From cc02722a4ad95e53f217b88f2432edee2e1ad65d Mon Sep 17 00:00:00 2001
From: Emilien Macchi <emacchi@redhat.com>
Date: Thu, 6 Jun 2024 16:32:25 -0400
Subject: [PATCH] amphora certs: return a fatal error if server CA pass secret
 isn't found

If the server CA passphrase secret is not found, we need to return an
error because later on, Octavia worker won't be able to sign the
certificate. Cryptography will complain:

```
Password was given but private key is not encrypted
```
---
 controllers/octavia_controller.go | 2 +-
 pkg/octavia/amphora_certs.go      | 9 +++------
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/controllers/octavia_controller.go b/controllers/octavia_controller.go
index e780c740..c1f598ea 100644
--- a/controllers/octavia_controller.go
+++ b/controllers/octavia_controller.go
@@ -506,7 +506,7 @@ func (r *OctaviaReconciler) reconcileNormal(ctx context.Context, instance *octav
 	}
 	instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
 
-	err = octavia.EnsureAmphoraCerts(ctx, instance, helper, &Log)
+	err = octavia.EnsureAmphoraCerts(ctx, instance, helper)
 	if err != nil {
 		instance.Status.Conditions.Set(condition.FalseCondition(
 			octaviav1.OctaviaAmphoraCertsReadyCondition,
diff --git a/pkg/octavia/amphora_certs.go b/pkg/octavia/amphora_certs.go
index 6f82f161..746eac5e 100644
--- a/pkg/octavia/amphora_certs.go
+++ b/pkg/octavia/amphora_certs.go
@@ -26,7 +26,6 @@ import (
 	"math/big"
 	"time"
 
-	"github.com/go-logr/logr"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
 	octaviav1 "github.com/openstack-k8s-operators/octavia-operator/api/v1beta1"
@@ -149,8 +148,7 @@ func generateClientCert(caTemplate *x509.Certificate, certPrivKey *rsa.PrivateKe
 func EnsureAmphoraCerts(
 	ctx context.Context,
 	instance *octaviav1.Octavia,
-	h *helper.Helper,
-	log *logr.Logger) error {
+	h *helper.Helper) error {
 	var oAmpSecret *corev1.Secret
 	var serverCAPass []byte
 
@@ -165,10 +163,9 @@ func EnsureAmphoraCerts(
 		cAPassSecret, _, err := secret.GetSecret(
 			ctx, h, serverCAPassSecretName, instance.Namespace)
 		if err != nil {
-			log.Info("Could not read server CA passphrase. No encryption will be applied to the generated key.")
-		} else {
-			serverCAPass = cAPassSecret.Data["server-ca-passphrase"]
+			return fmt.Errorf("Error retrieving secret %s needed to encrypt the generated key - %w", serverCAPassSecretName, err)
 		}
+		serverCAPass = cAPassSecret.Data["server-ca-passphrase"]
 
 		serverCAKey, serverCAKeyPEM, err := generateKey(serverCAPass)
 		if err != nil {