
Commit f3e3182

fix: octavia tlsContainerRef validation for barbican secrets (#2458)
Co-authored-by: Nuckal777 <[email protected]>
1 parent 92619e4 commit f3e3182


1 file changed

+22
-7
lines changed


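--- a/pkg/openstack/loadbalancer.go
+++ b/pkg/openstack/loadbalancer.go
@@ -27,6 +27,7 @@ import (
 
 "github.com/gophercloud/gophercloud"
 "github.com/gophercloud/gophercloud/openstack/keymanager/v1/containers"
+"github.com/gophercloud/gophercloud/openstack/keymanager/v1/secrets"
 "github.com/gophercloud/gophercloud/openstack/loadbalancer/v2/listeners"
 "github.com/gophercloud/gophercloud/openstack/loadbalancer/v2/loadbalancers"
 v2monitors "github.com/gophercloud/gophercloud/openstack/loadbalancer/v2/monitors"
@@ -1658,16 +1659,30 @@ func (lbaas *LbaasV2) checkService(service *corev1.Service, nodes []*corev1.Node
 "initialized and default-tls-container-ref %q is set", svcConf.tlsContainerRef)
 }
 
-// check if container exists for 'barbican' container store
-// tls container ref has the format: https://{keymanager_host}/v1/containers/{uuid}
+// check if container or secret exists for 'barbican' container store
+// tls container ref has the format: https://{keymanager_host}/v1/containers/{uuid} or https://{keymanager_host}/v1/secrets/{uuid}
 if lbaas.opts.ContainerStore == "barbican" {
 slice := strings.Split(svcConf.tlsContainerRef, "/")
-containerID := slice[len(slice)-1]
-container, err := containers.Get(lbaas.secret, containerID).Extract()
-if err != nil {
-return fmt.Errorf("failed to get tls container %q: %v", svcConf.tlsContainerRef, err)
+if len(slice) < 2 {
+return fmt.Errorf("invalid tlsContainerRef for service %s", serviceName)
+}
+barbicanUUID := slice[len(slice)-1]
+barbicanType := slice[len(slice)-2]
+if barbicanType == "containers" {
+container, err := containers.Get(lbaas.secret, barbicanUUID).Extract()
+if err != nil {
+return fmt.Errorf("failed to get tls container %q: %v", svcConf.tlsContainerRef, err)
+}
+klog.V(4).Infof("Default TLS container %q found", container.ContainerRef)
+} else if barbicanType == "secrets" {
+secret, err := secrets.Get(lbaas.secret, barbicanUUID).Extract()
+if err != nil {
+return fmt.Errorf("failed to get tls secret %q: %v", svcConf.tlsContainerRef, err)
+}
+klog.V(4).Infof("Default TLS secret %q found", secret.SecretRef)
+} else {
+return fmt.Errorf("failed to validate tlsContainerRef for service %s: tlsContainerRef type %s unknown", serviceName, barbicanType)
 }
-klog.V(4).Infof("Default TLS container %q found", container.ContainerRef)
 }
 }
 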
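Review bot: The added `len(slice) < 2` guard (new line 1666) does not reject an empty final segment, so a ref ending in a slash fails with the misleading "type ... unknown" error, and a value such as `containers/` reaches `containers.Get` with an empty ID; what that lookup returns then depends on how gophercloud builds the URL. I would trim and check the ID before the lookup: `slice := strings.Split(strings.TrimSuffix(svcConf.tlsContainerRef, "/"), "/")` followed by `if len(slice) < 2 || slice[len(slice)-1] == "" {`, and include the ref itself (`%q`) in that error. Only the last two path segments are examined, so the scheme and host of the ref are never compared with the key-manager endpoint that `lbaas.secret` queries; the check therefore proves that the UUID exists in the configured Barbican, not that the ref points there, and the comment above the block should say so. checkService begins and ends outside this hunk, so where `tlsContainerRef` is populated is not visible here.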
