Merged
84 changes: 46 additions & 38 deletions glide.lock


2 changes: 1 addition & 1 deletion manifests/07_deployment.yaml
@@ -30,7 +30,7 @@ spec:
echo "Copying system trust bundle"
cp -f /var/run/configmaps/trusted-ca-bundle/ca-bundle.crt /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
fi
exec authentication-operator operator --config=/var/run/configmaps/config/operator-config.yaml --v=2 --terminate-on-files=/var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem
exec authentication-operator operator --config=/var/run/configmaps/config/operator-config.yaml --v=2 --terminate-on-files=/var/run/configmaps/trusted-ca-bundle/ca-bundle.crt
resources:
requests:
memory: 50Mi
16 changes: 15 additions & 1 deletion pkg/operator2/operator.go
@@ -1,6 +1,7 @@
package operator2

import (
"bytes"
"encoding/json"
"fmt"
"io/ioutil"
@@ -171,6 +172,8 @@ type authOperator struct {
apiserver configv1client.APIServerInterface
proxy configv1client.ProxyInterface

systemCABundle []byte

resourceSyncer resourcesynccontroller.ResourceSyncer
}

@@ -214,6 +217,12 @@ func NewAuthenticationOperator(
resourceSyncer: resourceSyncer,
}

systemCABytes, err := ioutil.ReadFile("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")
if err != nil {
klog.Warningf("Unable to read system CA from /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem: %v", err)
}
c.systemCABundle = systemCABytes

coreInformers := kubeInformersNamespaced.Core().V1()
configV1Informers := configInformers.Config().V1()

@@ -521,7 +530,12 @@ func (c *authOperator) checkDeploymentReady(deployment *appsv1.Deployment, opera
func (c *authOperator) checkRouteHealthy(route *routev1.Route, routerSecret *corev1.Secret, ingress *configv1.Ingress) (ready bool, msg, reason string, err error) {
caData := routerSecretToCA(route, routerSecret, ingress)

rt, err := transportFor("", caData, nil, nil)
// if systemCABundle is not empty, append the new line to the caData
if len(c.systemCABundle) > 0 {
caData = append(bytes.TrimSpace(caData), []byte("\n")...)
nit: no need to trim the spaces here, there can be multiple empty lines between the certs
https://goplay.space/#2tCqSuOBWJL

}

rt, err := transportFor("", append(caData, c.systemCABundle...), nil, nil)
if err != nil {
return false, "", "FailedTransport", fmt.Errorf("failed to build transport for route: %v", err)
}
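Review bot: In checkRouteHealthy, both `append(bytes.TrimSpace(caData), ...)` and the later `append(caData, c.systemCABundle...)` can write into the backing array of the slice returned by routerSecretToCA. That helper is not visible here, but if it hands back the secret's bytes from the informer cache, a trimmed trailing byte would be overwritten in a shared object. Building a fresh slice avoids this, for example `caData = bytes.Join([][]byte{caData, c.systemCABundle}, []byte("\n"))` inside the `len(c.systemCABundle) > 0` branch, followed by `transportFor("", caData, nil, nil)`. The comment above the branch should say why the system bundle is trusted for the route check, and that a failed read in NewAuthenticationOperator only logs a warning and leaves the check on the router CA alone. The body of checkRouteHealthy continues past the end of this hunk.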