
Commit 45acca7

fix: octavia tlsContainerRef validation for barbican secrets (kubernetes#2460)
Co-authored-by: Nuckal777 <[email protected]>
1 parent 79c0a29 commit 45acca7


1 file changed

+22
-7
lines changed


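--- a/pkg/openstack/loadbalancer.go
+++ b/pkg/openstack/loadbalancer.go
@@ -27,6 +27,7 @@ import (
 
 "github.com/gophercloud/gophercloud"
 "github.com/gophercloud/gophercloud/openstack/keymanager/v1/containers"
+"github.com/gophercloud/gophercloud/openstack/keymanager/v1/secrets"
 "github.com/gophercloud/gophercloud/openstack/loadbalancer/v2/listeners"
 "github.com/gophercloud/gophercloud/openstack/loadbalancer/v2/loadbalancers"
 v2monitors "github.com/gophercloud/gophercloud/openstack/loadbalancer/v2/monitors"
@@ -1650,16 +1651,30 @@ func (lbaas *LbaasV2) checkService(service *corev1.Service, nodes []*corev1.Node
 "initialized and default-tls-container-ref %q is set", svcConf.tlsContainerRef)
 }
 
-// check if container exists for 'barbican' container store
-// tls container ref has the format: https://{keymanager_host}/v1/containers/{uuid}
+// check if container or secret exists for 'barbican' container store
+// tls container ref has the format: https://{keymanager_host}/v1/containers/{uuid} or https://{keymanager_host}/v1/secrets/{uuid}
 if lbaas.opts.ContainerStore == "barbican" {
 slice := strings.Split(svcConf.tlsContainerRef, "/")
-containerID := slice[len(slice)-1]
-container, err := containers.Get(lbaas.secret, containerID).Extract()
-if err != nil {
-return fmt.Errorf("failed to get tls container %q: %v", svcConf.tlsContainerRef, err)
+if len(slice) < 2 {
+return fmt.Errorf("invalid tlsContainerRef for service %s", serviceName)
+}
+barbicanUUID := slice[len(slice)-1]
+barbicanType := slice[len(slice)-2]
+if barbicanType == "containers" {
+container, err := containers.Get(lbaas.secret, barbicanUUID).Extract()
+if err != nil {
+return fmt.Errorf("failed to get tls container %q: %v", svcConf.tlsContainerRef, err)
+}
+klog.V(4).Infof("Default TLS container %q found", container.ContainerRef)
+} else if barbicanType == "secrets" {
+secret, err := secrets.Get(lbaas.secret, barbicanUUID).Extract()
+if err != nil {
+return fmt.Errorf("failed to get tls secret %q: %v", svcConf.tlsContainerRef, err)
+}
+klog.V(4).Infof("Default TLS secret %q found", secret.SecretRef)
+} else {
+return fmt.Errorf("failed to validate tlsContainerRef for service %s: tlsContainerRef type %s unknown", serviceName, barbicanType)
 }
-klog.V(4).Infof("Default TLS container %q found", container.ContainerRef)
 }
 }
 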
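Review bot: The new validation in the second hunk still accepts a ref whose last path segment is empty: for a value ending in `/containers/` or `/secrets/`, `barbicanUUID` is `""` and `barbicanType` matches, so the `Get` call is issued with an empty ID, and whether that fails or resolves to the collection endpoint depends on gophercloud and Barbican behaviour not visible here. A guard right after the two slice reads, `if barbicanUUID == "" { return fmt.Errorf("invalid tlsContainerRef for service %s", serviceName) }`, would reject it explicitly. Separately, only the last two segments are inspected and the lookup goes through `lbaas.secret`, so the scheme and host of `svcConf.tlsContainerRef` are never compared with the configured key manager; if this value can come from a Service annotation, I would add a comment such as `// NOTE: this proves the UUID exists in the configured Barbican, not that the full URL points at it`. checkService begins and ends outside this hunk, so how the ref is used afterwards is not visible.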
