Verify success of parsing OpenStack cloud cacert

MaysaMacedo · MaysaMacedo · commit 02dde936ad0f · 2023-12-04T12:55:39.000-03:00
If no certificate is set to `OPENSTACK_CLOUD_CACERT_B64` env varaible, it
defaults to an empty string encoded. This can cause failure to connect
to OpenStack API when it uses a certificate bundle that is supplied by the
OS, instead of a private certificate. This commit fixes the issue by checking
if the certificate was parsed successfully and if not attempts to use the
host's root CA.
diff --git a/pkg/scope/provider.go b/pkg/scope/provider.go
@@ -165,7 +165,11 @@ func NewProviderClient(cloud clientconfig.Cloud, caCert []byte, logger logr.Logg
 	}
 	if caCert != nil {
 		config.RootCAs = x509.NewCertPool()
-		config.RootCAs.AppendCertsFromPEM(caCert)
+		ok := config.RootCAs.AppendCertsFromPEM(caCert)
+		if !ok {
+			// If no certificates were successfully parsed, set RootCAs to nil to use the host's root CA
+			config.RootCAs = nil
+		}
 	}
 
 	provider.HTTPClient.Transport = &http.Transport{Proxy: http.ProxyFromEnvironment, TLSClientConfig: config}

Original file line number	Diff line number	Diff line change
`@@ -165,7 +165,11 @@ func NewProviderClient(cloud clientconfig.Cloud, caCert []byte, logger logr.Logg`
`165`	`165`	`}`
`166`	`166`	`if caCert != nil {`
`167`	`167`	`config.RootCAs = x509.NewCertPool()`
`168`		`- config.RootCAs.AppendCertsFromPEM(caCert)`
	`168`	`+ ok := config.RootCAs.AppendCertsFromPEM(caCert)`
	`169`	`+ if !ok {`
	`170`	`+ // If no certificates were successfully parsed, set RootCAs to nil to use the host's root CA`
	`171`	`+ config.RootCAs = nil`
	`172`	`+ }`
`169`	`173`	`}`
`170`	`174`
`171`	`175`	`provider.HTTPClient.Transport = &http.Transport{Proxy: http.ProxyFromEnvironment, TLSClientConfig: config}`