Return certificate chain for export cert #8147
Conversation
Force-pushed d7148c2 to bfd4abc.
/test pull-kubevirt-unit-test
Force-pushed bfd4abc to 62f936c.
@@ -1027,10 +1027,20 @@ func (ctrl *VMExportController) findCertByHostName(hostName string, certs []*x50 | |||
return "", nil | |||
} | |||
|
|||
func buildPemFromCert(cert *x509.Certificate) string { | |||
func (ctrl *VMExportController) buildPemFromCert(matchingCert *x509.Certificate, allCerts []*x509.Certificate) (string, error) { |
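Review bot: the new signature `func (ctrl *VMExportController) buildPemFromCert(matchingCert *x509.Certificate, allCerts []*x509.Certificate) (string, error)` adds an error return, but nothing visible in the hunk says which outcome of the chain walk is the error case. The commit message says the lookup stops either at the root CA or when nothing else can be found in the config map; a chain that stops at an intermediate cannot be verified by the export's consumer, so a doc comment on this function should state whether that case yields an error or a successful partial PEM, and the caller should be able to tell the two apart. Also, the unchanged `return "", nil` at the end of findCertByHostName reports "no match" as an empty string with a nil error, so a caller that only checks the error will treat a missing certificate as success; a comment on that return, or a sentinel error, would make the not-found contract explicit before the new chain logic builds on it.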
How does this code handle the case when there may be multiple entries for the same hostname? This will happen when certs are rotated. I think it will just return the first encountered? But what if that's an old one that will expire soon? Will the export get updated? I know these questions are not entirely related to the changes in this PR.
Yeah, we definitely don't take rotation into account currently. I suppose the bundle could contain multiple certs with the same name. I guess if multiple are valid, I should return the one with the expiry that is furthest into the future?
Sure, but do we have to watch whatever source we got the cert from so that we catch updates/rotation?
Force-pushed 62f936c to 9be024a.
Force-pushed 9be024a to 235d3b0.
Force-pushed 235d3b0 to 5d1d185.
Force-pushed 5d1d185 to 4e88af3.
Before we returned just the found certificate and not the entire chain. To properly verify the certificate you must have the entire chain. This commit looks up the chain until either we find the root CA or we can't find anything else in the config map.

Signed-off-by: Alexander Wels <awels@redhat.com>
Force-pushed 4e88af3 to 65cd4d1.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mhenriks The full list of commands accepted by this bot can be found here. The pull request process is described here
/retest-required
/retest-required
@awels: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/retest-required
@awels: cannot checkout
/cherrypick release-0.58
@awels: new pull request created: #8637
Signed-off-by: Alexander Wels awels@redhat.com
What this PR does / why we need it:
Before we returned just the found certificate and not the entire chain. To properly verify the certificate you must have the entire chain. This commit looks up the chain until either we find the root CA or we can't find anything else in the config map.
Also checking the OnBefore and OnAfter times to figure out which cert is the most valid in case of a cert rotation and the bundle containing multiple valid certificates.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged): Fixes #
Special notes for your reviewer:
Release note:
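The two behaviours discussed in this PR, picking the newest valid certificate for a hostname when a rotated bundle still carries the old one (the review thread above and the validity-time check in the description, which uses the x509.Certificate NotBefore/NotAfter fields that the description calls OnBefore/OnAfter), and walking from that leaf up to the root CA or stopping when the bundle has nothing further, as one added Go example. This is not kubevirt's code: the names findCertByHostName, buildChain, pemChain, issue, constructedBundle and exportHost are assumed for illustration (findCertByHostName shares its name with the PR's helper but is a separate implementation), the bundle is built in-process from constructed throwaway ECDSA keys instead of being read from a ConfigMap, and the chain walk goes slightly beyond the PR's description by requiring each candidate issuer to have actually signed the current certificate rather than just carrying a matching name, and by returning the partial chain explicitly when no issuer is found so the caller can decide whether that is an error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const exportHost = "virt-export.example.test" // constructed hostname for the fixture
var nextSerial int64                          // fixture serial counter

// findCertByHostName returns the non-CA entry for hostName that is valid at now and
// expires last, so a bundle still carrying the pre-rotation cert yields the new one.
// It returns nil when no usable cert exists (expired and not-yet-valid certs are skipped).
func findCertByHostName(hostName string, certs []*x509.Certificate, now time.Time) *x509.Certificate {
	var best *x509.Certificate
	for _, c := range certs {
		usable := !c.IsCA && c.VerifyHostname(hostName) == nil && !now.Before(c.NotBefore) && !now.After(c.NotAfter)
		if usable && (best == nil || c.NotAfter.After(best.NotAfter)) {
			best = c
		}
	}
	return best
}

// buildChain walks leaf -> ... -> root. Each hop needs a CA entry that actually
// signed the current cert (a matching issuer name is not enough). It stops at a
// self-signed root, or with the partial chain when the bundle holds no issuer.
func buildChain(leaf *x509.Certificate, bundle []*x509.Certificate) []*x509.Certificate {
	chain := []*x509.Certificate{leaf}
	seen := map[string]bool{string(leaf.Raw): true} // guards against cross-signing loops
	for cur := leaf; cur.CheckSignatureFrom(cur) != nil; {
		var issuer *x509.Certificate
		for _, c := range bundle {
			if c.IsCA && !seen[string(c.Raw)] && cur.CheckSignatureFrom(c) == nil {
				issuer = c
				break
			}
		}
		if issuer == nil {
			return chain // root not in bundle; the caller decides whether that is an error
		}
		seen[string(issuer.Raw)] = true
		chain, cur = append(chain, issuer), issuer
	}
	return chain
}

// pemChain serialises the chain leaf-first, the order TLS clients expect.
func pemChain(chain []*x509.Certificate) (out string) {
	for _, c := range chain {
		out += string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
	}
	return out
}

// Fixture code (constructed, panics on error): a root, an intermediate and three
// leaves for the same host: expired, expiring in a week, and freshly rotated.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a cert for cn valid in [nb, na]; parent == nil means self-signed.
func issue(cn string, isCA bool, nb, na time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	nextSerial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(nextSerial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageCertSign}
	if !isCA {
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func constructedBundle(now time.Time) []*x509.Certificate {
	day, nb := 24*time.Hour, now.Add(-30*24*time.Hour)
	root, rootKey := issue("export-root", true, nb, now.Add(3650*day), nil, nil)
	inter, interKey := issue("export-intermediate", true, nb, now.Add(1825*day), root, rootKey)
	bundle := []*x509.Certificate{inter, root}
	for _, ttl := range []time.Duration{-day, 7 * day, 365 * day} {
		leaf, _ := issue(exportHost, false, nb, now.Add(ttl), inter, interKey)
		bundle = append(bundle, leaf)
	}
	return bundle
}

func main() {
	now := time.Now()
	bundle := constructedBundle(now)
	fmt.Print(pemChain(buildChain(findCertByHostName(exportHost, bundle, now), bundle)))
}
```

Matching issuers by CheckSignatureFrom rather than by Issuer/Subject name is the safer choice for a bundle that has been through a rotation: the old and new intermediates usually share a subject name, and a name-based walk can pick the one that did not sign the leaf, producing a chain that looks complete but fails verification. The question raised in the thread about watching the source for rotation is not addressed here; this code only makes a single lookup against whatever bundle it is handed.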