Merge branch 'main' into jtc/add-importas-linter

internal/controller/authenticator/authenticator.go

@@ -4,16 +4,6 @@
 // Package authenticator contains helper code for dealing with *Authenticator CRDs.
 package authenticator
 
-import (
-	"crypto/x509"
-	"encoding/base64"
-	"fmt"
-
-	"k8s.io/client-go/util/cert"
-
-	authenticationv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/authentication/v1alpha1"
-)
-
 // Closer is a type that can be closed idempotently.
 //
 // This type is slightly different from io.Closer, because io.Closer can return an error and is not
@@ -21,24 +11,3 @@ import (
 type Closer interface {
 	Close()
 }
-
-// CABundle returns a PEM-encoded CA bundle from the provided spec. If the provided spec is nil, a
-// nil CA bundle will be returned. If the provided spec contains a CA bundle that is not properly
-// encoded, an error will be returned.
-func CABundle(spec *authenticationv1alpha1.TLSSpec) (*x509.CertPool, []byte, error) {
-	if spec == nil || len(spec.CertificateAuthorityData) == 0 {
-		return nil, nil, nil
-	}
-
-	pem, err := base64.StdEncoding.DecodeString(spec.CertificateAuthorityData)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	rootCAs, err := cert.NewPoolFromBytes(pem)
-	if err != nil {
-		return nil, nil, fmt.Errorf("certificateAuthorityData is not valid PEM: %w", err)
-	}
-
-	return rootCAs, pem, nil
-}

internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go

@@ -246,7 +246,7 @@ func (c *jwtCacheFillerController) extractValueAsJWTAuthenticator(value authncac
 }
 
 func (c *jwtCacheFillerController) validateTLS(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []*metav1.Condition, bool) {
-	rootCAs, _, err := pinnipedauthenticator.CABundle(tlsSpec)
+	rootCAs, _, err := pinnipedcontroller.BuildCertPoolAuth(tlsSpec)
 	if err != nil {
 		msg := fmt.Sprintf("%s: %s", "invalid TLS configuration", err.Error())
 		conditions = append(conditions, &metav1.Condition{
@@ -603,7 +603,7 @@ func (c *jwtCacheFillerController) updateStatus(
 		})
 	}
 
-	_ = conditionsutil.MergeConfigConditions(
+	_ = conditionsutil.MergeConditions(
 		conditions,
 		original.Generation,
 		&updated.Status.Conditions,

internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go

@@ -28,7 +28,6 @@ import (
 	conciergeclientset "go.pinniped.dev/generated/latest/client/concierge/clientset/versioned"
 	authinformers "go.pinniped.dev/generated/latest/client/concierge/informers/externalversions/authentication/v1alpha1"
 	pinnipedcontroller "go.pinniped.dev/internal/controller"
-	pinnipedauthenticator "go.pinniped.dev/internal/controller/authenticator"
 	"go.pinniped.dev/internal/controller/authenticator/authncache"
 	"go.pinniped.dev/internal/controller/conditionsutil"
 	"go.pinniped.dev/internal/controllerlib"
@@ -265,7 +264,7 @@ func (c *webhookCacheFillerController) validateConnection(certPool *x509.CertPoo
 }
 
 func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []byte, []*metav1.Condition, bool) {
-	rootCAs, pemBytes, err := pinnipedauthenticator.CABundle(tlsSpec)
+	rootCAs, pemBytes, err := pinnipedcontroller.BuildCertPoolAuth(tlsSpec)
 	if err != nil {
 		msg := fmt.Sprintf("%s: %s", "invalid TLS configuration", err.Error())
 		conditions = append(conditions, &metav1.Condition{
@@ -360,7 +359,7 @@ func (c *webhookCacheFillerController) updateStatus(
 		})
 	}
 
-	_ = conditionsutil.MergeConfigConditions(
+	_ = conditionsutil.MergeConditions(
 		conditions,
 		original.Generation,
 		&updated.Status.Conditions,