amphora certs: return a fatal error if server CA pass secret isn't found
If the server CA passphrase secret is not found, we need to return an
error because later on, Octavia worker won't be able to sign the
certificate. Cryptography will complain:

```
Password was given but private key is not encrypted
```
EmilienM committed Jun 7, 2024
1 parent 3a1a634 commit cc02722
Showing 2 changed files with 4 additions and 7 deletions.
2 changes: 1 addition & 1 deletion controllers/octavia_controller.go
Expand Up @@ -506,7 +506,7 @@ func (r *OctaviaReconciler) reconcileNormal(ctx context.Context, instance *octav
}
instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)

err = octavia.EnsureAmphoraCerts(ctx, instance, helper, &Log)
err = octavia.EnsureAmphoraCerts(ctx, instance, helper)
if err != nil {
instance.Status.Conditions.Set(condition.FalseCondition(
octaviav1.OctaviaAmphoraCertsReadyCondition,
9 changes: 3 additions & 6 deletions pkg/octavia/amphora_certs.go
Expand Up @@ -26,7 +26,6 @@ import (
"math/big"
"time"

"github.com/go-logr/logr"
"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
octaviav1 "github.com/openstack-k8s-operators/octavia-operator/api/v1beta1"
Expand Down Expand Up @@ -149,8 +148,7 @@ func generateClientCert(caTemplate *x509.Certificate, certPrivKey *rsa.PrivateKe
func EnsureAmphoraCerts(
ctx context.Context,
instance *octaviav1.Octavia,
h *helper.Helper,
log *logr.Logger) error {
h *helper.Helper) error {
var oAmpSecret *corev1.Secret
var serverCAPass []byte

Expand All @@ -165,10 +163,9 @@ func EnsureAmphoraCerts(
cAPassSecret, _, err := secret.GetSecret(
ctx, h, serverCAPassSecretName, instance.Namespace)
if err != nil {
log.Info("Could not read server CA passphrase. No encryption will be applied to the generated key.")
} else {
serverCAPass = cAPassSecret.Data["server-ca-passphrase"]
return fmt.Errorf("Error retrieving secret %s needed to encrypt the generated key - %w", serverCAPassSecretName, err)
}
serverCAPass = cAPassSecret.Data["server-ca-passphrase"]

serverCAKey, serverCAKeyPEM, err := generateKey(serverCAPass)
if err != nil {
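Review bot: The new line `serverCAPass = cAPassSecret.Data["server-ca-passphrase"]` still accepts a secret that exists but lacks that key, which leaves serverCAPass nil and — going by the removed log line, "No encryption will be applied to the generated key" — produces an unencrypted key and the same later signing failure this commit is meant to prevent. Add a guard right after the lookup: `if len(serverCAPass) == 0 { return fmt.Errorf("secret %s has no server-ca-passphrase key needed to encrypt the generated key", serverCAPassSecretName) }`. The new error string at `return fmt.Errorf("Error retrieving secret %s ...` would also follow Go convention better lowercased and without the "Error" prefix, e.g. `fmt.Errorf("retrieving secret %s needed to encrypt the generated key: %w", serverCAPassSecretName, err)`. EnsureAmphoraCerts continues past the end of this hunk, so how generateKey treats an empty passphrase is inferred from the removed message rather than visible here.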
