[Bugfix] Ignore not owned CAs (#632)

ajanikow · web-flow · commit bdfd3126c682 · 2020-09-08T14:51:17.000+02:00
diff --git a/pkg/deployment/reconcile/plan_builder_tls.go b/pkg/deployment/reconcile/plan_builder_tls.go
@@ -461,6 +461,7 @@ func keyfileRenewalRequired(ctx context.Context,
 		case *url.Error:
 			switch v.Err.(type) {
 			case x509.UnknownAuthorityError, x509.CertificateInvalidError:
+				log.Warn().Err(v.Err).Str("type", reflect.TypeOf(v.Err).String()).Msg("Validation of server cert failed")
 				return true, true
 			default:
 				log.Warn().Err(v.Err).Str("type", reflect.TypeOf(v.Err).String()).Msg("Validation of server cert failed")
@@ -477,7 +478,12 @@ func keyfileRenewalRequired(ctx context.Context,
 			continue
 		}
 
+		if ca.Contains(cert) {
+			continue
+		}
+
 		if time.Now().Add(CertificateRenewalMargin).After(cert.NotAfter) {
+			log.Warn().Msg("Renewal margin exceeded")
 			return true, true
 		}
 	}
@@ -512,6 +518,7 @@ func keyfileRenewalRequired(ctx context.Context,
 		keyfileSha := util.SHA256(keyfile)
 
 		if tls.Result.KeyFile.GetSHA().Checksum() != keyfileSha {
+			log.Warn().Str("current", tls.Result.KeyFile.GetSHA().Checksum()).Str("desired", keyfileSha).Msg("Unable to get tls details")
 			return true, false
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -461,6 +461,7 @@ func keyfileRenewalRequired(ctx context.Context,`
`461`	`461`	`case *url.Error:`
`462`	`462`	`switch v.Err.(type) {`
`463`	`463`	`case x509.UnknownAuthorityError, x509.CertificateInvalidError:`
	`464`	`+ log.Warn().Err(v.Err).Str("type", reflect.TypeOf(v.Err).String()).Msg("Validation of server cert failed")`
`464`	`465`	`return true, true`
`465`	`466`	`default:`
`466`	`467`	`log.Warn().Err(v.Err).Str("type", reflect.TypeOf(v.Err).String()).Msg("Validation of server cert failed")`
`@@ -477,7 +478,12 @@ func keyfileRenewalRequired(ctx context.Context,`
`477`	`478`	`continue`
`478`	`479`	`}`
`479`	`480`
	`481`	`+ if ca.Contains(cert) {`
	`482`	`+ continue`
	`483`	`+ }`
	`484`	`+`
`480`	`485`	`if time.Now().Add(CertificateRenewalMargin).After(cert.NotAfter) {`
	`486`	`+ log.Warn().Msg("Renewal margin exceeded")`
`481`	`487`	`return true, true`
`482`	`488`	`}`
`483`	`489`	`}`
`@@ -512,6 +518,7 @@ func keyfileRenewalRequired(ctx context.Context,`
`512`	`518`	`keyfileSha := util.SHA256(keyfile)`
`513`	`519`
`514`	`520`	`if tls.Result.KeyFile.GetSHA().Checksum() != keyfileSha {`
	`521`	`+ log.Warn().Str("current", tls.Result.KeyFile.GetSHA().Checksum()).Str("desired", keyfileSha).Msg("Unable to get tls details")`
`515`	`522`	`return true, false`
`516`	`523`	`}`
`517`	`524`	`}`