Ensure that chain is copied in full to route #122

wants to merge 1 commit into
base: main
19 changes: 15 additions & 4 deletions internal/controller/sync.go
Expand Up @@ -567,11 +567,18 @@ func (r *RouteController) populateRoute(ctx context.Context, route *routev1.Rout
}
key = k

certificate, err := utilpki.DecodeX509CertificateBytes(secret.Data["tls.crt"])
certificates, err := utilpki.DecodeX509CertificateChainBytes(secret.Data["tls.crt"])
if err != nil {
return err
}
matches, err := utilpki.PublicKeyMatchesCertificate(key.Public(), certificate)

if len(certificates) == 0 {
// this shouldn't happen; DecodeX509CertificateChainBytes should error in this situation
// but just in case, catch this case so we don't panic when accessing certificates[0]
return fmt.Errorf("found no valid certs from DecodeX509CertificateChainBytes")
}

matches, err := utilpki.PublicKeyMatchesCertificate(key.Public(), certificates[0])
if err != nil {
return err
}
Expand All @@ -585,16 +592,20 @@ func (r *RouteController) populateRoute(ctx context.Context, route *routev1.Rout
InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
}
}

encodedKey, err := utilpki.EncodePrivateKey(key, cmapi.PKCS1)
if err != nil {
return err
}

route.Spec.TLS.Key = string(encodedKey)
encodedCert, err := utilpki.EncodeX509(certificate)

encodedCerts, err := utilpki.EncodeX509Chain(certificates)
if err != nil {
return err
}
route.Spec.TLS.Certificate = string(encodedCert)

route.Spec.TLS.Certificate = string(encodedCerts)

_, err = r.routeClient.RouteV1().Routes(route.Namespace).Update(ctx, route, metav1.UpdateOptions{})
return err
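Review bot: The PEM produced by `utilpki.EncodeX509Chain` is assigned to `route.Spec.TLS.Certificate` without checking that it is non-empty, whereas the decode side a hunk earlier does guard `len(certificates) == 0`. If the vendored cert-manager release is one whose EncodeX509Chain skips self-signed certificates (some releases do, which I cannot confirm from here), a Secret holding a self-signed leaf would produce an empty chain and the Update call below would clear the Route's serving certificate instead of failing. A symmetric guard before the assignment, `if len(encodedCerts) == 0 { return fmt.Errorf("encoded certificate chain is empty") }`, keeps the input and output checks consistent. In the first hunk a short comment on `certificates[0]`, e.g. `// the leaf is expected first; the key-match check below enforces this`, would make the ordering assumption explicit. populateRoute begins before the first hunk and continues past this one.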
31 changes: 28 additions & 3 deletions test/test-smoke.sh
Expand Up @@ -20,7 +20,8 @@ set -o pipefail

YQ=${1:-yq}

# Create a self-signed CA certificate and Issuer
# Create a self-signed root CA certificate and Issuer
# Then create an intermediate CA and issuer

cat <<EOF | kubectl apply -f -
---
Expand Down Expand Up @@ -50,10 +51,34 @@ spec:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: my-ca-issuer
name: my-root-issuer
spec:
ca:
secretName: root-secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: my-intermediate-ca
spec:
isCA: true
commonName: my-intermediate-ca
secretName: intermediate-secret
privateKey:
algorithm: RSA
size: 2048
issuerRef:
name: my-root-issuer
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: my-ca-issuer
spec:
ca:
secretName: intermediate-secret
EOF

# Create a Route and patch the status with multiple hosts
Expand Down Expand Up @@ -126,7 +151,7 @@ kubectl patch route "$route_name" --type=merge --subresource=status -p="$patch"
# Wait for the certificate to be issued
SLEEP_TIME=2

for _ in {1..10}; do
for _ in {1..30}; do
certificate=$(kubectl get route "$route_name" -o jsonpath='{.spec.tls.certificate}')
if [ "$certificate" != "" ]; then
break
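Review bot: The wait loop only polls until `.spec.tls.certificate` is non-empty, so the intermediate Issuer and Certificate added in the earlier hunk are never shown to reach the Route, which is the behaviour this PR is meant to prove. Unless a later part of the script already does so, add after the loop `[ "$(printf '%s' "$certificate" | grep -c 'BEGIN CERTIFICATE')" -eq 2 ] || { echo "expected leaf and intermediate in route certificate" >&2; exit 1; }`. The loop body continues past this hunk, so I cannot see whether exhausting the 30 attempts fails the script rather than falling through with an empty value; with the count now tripled, an explicit timeout failure is worth confirming.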