Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Koperator can handle intermediate and leaf certificates in generated kafkaUser's TLS certificate #843

Merged
merged 4 commits into from Aug 2, 2022
Merged

Koperator can handle intermediate and leaf certificates in generated kafkaUser's TLS certificate #843

merged 4 commits into from Aug 2, 2022

Conversation

bartam1
Copy link
Contributor

@bartam1 bartam1 commented Aug 1, 2022

Q A
Bug fix? yes
New feature? no
API breaks? no
Deprecations? no
Related tickets fixes #834
License Apache 2.0

What's in this PR?

It fixes bug in the kafkaUser reconcile when trying to get Distinguish Name from the generated TLS certificate.

Why?

When the generated TLS certificate contains intermediate certificates, not only the leaf certificate, the Koperator gets panic because of nil pointer dereference.

Checklist

  • Implementation tested
  • Error handling code meets the guideline
  • Logging code meets the guideline
  • User guide and development docs updated (if needed)

@bartam1 bartam1 requested a review from a team as a code owner August 1, 2022 14:40
stoader
stoader requested changes Aug 1, 2022
View reviewed changes
controllers/kafkauser_controller.go Outdated Show resolved Hide resolved
@bartam1 bartam1 requested review from panyuenlau, stoader and a team August 1, 2022 16:59
panyuenlau
panyuenlau previously approved these changes Aug 2, 2022
View reviewed changes
pregnor
pregnor previously approved these changes Aug 2, 2022
View reviewed changes
Copy link
Member

@pregnor pregnor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, this was a surprisingly straightforward fix.

controllers/kafkauser_controller.go Outdated
@@ -238,7 +238,13 @@ func (r *KafkaUserReconciler) Reconcile(ctx context.Context, request reconcile.R
return requeueWithError(reqLogger, "failed to reconcile user secret", err)
}
}
kafkaUser = user.DN()
kafkaUser, err = user.DN()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: we need to rename that function for public interface clarity purposes....

pkg/util/pki/common.go
return cert.Subject.String()
cert, err := certutil.DecodeCertificate(u.Certificate)
if err != nil {
return "", err
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question: wouldn't it be better to wrap the error with some content information (we are doing this in KafkaUser DistinguishedName retrieval), IMO it would help with debug clarification.
(These cases I always have the os.Open() errors in mind where the non-existing path object error is no such file or directory, but the path itself is not included - although that would be a detail, not a wrapping, but I mean the contextual information in general).

Copy link
Member

@stoader stoader Aug 2, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if any useful information is available here that could be added to the error context. The caller can add more details to the error like the KafkaUser custom resources name (https://github.com/banzaicloud/koperator/pull/843/files#diff-2b2cc6c6efb0a3a4b49078c08a64ff936f6d02a73543d0c8f98a7b9b0c4f2a2eR243)

Maybe a more descriptive error message could help here errors.WrapIfWithDetails(err, "couldn't decode KafkaUser certificate", "cert", string(u.Certificate))

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I meant an error message to narrow the context from generic certificate error to KafkaUser DistringuishedName determination certificate error

Copy link
Contributor Author

@bartam1 bartam1 Aug 2, 2022
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error log message already contains the kafkauser name, namespace.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reconciler dumps the stacktrace.

@bartam1 bartam1 dismissed stale reviews from pregnor and panyuenlau via 3fb43bc August 2, 2022 08:43
@bartam1 bartam1 merged commit ecce211 into master Aug 2, 2022
@bartam1 bartam1 deleted the fixsslmulticert branch August 2, 2022 11:50
@bartam1 bartam1 mentioned this pull request Aug 2, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pregnor pregnor pregnor left review comments

@stoader stoader stoader approved these changes

@panyuenlau panyuenlau panyuenlau approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@bartam1 @stoader @pregnor @panyuenlau