0100
Subject: [PATCH] Consider user-ca-bundle certificates as external

We do not want to regenerate them as they are external to the cluster. This commit adds ConfigMap/openshift-config:user-ca-bundle /data/ca-bundle.crt as a location where we scan to determine which certificates are external and should be ignored
---
 src/cluster_crypto/scanning.rs | 40 +++++++++++++++++++++-------------
 1 file changed, 25 insertions(+), 15 deletions(-)

diff --git a/src/cluster_crypto/scanning.rs b/src/cluster_crypto/scanning.rs
index ea3902d6..d6594d23 100644
--- a/src/cluster_crypto/scanning.rs
+++ b/src/cluster_crypto/scanning.rs
@@ -23,26 +23,36 @@ use x509_certificate::X509Certificate;
 pub(crate) async fn discover_external_certs(in_memory_etcd_client: Arc) -> Result<()> {
 let mut pem_strings = vec![];
 
- let yaml = get_etcd_json(
- &in_memory_etcd_client,
- &(K8sResourceLocation {
+ for location in [
+ K8sResourceLocation {
 namespace: Some("openshift-apiserver-operator".into()),
 kind: "ConfigMap".into(),
 apiversion: "v1".into(),
 name: "trusted-ca-bundle".into(),
- }),
- )
- .await
- .context("getting trusted-ca-bundle")?
- .context("not found")?;
+ },
+ K8sResourceLocation {
+ namespace: Some("openshift-config".into()),
+ kind: "ConfigMap".into(),
+ apiversion: "v1".into(),
+ name: "user-ca-bundle".into(),
+ },
+ ] {
+ let json = get_etcd_json(&in_memory_etcd_client, &location)
+ .await
+ .context("getting trusted-ca-bundle")?;
 
- pem_strings.push(
- yaml.pointer("/data/ca-bundle.crt")
- .context("parsing ca-bundle.crt")?
- .as_str()
- .context("must be string")?
- .to_string(),
- );
+ if let Some(json) = json {
+ pem_strings.push(
+ json.pointer("/data/ca-bundle.crt")
+ .context("parsing ca-bundle.crt")?
+ .as_str()
+ .context("must be string")?
+ .to_string(),
+ );
+ } else {
+ println!("INFO: {:?} not found, will not be considered in external certs", location);
+ }
+ }
 
 let yaml = get_etcd_json(
 &in_memory_etcd_client,
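Review bot: The error context inside the new loop is still the fixed string `.context("getting trusted-ca-bundle")?` for both locations, so a failed fetch of user-ca-bundle would be reported under the wrong ConfigMap name; derive it from the location instead, e.g. `.with_context(|| format!("getting {:?}", location))?`, and do the same for the `"parsing ca-bundle.crt"` and `"must be string"` contexts below it. The rewrite also turns a missing trusted-ca-bundle from a hard failure (the dropped `.context("not found")?`) into an INFO println, which fits the optional user-ca-bundle but, if the operator's trusted-ca-bundle is expected to always be present, silently weakens the external-cert detection that decides which certificates are left untouched — consider keeping the not-found error for that location, or at least emitting it as a warning rather than INFO. The body of discover_external_certs continues past the end of the hunk.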