
Commit 551e847

committed
Work through sources
Signed-off-by: Erik Godding Boye <[email protected]>
1 parent ee128a7 commit 551e847

2 files changed

+22
-38
lines changed


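--- a/pkg/bundle/bundle.go
+++ b/pkg/bundle/bundle.go
@@ -116,7 +116,7 @@ func (b *bundle) reconcileBundle(ctx context.Context, req ctrl.Request) (statusP
 statusPatch = &trustapi.BundleStatus{
 DefaultCAPackageVersion: bundle.Status.DefaultCAPackageVersion,
 }
-resolvedBundle, err := b.bundleBuilder.BuildBundle(ctx, bundle.Spec.Sources)
+resolvedBundle, err := b.bundleBuilder.BuildBundle(ctx, bundle.Spec)
 
 if err != nil {
 var reason, message string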

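--- a/pkg/bundle/internal/source/source.go
+++ b/pkg/bundle/internal/source/source.go
@@ -28,7 +28,6 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 logf "sigs.k8s.io/controller-runtime/pkg/log"
 
-trustapi "github.com/cert-manager/trust-manager/pkg/apis/trust/v1alpha1"
 "github.com/cert-manager/trust-manager/pkg/bundle/controller"
 "github.com/cert-manager/trust-manager/pkg/fspkg"
 "github.com/cert-manager/trust-manager/pkg/util"
@@ -61,7 +60,7 @@ type BundleBuilder struct {
 
 // BuildBundle retrieves and concatenates all source bundle data for this Bundle object.
 // Each source data is validated and pruned to ensure that all certificates within are valid.
-func (b *BundleBuilder) BuildBundle(ctx context.Context, sources []trustapi.BundleSource) (BundleData, error) {
+func (b *BundleBuilder) BuildBundle(ctx context.Context, spec trustmanagerapi.BundleSpec) (BundleData, error) {
 var resolvedBundle BundleData
 resolvedBundle.CertPool = util.NewCertPool(
 util.WithFilteredExpiredCerts(b.FilterExpiredCerts),
@@ -82,14 +81,14 @@ func (b *BundleBuilder) BuildBundle(ctx context.Context, sources []trustapi.Bund
 panic(fmt.Sprintf("don't know how to process source of kind: %q", source.Kind))
 }
 
-if err := certSource.addToCertPool(ctx, certPool); err != nil {
+if err := certSource.addToCertPool(ctx, resolvedBundle.CertPool); err != nil {
 return BundleData{}, err
 }
 }
 
 if spec.InLineCAs != nil {
 certSource := &inlineBundleSource{*spec.InLineCAs}
-if err := certSource.addToCertPool(ctx, certPool); err != nil {
+if err := certSource.addToCertPool(ctx, resolvedBundle.CertPool); err != nil {
 return BundleData{}, err
 }
 }
@@ -183,20 +182,13 @@ func (b configMapBundleSource) addToCertPool(ctx context.Context, pool *util.Cer
 }
 
 for _, cm := range configMaps {
-if len(b.ref.Key) > 0 {
-data, ok := cm.Data[b.ref.Key]
-if !ok {
-return NotFoundError{fmt.Errorf("no data found in ConfigMap %s/%s at key %q", cm.Namespace, cm.Name, b.ref.Key)}
-}
-if err := pool.AddCertsFromPEM([]byte(data)); err != nil {
-return InvalidPEMError{fmt.Errorf("invalid PEM data in ConfigMap %s/%s at key %q: %w", cm.Namespace, cm.Name, b.ref.Key, err)}
-}
-} else if b.ref.IncludeAllKeys {
-for key, data := range cm.Data {
-if err := pool.AddCertsFromPEM([]byte(data)); err != nil {
-return InvalidPEMError{fmt.Errorf("invalid PEM data in ConfigMap %s/%s at key %q: %w", cm.Namespace, cm.Name, key, err)}
-}
-}
+// TODO: Find matching keys
+data, ok := cm.Data[b.ref.Key]
+if !ok {
+return NotFoundError{fmt.Errorf("no data found in ConfigMap %s/%s at key %q", cm.Namespace, cm.Name, b.ref.Key)}
+}
+if err := pool.AddCertsFromPEM([]byte(data)); err != nil {
+return InvalidPEMError{fmt.Errorf("invalid PEM data in ConfigMap %s/%s at key %q: %w", cm.Namespace, cm.Name, b.ref.Key, err)}
 }
 }
 return nil
@@ -246,25 +238,17 @@ func (b secretBundleSource) addToCertPool(ctx context.Context, pool *util.CertPo
 }
 
 for _, secret := range secrets {
-if len(b.ref.Key) > 0 {
-data, ok := secret.Data[b.ref.Key]
-if !ok {
-return NotFoundError{fmt.Errorf("no data found in Secret %s/%s at key %q", secret.Namespace, secret.Name, b.ref.Key)}
-}
-if err := pool.AddCertsFromPEM(data); err != nil {
-return InvalidPEMError{fmt.Errorf("invalid PEM data in Secret %s/%s at key %q: %w", secret.Namespace, secret.Name, b.ref.Key, err)}
-}
-} else if b.ref.IncludeAllKeys {
-// This is done to prevent mistakes. All keys should never be included for a TLS secret, since that would include the private key.
-if secret.Type == corev1.SecretTypeTLS {
-return InvalidSecretError{fmt.Errorf("includeAllKeys is not supported for TLS Secrets such as %s/%s", secret.Namespace, secret.Name)}
-}
-
-for key, data := range secret.Data {
-if err := pool.AddCertsFromPEM(data); err != nil {
-return InvalidPEMError{fmt.Errorf("invalid PEM data in Secret %s/%s at key %q: %w", secret.Namespace, secret.Name, key, err)}
-}
-}
+// This is done to prevent mistakes. All keys should never be included for a TLS secret, since that would include the private key.
+if secret.Type == corev1.SecretTypeTLS && b.ref.Key == "*" {
+return InvalidSecretError{fmt.Errorf("including all keys is not supported for TLS Secrets such as %s/%s", secret.Namespace, secret.Name)}
+}
+// TODO: Find matching keys
+data, ok := secret.Data[b.ref.Key]
+if !ok {
+return NotFoundError{fmt.Errorf("no data found in Secret %s/%s at key %q", secret.Namespace, secret.Name, b.ref.Key)}
+}
+if err := pool.AddCertsFromPEM(data); err != nil {
+return InvalidPEMError{fmt.Errorf("invalid PEM data in Secret %s/%s at key %q: %w", secret.Namespace, secret.Name, b.ref.Key, err)}
 }
 }
 return nil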
