Accept Opaque secrets as TLS credentials for backward compatibility#2524
Accept Opaque secrets as TLS credentials for backward compatibility#2524AryanP123 wants to merge 1 commit into
Conversation
📝 WalkthroughWalkthroughAdds an ChangesTLS Credential Detection
Estimated code review effort: 2 (Simple) | ~15 minutes Sequence Diagram(s)sequenceDiagram
participant SecretWatcher
participant SyncHandle as Sync.handle
participant IsTlsCredentialSecret
participant SslProfile
SecretWatcher->>SyncHandle: notify Secret (type Opaque, TLS data)
SyncHandle->>IsTlsCredentialSecret: check(secret)
IsTlsCredentialSecret-->>SyncHandle: true (tls.crt, tls.key, ca.crt present)
SyncHandle->>SslProfile: handleSslProfile(secret)
SslProfile-->>SyncHandle: profile updated
SyncHandle->>SyncHandle: doCallback()
Related Issues: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
internal/kube/secrets/manager.go (1)
75-76: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winConsider adding direct test coverage for the Opaque-secret dispatch path here.
sync.gogotTestSyncHandlerOpaqueTlsSecretverifying the Opaque-secret branch end-to-end, but no equivalent test is included forhandleSecret/TlsCredentialSecretPresentin this file. Since both files independently branch onIsTlsCredentialSecret, a regression in one wouldn't be caught by the other's tests.Also applies to: 252-252
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 5c320e23-6097-411c-9153-a49cae40d1d7
📒 Files selected for processing (5)
internal/kube/secrets/context.gointernal/kube/secrets/context_test.gointernal/kube/secrets/manager.gointernal/kube/secrets/sync.gointernal/kube/secrets/sync_test.go
| if secret.Type != corev1.SecretTypeOpaque && secret.Type != "" { | ||
| return false | ||
| } | ||
| return len(secret.Data["tls.crt"]) > 0 && |
There was a problem hiding this comment.
This last assertion would break at least one (probably untested) thing. Until this regression and the subsequent changes to tls credentials dependencies the controller was designed to mostly turn a blind eye to tlsCredentials secret contents. It mostly tried to sort the contents out in the router/kube-adaptor.
It's probably more work than just this to iron out all of the corner cases, but to tell whether or not a secret is suitable to be used with an sslProfile configuration we need more context. Example: a Connector with spec.useClientCert=false (default) only configures a sslProfile with a CA - no cert or key file.
All that to say - let's either properly solve for this with a path with concrete "reasons" a secret is unacceptable for a particular tlsCredential or return to ye olden days with something wide open like 'secret.Type == "" || opaque || tls'
There was a problem hiding this comment.
Not to complicate this more, but just ran into another edge case we've never handled well: Listeners and MultiKeyListeners with requireClientCert=false have no real purpose for a CA certificate. We currently configure the sslProfile with one unconditionally and the router crashes when it is empty/absent. Looks like the kubernetes.io/tls type only requires tls.crt and tls.key (not ca.crt.)
Maybe the least controversial, most backwards compatible IsTlsCredentialSecret would be something like this? Would really count on your judgement here: A cryptic "Secret not found" error message is a big improvement over a crashing router deployment, but a major downgrade from a working link/service generated by regular skupper tooling.
func IsTlsCredentialSecret(secret *corev1.Secret) bool {
if secret == nil || secret.Data == nil || secret.Type == corev1.SecretTypeBasicAuth {
return false
}
return len(secret.Data["ca.crt"]) > 0
}
Fixes #2518
Summary by CodeRabbit
New Features
Bug Fixes