Fix #1582 by not double-decoding the ca.crt field in external TLS secrets for the impersonation proxy

2026-01-06 05:27:23 +00:00 · 2023-08-08 20:17:21 -05:00
parent f24f82b25b
commit 1707995378
4 changed files with 101 additions and 46 deletions
--- a/internal/controller/impersonatorconfig/impersonator_config.go
+++ b/internal/controller/impersonatorconfig/impersonator_config.go
@@ -730,24 +730,18 @@ func (c *impersonatorConfigController) readExternalTLSSecret(externalTLSSecretNa
 		return nil, err
 	}

-	base64EncodedCaCert := secretFromInformer.Data[caCrtKey]
+	if caCertPEM, ok := secretFromInformer.Data[caCrtKey]; ok && len(caCertPEM) > 0 {
+		plog.Info(fmt.Sprintf("found a %s field in the externally provided TLS secret for the impersonation proxy", caCrtKey),
+			"secretName", externalTLSSecretName,
+			"caCertPEM", caCertPEM)

-	if len(base64EncodedCaCert) > 0 {
-		var decodedCaCert []byte
-		decodedCaCert, err = base64.StdEncoding.DecodeString(string(secretFromInformer.Data[caCrtKey]))
-		if err != nil {
-			err = fmt.Errorf("unable to read provided ca.crt: %w", err)
-			plog.Error("error loading cert from externally provided TLS secret for the impersonation proxy", err)
-			return nil, err
-		}
-
-		block, _ := pem.Decode(decodedCaCert)
+		block, _ := pem.Decode(caCertPEM)
 		if block == nil {
 			plog.Warning("error loading cert from externally provided TLS secret for the impersonation proxy: data is not a certificate")
 			return nil, fmt.Errorf("unable to read provided ca.crt: data is not a certificate")
 		}

-		return decodedCaCert, nil
+		return caCertPEM, nil
 	}

 	return nil, nil
--- a/internal/controller/impersonatorconfig/impersonator_config_test.go
+++ b/internal/controller/impersonatorconfig/impersonator_config_test.go
@@ -1356,7 +1356,7 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 				when("the externally provided TLS secret has a ca.crt field", func() {
 					it.Before(func() {
 						addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
-						externalTLSSecret.Data["ca.crt"] = []byte(base64.StdEncoding.EncodeToString(externalCA.Bundle()))
+						externalTLSSecret.Data["ca.crt"] = externalCA.Bundle()
 						addSecretToTrackers(externalTLSSecret, kubeInformerClient)
 						addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
 							ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
@@ -1386,42 +1386,10 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 					})
 				})

-				when("the externally provided TLS secret has a ca.crt field that is not base64-encoded", func() {
-					it.Before(func() {
-						addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
-						externalTLSSecret.Data["ca.crt"] = []byte("hello")
-						addSecretToTrackers(externalTLSSecret, kubeInformerClient)
-						addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
-							ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},
-							Spec: v1alpha1.CredentialIssuerSpec{
-								ImpersonationProxy: &v1alpha1.ImpersonationProxySpec{
-									Mode:             v1alpha1.ImpersonationProxyModeAuto,
-									ExternalEndpoint: localhostIP,
-									Service: v1alpha1.ImpersonationProxyServiceSpec{
-										Type: v1alpha1.ImpersonationProxyServiceTypeNone,
-									},
-									TLS: &v1alpha1.ImpersonationProxyTLSSpec{
-										SecretName: externallyProvidedTLSSecretName,
-									},
-								},
-							},
-						}, pinnipedInformerClient, pinnipedAPIClient)
-					})
-
-					it("returns an error", func() {
-						startInformersAndController()
-						r.Error(runControllerSync(), "could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: illegal base64 data at input byte 4")
-						r.Len(kubeAPIClient.Actions(), 1)
-						requireNodesListed(kubeAPIClient.Actions()[0])
-						requireCredentialIssuer(newErrorStrategy("could not load the externally provided TLS secret for the impersonation proxy: unable to read provided ca.crt: illegal base64 data at input byte 4"))
-						requireMTLSClientCertProviderHasLoadedCerts([]byte{}, []byte{})
-					})
-				})
-
 				when("the externally provided TLS secret has a ca.crt field that is not a valid cert", func() {
 					it.Before(func() {
 						addSecretToTrackers(mTLSClientCertCASecret, kubeInformerClient)
-						externalTLSSecret.Data["ca.crt"] = []byte(base64.StdEncoding.EncodeToString([]byte("hello")))
+						externalTLSSecret.Data["ca.crt"] = []byte("hello")
 						addSecretToTrackers(externalTLSSecret, kubeInformerClient)
 						addCredentialIssuerToTrackers(v1alpha1.CredentialIssuer{
 							ObjectMeta: metav1.ObjectMeta{Name: credentialIssuerResourceName},