From 282b949c24702ede16428c5b4467e69036bc71c5 Mon Sep 17 00:00:00 2001
From: Ashish Amarnath
Date: Thu, 25 Jul 2024 19:53:27 -0700
Subject: [PATCH] update jwtcachefiller to use new tlsconfigutil.CABundle type

Signed-off-by: Ashish Amarnath
---
 .../webhookcachefiller/webhookcachefiller.go | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
index 9c2eddd59..58f17c76c 100644
--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
@@ -6,7 +6,6 @@ package webhookcachefiller
 
 import (
 	"context"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -162,8 +161,8 @@ func (c *webhookCacheFillerController) syncIndividualWebhookAuthenticator(ctx co
 	}
 
 	conditions := make([]*metav1.Condition, 0)
-	certPool, caBundlePEM, conditions, tlsBundleOk := c.validateTLSBundle(webhookAuthenticator.Spec.TLS, conditions)
-	caBundlePEMSHA256 := sha256.Sum256(caBundlePEM) // note that this will always return the same hash for nil input
+	caBundle, conditions, tlsBundleOk := c.validateTLSBundle(webhookAuthenticator.Spec.TLS, conditions)
+	caBundlePEMSHA256 := caBundle.GetCABundleHash()
 
 	// Only revalidate and update the cache if the cached authenticator is different from the desired authenticator.
 	// There is no need to repeat validations for a spec that was already successfully validated. We are making a 
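Review bot: The removed line carried a warning that a nil bundle hashes identically to any other nil input, and the replacement `caBundlePEMSHA256 := caBundle.GetCABundleHash()` drops that caveat even though the hash still feeds the cached-vs-desired equality check described in the comment directly below it. GetCABundleHash's implementation is not in this diff; if it yields a fixed value for a nil or empty bundle, a spec whose TLS validation just failed and a spec that legitimately has no CA bundle are indistinguishable on this field, so the comparison that follows must also take tlsBundleOk or the appended condition into account rather than the hash alone. Suggest keeping the note at the call site: `caBundlePEMSHA256 := caBundle.GetCABundleHash() // nil/empty bundles hash identically; never use this alone to detect a failed validation`. As an aside, the patch subject says jwtcachefiller while the only file touched is webhookcachefiller. syncIndividualWebhookAuthenticator begins and ends outside this hunk.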
@@ -190,7 +189,7 @@ func (c *webhookCacheFillerController) syncIndividualWebhookAuthenticator(ctx co
 	endpointHostPort, conditions, endpointOk := c.validateEndpoint(webhookAuthenticator.Spec.Endpoint, conditions)
 	okSoFar := tlsBundleOk && endpointOk
 
-	conditions, tlsNegotiateErr := c.validateConnection(certPool, endpointHostPort, conditions, okSoFar)
+	conditions, tlsNegotiateErr := c.validateConnection(caBundle.GetCertPool(), endpointHostPort, conditions, okSoFar)
 	errs = append(errs, tlsNegotiateErr)
 	okSoFar = okSoFar && tlsNegotiateErr == nil
 
@@ -198,7 +197,7 @@ func (c *webhookCacheFillerController) syncIndividualWebhookAuthenticator(ctx co
 		// Note that we use the whole URL when constructing the webhook client,
 		// not just the host and port that we validated above. We need the path, etc.
 		webhookAuthenticator.Spec.Endpoint,
-		caBundlePEM,
+		caBundle.GetCABundle(),
 		conditions,
 		okSoFar,
 	)
@@ -243,7 +242,7 @@ func (c *webhookCacheFillerController) cacheValueAsWebhookAuthenticator(value au
 	return webhookAuthenticator
 }
 
-func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []byte, []*metav1.Condition, bool) {
+func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*tlsconfigutil.CABundle, []*metav1.Condition, bool) {
 	condition, caBundle := tlsconfigutil.ValidateTLSConfig(
 		tlsconfigutil.TLSSpecForConcierge(tlsSpec),
 		"spec.tls",
@@ -252,7 +251,7 @@ func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authentication
 		c.configMapInformer)
 	conditions = append(conditions, condition)
 
-	return caBundle.GetCertPool(), caBundle.GetCABundle(), conditions, condition.Status == metav1.ConditionTrue
+	return caBundle, conditions, condition.Status == metav1.ConditionTrue
 }
 
 // newWebhookAuthenticator creates a webhook from the provided API server url and caBundle
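Review bot: `caBundle.GetCertPool()` is now evaluated before validateConnection has decided, via okSoFar, whether it will dial at all, and a nil *x509.CertPool placed in a tls.Config's RootCAs makes crypto/tls fall back to the host's system roots instead of refusing the connection. Whether GetCertPool can return nil for a spec with no bundle, and whether validateConnection treats a nil pool as "use system roots" or as "do not dial", cannot be seen here; if nil means system roots, that is pre-existing behaviour rather than something this commit introduces, but it deserves a one-line note at the call site, e.g. `// nil pool => crypto/tls uses system roots; validateConnection only dials when okSoFar`. validateConnection's body and the enclosing syncIndividualWebhookAuthenticator both lie outside the hunk.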
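Review bot: The new signature of validateTLSBundle, which now hands back the `*tlsconfigutil.CABundle` instead of the pool and PEM, has no doc comment, so nothing at the signature tells a caller whether the returned bundle is meaningful when the trailing bool is false. The method body continues past this hunk, and the following hunk returns caBundle unconditionally alongside the condition status, so callers must gate any trust decision on the bool rather than on the bundle being non-nil. Suggest a doc comment above the func: `// validateTLSBundle validates tlsSpec, appends the resulting condition to conditions, and returns the parsed CA bundle together with whether validation succeeded; the bundle is returned even on failure, so callers must gate trust on the bool.`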