Introduce type alias CABundleHash for the hash of a CA bundle ([32]byte)

Co-authored-by: Ryan Richard <richardry@vmware.com> Co-authored-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
2026-01-09 15:44:10 +00:00 · 2024-07-26 12:38:44 -05:00
parent 99cfc4fbce
commit a888083c50
15 changed files with 185 additions and 179 deletions
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go
@@ -111,9 +111,9 @@ type tokenAuthenticatorCloser interface {

 type cachedJWTAuthenticator struct {
 	authenticator.Token
-	spec              *authenticationv1alpha1.JWTAuthenticatorSpec
-	caBundlePEMSHA256 [32]byte
-	cancel            context.CancelFunc
+	spec         *authenticationv1alpha1.JWTAuthenticatorSpec
+	caBundleHash tlsconfigutil.CABundleHash
+	cancel       context.CancelFunc
 }

 func (c *cachedJWTAuthenticator) Close() {
@@ -237,7 +237,7 @@ func (c *jwtCacheFillerController) syncIndividualJWTAuthenticator(ctx context.Co
 		if jwtAuthenticatorFromCache != nil &&
 			reflect.DeepEqual(jwtAuthenticatorFromCache.spec, &jwtAuthenticator.Spec) &&
 			tlsBundleOk && // if there was any error while validating the CA bundle, then run remaining validations and update status
-			jwtAuthenticatorFromCache.caBundlePEMSHA256 == caBundle.Hash() {
+			jwtAuthenticatorFromCache.caBundleHash.Equal(caBundle.Hash()) {
 			c.log.WithValues("jwtAuthenticator", klog.KObj(jwtAuthenticator), "issuer", jwtAuthenticator.Spec.Issuer).
 				Info("actual jwt authenticator and desired jwt authenticator are the same")
 			// Stop, no more work to be done. This authenticator is already validated and cached.
@@ -562,7 +562,7 @@ func (c *jwtCacheFillerController) newCachedJWTAuthenticator(
 	client *http.Client,
 	spec *authenticationv1alpha1.JWTAuthenticatorSpec,
 	keySet *coreosoidc.RemoteKeySet,
-	caBundlePEMSHA256 [32]byte,
+	caBundleHash tlsconfigutil.CABundleHash,
 	conditions []*metav1.Condition,
 	prereqOk bool,
 ) (*cachedJWTAuthenticator, []*metav1.Condition, error) {
@@ -633,10 +633,10 @@ func (c *jwtCacheFillerController) newCachedJWTAuthenticator(
 		Message: msg,
 	})
 	return &cachedJWTAuthenticator{
-		Token:             oidcAuthenticator,
-		spec:              spec,
-		caBundlePEMSHA256: caBundlePEMSHA256,
-		cancel:            cancel,
+		Token:        oidcAuthenticator,
+		spec:         spec,
+		caBundleHash: caBundleHash,
+		cancel:       cancel,
 	}, conditions, nil
 }

--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
@@ -10,7 +10,6 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha256"
 	"crypto/x509"
 	_ "embed"
 	"encoding/base64"
@@ -45,6 +44,7 @@ import (
 	conciergefake "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned/fake"
 	conciergeinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
 	"go.pinniped.dev/internal/controller/authenticator/authncache"
+	"go.pinniped.dev/internal/controller/tlsconfigutil"
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/crypto/ptls"
 	"go.pinniped.dev/internal/plog"
@@ -2631,8 +2631,8 @@ func newCacheValue(t *testing.T, spec authenticationv1alpha1.JWTAuthenticatorSpe
 	})

 	return &cachedJWTAuthenticator{
-		spec:              &spec,
-		caBundlePEMSHA256: sha256.Sum256([]byte(caBundle)),
+		spec:         &spec,
+		caBundleHash: tlsconfigutil.NewCABundleHash([]byte(caBundle)),
 		cancel: func() {
 			wasClosed = true
 		},
--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
@@ -61,8 +61,8 @@ const (

 type cachedWebhookAuthenticator struct {
 	authenticator.Token
-	spec              *authenticationv1alpha1.WebhookAuthenticatorSpec
-	caBundlePEMSHA256 [32]byte
+	spec         *authenticationv1alpha1.WebhookAuthenticatorSpec
+	caBundleHash tlsconfigutil.CABundleHash
 }

 // New instantiates a new controllerlib.Controller which will populate the provided authncache.Cache.
@@ -162,8 +162,6 @@ func (c *webhookCacheFillerController) syncIndividualWebhookAuthenticator(ctx co

 	conditions := make([]*metav1.Condition, 0)
 	caBundle, conditions, tlsBundleOk := c.validateTLSBundle(webhookAuthenticator.Spec.TLS, conditions)
-	caBundlePEMSHA256 := caBundle.Hash()
-
 	// Only revalidate and update the cache if the cached authenticator is different from the desired authenticator.
 	// There is no need to repeat validations for a spec that was already successfully validated. We are making a
 	// design decision to avoid repeating the validation which dials the server, even though the server's TLS
@@ -177,7 +175,7 @@ func (c *webhookCacheFillerController) syncIndividualWebhookAuthenticator(ctx co
 		if webhookAuthenticatorFromCache != nil &&
 			reflect.DeepEqual(webhookAuthenticatorFromCache.spec, &webhookAuthenticator.Spec) &&
 			tlsBundleOk && // if there was any error while validating the CA bundle, then run remaining validations and update status
-			webhookAuthenticatorFromCache.caBundlePEMSHA256 == caBundlePEMSHA256 {
+			webhookAuthenticatorFromCache.caBundleHash.Equal(caBundle.Hash()) {
 			c.log.WithValues("webhookAuthenticator", klog.KObj(webhookAuthenticator), "endpoint", webhookAuthenticator.Spec.Endpoint).
 				Info("actual webhook authenticator and desired webhook authenticator are the same")
 			// Stop, no more work to be done. This authenticator is already validated and cached.
@@ -210,9 +208,9 @@ func (c *webhookCacheFillerController) syncIndividualWebhookAuthenticator(ctx co
 		c.cache.Delete(cacheKey)
 	} else {
 		c.cache.Store(cacheKey, &cachedWebhookAuthenticator{
-			Token:             newWebhookAuthenticatorForCache,
-			spec:              webhookAuthenticator.Spec.DeepCopy(), // deep copy to avoid caching original object
-			caBundlePEMSHA256: caBundlePEMSHA256,
+			Token:        newWebhookAuthenticatorForCache,
+			spec:         webhookAuthenticator.Spec.DeepCopy(), // deep copy to avoid caching original object
+			caBundleHash: caBundle.Hash(),
 		})
 		c.log.WithValues("webhook", klog.KObj(webhookAuthenticator), "endpoint", webhookAuthenticator.Spec.Endpoint).
 			Info("added new webhook authenticator")
--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
@@ -6,7 +6,6 @@ package webhookcachefiller
 import (
 	"bytes"
 	"context"
-	"crypto/sha256"
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/json"
@@ -39,6 +38,7 @@ import (
 	conciergeinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions"
 	"go.pinniped.dev/internal/certauthority"
 	"go.pinniped.dev/internal/controller/authenticator/authncache"
+	"go.pinniped.dev/internal/controller/tlsconfigutil"
 	"go.pinniped.dev/internal/controllerlib"
 	"go.pinniped.dev/internal/crypto/ptls"
 	"go.pinniped.dev/internal/plog"
@@ -2030,8 +2030,8 @@ func newCacheValue(t *testing.T, spec authenticationv1alpha1.WebhookAuthenticato
 	t.Helper()

 	return &cachedWebhookAuthenticator{
-		spec:              &spec,
-		caBundlePEMSHA256: sha256.Sum256([]byte(caBundle)),
+		spec:         &spec,
+		caBundleHash: tlsconfigutil.NewCABundleHash([]byte(caBundle)),
 	}
 }