From d9115296a2249e2ce33dfc84277cfd11ce8e6de1 Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Fri, 21 Jul 2023 02:06:02 +0200 Subject: [PATCH] Backport of https://github.com/knative-sandbox/control-protocol/commit/06411c45a53ad168e53e3b6ba079661bc042c019 (#390) --- .../011-backport-control-protocol-fix.patch | 62 +++++++++++++++++++ .../certificates/reconciler/certificates.go | 17 +++-- 2 files changed, 73 insertions(+), 6 deletions(-) create mode 100644 openshift/patches/011-backport-control-protocol-fix.patch diff --git a/openshift/patches/011-backport-control-protocol-fix.patch b/openshift/patches/011-backport-control-protocol-fix.patch new file mode 100644 index 000000000000..2e6d62bf1b99 --- /dev/null +++ b/openshift/patches/011-backport-control-protocol-fix.patch 
@@ -0,0 +1,62 @@
+diff --git a/vendor/knative.dev/control-protocol/pkg/certificates/reconciler/certificates.go b/vendor/knative.dev/control-protocol/pkg/certificates/reconciler/certificates.go
+--- a/vendor/knative.dev/control-protocol/pkg/certificates/reconciler/certificates.go (revision 6cb6874ffcb27d8030025cd9a965cf942d105a86)
++++ b/vendor/knative.dev/control-protocol/pkg/certificates/reconciler/certificates.go (date 1689835003162)
+@@ -17,6 +17,7 @@
+ package sample
+
+ import (
++ "bytes"
+ "context"
+ "crypto/rsa"
+ "crypto/x509"
+@@ -89,7 +90,7 @@
+ r.logger.Errorf("Error accessing CA certificate secret %q %q: %v", system.Namespace(), r.caSecretName, err)
+ return err
+ }
+- caCert, caPk, err := parseAndValidateSecret(caSecret, false)
++ caCert, caPk, err := parseAndValidateSecret(caSecret, nil)
+ if err != nil {
+ r.logger.Infof("CA cert invalid: %v", err)
+
+@@ -118,7 +119,7 @@
+ return fmt.Errorf("unknown cert type: %v", r.secretTypeLabelName)
+ }
+
+- cert, _, err := parseAndValidateSecret(secret, true, sans...)
++ cert, _, err := parseAndValidateSecret(secret, caSecret.Data[certificates.SecretCertKey], sans...)
+ if err != nil {
+ r.logger.Infof("Secret invalid: %v", err)
+ // Check the secret to reconcile type
+@@ -144,7 +145,7 @@
+ }
+
+ // All sans provided are required to be lower case
+-func parseAndValidateSecret(secret *corev1.Secret, shouldContainCaCert bool, sans ...string) (*x509.Certificate, *rsa.PrivateKey, error) {
++func parseAndValidateSecret(secret *corev1.Secret, caCert []byte, sans ...string) (*x509.Certificate, *rsa.PrivateKey, error) {
+ certBytes, ok := secret.Data[certificates.SecretCertKey]
+ if !ok {
+ return nil, nil, fmt.Errorf("missing cert bytes")
+@@ -153,10 +154,14 @@
+ if !ok {
+ return nil, nil, fmt.Errorf("missing pk bytes")
+ }
+- if shouldContainCaCert {
+- if _, ok := secret.Data[certificates.SecretCaCertKey]; !ok {
++ if caCert != nil {
++ ca, ok := secret.Data[certificates.SecretCaCertKey]
++ if !ok {
+ return nil, nil, fmt.Errorf("missing ca cert bytes")
+ }
++ if !bytes.Equal(ca, caCert) {
++ return nil, nil, fmt.Errorf("ca cert bytes changed")
++ }
+ }
+
+ cert, caPk, err := certificates.ParseCert(certBytes, pkBytes)
+@@ -210,4 +215,4 @@
+
+ _, hasLabel := secret.Labels[r.secretTypeLabelName]
+ return hasLabel
+-}
++}
+\ No newline at end of file
diff --git a/vendor/knative.dev/control-protocol/pkg/certificates/reconciler/certificates.go b/vendor/knative.dev/control-protocol/pkg/certificates/reconciler/certificates.go
index c6687a81ba13..a239dd77ad0b 100644
--- a/vendor/knative.dev/control-protocol/pkg/certificates/reconciler/certificates.go
+++ b/vendor/knative.dev/control-protocol/pkg/certificates/reconciler/certificates.go
@@ -17,6 +17,7 @@ limitations under the License.
 package sample
 
 import (
+ "bytes"
 "context"
 "crypto/rsa"
 "crypto/x509"
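Review bot: `parseAndValidateSecret` now treats `caCert == nil` as "skip the CA comparison", but `ReconcileKind` passes `caSecret.Data[certificates.SecretCertKey]` straight from the map, so an absent key yields nil and silently disables the check instead of rejecting the leaf secret; the earlier `parseAndValidateSecret(caSecret, nil)` call does fail on a missing cert key, so this only bites if the "CA cert invalid" branch (outside the hunk) continues without refreshing `caSecret.Data`, which I cannot confirm from here. Making the contract explicit in a doc comment would help, e.g. `// caCert, when non-nil, is the current CA certificate bytes; the secret's certificates.SecretCaCertKey entry must match it byte-for-byte or the secret is reported invalid so it gets re-issued. Pass nil only when validating the CA secret itself.` Because the comparison is `bytes.Equal` on raw bytes, a re-encoded but otherwise identical CA also yields "ca cert bytes changed" and a re-issue, which is the safe direction but worth stating. The parameter name `caCert` also overlaps with the `*x509.Certificate` variable of the same name in `ReconcileKind`; `caCertBytes` would read clearer. Both enclosing functions start and end outside the hunk, and the final `@@ -210,4 +215,4 @@` hunk only drops the file's trailing newline, which gofmt will re-add, so the patch will stop applying cleanly once the vendor file is reformatted.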
@@ -89,7 +90,7 @@ func (r *reconciler) ReconcileKind(ctx context.Context, secret *corev1.Secret) p
 r.logger.Errorf("Error accessing CA certificate secret %q %q: %v", system.Namespace(), r.caSecretName, err)
 return err
 }
- caCert, caPk, err := parseAndValidateSecret(caSecret, false)
+ caCert, caPk, err := parseAndValidateSecret(caSecret, nil)
 if err != nil {
 r.logger.Infof("CA cert invalid: %v", err)
 
@@ -118,7 +119,7 @@ func (r *reconciler) ReconcileKind(ctx context.Context, secret *corev1.Secret) p
 return fmt.Errorf("unknown cert type: %v", r.secretTypeLabelName)
 }
 
- cert, _, err := parseAndValidateSecret(secret, true, sans...)
+ cert, _, err := parseAndValidateSecret(secret, caSecret.Data[certificates.SecretCertKey], sans...)
 if err != nil {
 r.logger.Infof("Secret invalid: %v", err)
 // Check the secret to reconcile type
@@ -144,7 +145,7 @@ func (r *reconciler) ReconcileKind(ctx context.Context, secret *corev1.Secret) p
 }
 
 // All sans provided are required to be lower case
-func parseAndValidateSecret(secret *corev1.Secret, shouldContainCaCert bool, sans ...string) (*x509.Certificate, *rsa.PrivateKey, error) {
+func parseAndValidateSecret(secret *corev1.Secret, caCert []byte, sans ...string) (*x509.Certificate, *rsa.PrivateKey, error) {
 certBytes, ok := secret.Data[certificates.SecretCertKey]
 if !ok {
 return nil, nil, fmt.Errorf("missing cert bytes")
@@ -153,10 +154,14 @@ func parseAndValidateSecret(secret *corev1.Secret, shouldContainCaCert bool, san
 if !ok {
 return nil, nil, fmt.Errorf("missing pk bytes")
 }
- if shouldContainCaCert {
- if _, ok := secret.Data[certificates.SecretCaCertKey]; !ok {
+ if caCert != nil {
+ ca, ok := secret.Data[certificates.SecretCaCertKey]
+ if !ok {
 return nil, nil, fmt.Errorf("missing ca cert bytes")
 }
+ if !bytes.Equal(ca, caCert) {
+ return nil, nil, fmt.Errorf("ca cert bytes changed")
+ }
 }
 
 cert, caPk, err := certificates.ParseCert(certBytes, pkBytes)
@@ -210,4 +215,4 @@ func (r *reconciler) shouldReconcile(secret *corev1.Secret) bool {
 
 _, hasLabel := secret.Labels[r.secretTypeLabelName]
 return hasLabel
-}
+}
\ No newline at end of file