OCPBUGS-24176: Ignore invalid PEM blocks

[kyrtapz]

Copy of #2141 as I was unable to make the the tide happy...
@trozet please approve again.

Previously, the CertificateData function would error out when unable to decode the next PEM block, causing issues with files containing empty lines at the end.

This causes problems for HyperShift clusters with a management cluster that uses the legacyVulnerableCABundle:
https://github.com/openshift/service-ca-operator/blob/fe887613d031435fb0c76eb397764ba68fe09014/pkg/controller/cabundleinjector/starter.go#L30C5-L35
https://github.com/openshift/service-ca-operator/blob/fe887613d031435fb0c76eb397764ba68fe09014/pkg/controller/cabundleinjector/starter.go#L72

This change addresses the problem by using crypto.CertsFromPEM from library-go, which returns early when it cannot decode the next PEM block without throwing an error.

[openshift-ci-robot]

@kyrtapz: This pull request references Jira Issue OCPBUGS-24176, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.16.0) matches configured target version for branch (4.16.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (heli@redhat.com), skipping review request.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Copy of #2141 as I was unable to make the the tide happy...
@trozet please approve again.

Previously, the CertificateData function would error out when unable to decode the next PEM block, causing issues with files containing empty lines at the end.

This causes problems for HyperShift clusters with a management cluster that uses the legacyVulnerableCABundle:
https://github.com/openshift/service-ca-operator/blob/fe887613d031435fb0c76eb397764ba68fe09014/pkg/controller/cabundleinjector/starter.go#L30C5-L35
https://github.com/openshift/service-ca-operator/blob/fe887613d031435fb0c76eb397764ba68fe09014/pkg/controller/cabundleinjector/starter.go#L72

This change addresses the problem by using crypto.CertsFromPEM from library-go, which returns early when it cannot decode the next PEM block without throwing an error.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[trozet]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kyrtapz, trozet

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [trozet]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD d0ce194 and 2 for PR HEAD 987f17f in total

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 149ea71 and 1 for PR HEAD 987f17f in total

[openshift-ci]

@kyrtapz: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec	987f17f	link	false	/test e2e-metal-ipi-ovn-ipv6-ipsec
ci/prow/e2e-openstack-ovn	987f17f	link	false	/test e2e-openstack-ovn
ci/prow/4.16-upgrade-from-stable-4.15-e2e-gcp-ovn-upgrade	987f17f	link	false	/test 4.16-upgrade-from-stable-4.15-e2e-gcp-ovn-upgrade
ci/prow/e2e-ovn-step-registry	987f17f	link	false	/test e2e-ovn-step-registry
ci/prow/e2e-vsphere-ovn-dualstack	987f17f	link	false	/test e2e-vsphere-ovn-dualstack
ci/prow/e2e-vsphere-ovn-dualstack-primaryv6	987f17f	link	false	/test e2e-vsphere-ovn-dualstack-primaryv6
ci/prow/e2e-aws-ovn-shared-to-local-gateway-mode-migration-periodic	987f17f	link	false	/test e2e-aws-ovn-shared-to-local-gateway-mode-migration-periodic

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-ci-robot]

@kyrtapz: Jira Issue OCPBUGS-24176: All pull requests linked via external trackers have merged:

• openshift/cluster-network-operator#2178

Jira Issue OCPBUGS-24176 has been moved to the MODIFIED state.

In response to this:

Copy of #2141 as I was unable to make the the tide happy...
@trozet please approve again.

Previously, the CertificateData function would error out when unable to decode the next PEM block, causing issues with files containing empty lines at the end.

This causes problems for HyperShift clusters with a management cluster that uses the legacyVulnerableCABundle:
https://github.com/openshift/service-ca-operator/blob/fe887613d031435fb0c76eb397764ba68fe09014/pkg/controller/cabundleinjector/starter.go#L30C5-L35
https://github.com/openshift/service-ca-operator/blob/fe887613d031435fb0c76eb397764ba68fe09014/pkg/controller/cabundleinjector/starter.go#L72

This change addresses the problem by using crypto.CertsFromPEM from library-go, which returns early when it cannot decode the next PEM block without throwing an error.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

This PR has been included in build cluster-network-operator-container-v4.16.0-202312220131.p0.g9fdafaa.assembly.stream for distgit cluster-network-operator.
All builds following this will include this PR.

[openshift-merge-robot]

Fix included in accepted release 4.16.0-0.nightly-2024-01-09-085011