Fix So That SIA does NOT Write Instance Cert When Local File Backup Used #62

Merged
merged 4 commits into from
Nov 20, 2023
34 changes: 21 additions & 13 deletions pkg/identity/certificated.go
Expand Up @@ -45,21 +45,29 @@ func Certificated(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (er
log.Infof("Role certificate provisioning is disabled with empty options: roles[%s], output directory[%s]", idConfig.TargetDomainRoles, idConfig.RoleCertDir)
}

var identity, k8sSecretBackupIdentity, forceInitIdentity *InstanceIdentity
var keyPEM, k8sSecretBackupKeyPEM, forceInitKeyPEM []byte

handler, err := InitIdentityHandler(idConfig)
if err != nil {
log.Errorf("Failed to initialize client for certificates: %s", err.Error())
return err, nil
}

writeFiles := func(id *InstanceIdentity, keyPEM []byte, roleCerts [](*RoleCertificate), roleKeyPEM []byte) error {
// identity & keyPEM will be STORED to the local file system:
var keyPEM, k8sSecretBackupKeyPEM, forceInitKeyPEM []byte
var identity, k8sSecretBackupIdentity, forceInitIdentity *InstanceIdentity

// RoleCert Keys and Certs will be STORED to the local file system:
var roleKeyPEM []byte
var roleCerts [](*RoleCertificate)

w := util.NewWriter()
// identity & keyPEM that will NOT be STORED to the local file system:
var localFileKeyPEM []byte
var localFileIdentity *InstanceIdentity

if id != nil {
leafPEM := []byte(id.X509CertificatePEM)
// Write files to local file system
writeFiles := func() error {
w := util.NewWriter()
if identity != nil && localFileKeyPEM == nil && localFileIdentity == nil {
leafPEM := []byte(identity.X509CertificatePEM)
if len(leafPEM) != 0 && len(keyPEM) != 0 {
x509Cert, err := util.CertificateFromPEMBytes(leafPEM)
if err != nil {
Expand All @@ -77,7 +85,7 @@ func Certificated(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (er
}
}

caCertPEM := []byte(id.X509CACertificatePEM)
caCertPEM := []byte(identity.X509CACertificatePEM)
if len(caCertPEM) != 0 && idConfig.CaCertFile != "" {
log.Debugf("Saving x509 cacert[%d bytes] at %s", len(caCertPEM), idConfig.CaCertFile)
if err := w.AddBytes(idConfig.CaCertFile, 0644, caCertPEM); err != nil {
Expand Down Expand Up @@ -206,12 +214,12 @@ func Certificated(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (er
if err != nil {
log.Warnf("Error while reading x509 certificate from local file[%s]: %s", idConfig.CertFile, err.Error())
}
localFileKeyPEM, err := ioutil.ReadFile(idConfig.KeyFile)
localFileKeyPEM, err = ioutil.ReadFile(idConfig.KeyFile)
if err != nil {
log.Warnf("Error while reading x509 certificate key from local file[%s]: %s", idConfig.KeyFile, err.Error())
}

localFileIdentity, err := InstanceIdentityFromPEMBytes(localFileCertPEM)
localFileIdentity, err = InstanceIdentityFromPEMBytes(localFileCertPEM)
if err != nil {
log.Warnf("Error while parsing x509 certificate from local file: %s", err.Error())
}
Expand Down Expand Up @@ -256,19 +264,19 @@ func Certificated(idConfig *config.IdentityConfig, stopChan <-chan struct{}) (er
log.Infof("Attempting to request renewed x509 certificate to identity provider[%s]...", idConfig.ProviderService)
err, forceInitIdentity, forceInitKeyPEM = identityProvisioningRequest(true)
if err != nil {
log.Errorf("Failed to retrieve renewed x509 certificate from identity provider: %s", err.Error())
log.Warnf("Failed to retrieve renewed x509 certificate from identity provider: %s, continuing with the backup certificate from kubernetes secret", err.Error())
} else {
identity = forceInitIdentity
keyPEM = forceInitKeyPEM
}
}

err, roleCerts, roleKeyPEM := roleCertProvisioningRequest()
err, roleCerts, roleKeyPEM = roleCertProvisioningRequest()
if err != nil {
return err
}

err = writeFiles(identity, keyPEM, roleCerts, roleKeyPEM)
err = writeFiles()
if err != nil {
if forceInitIdentity != nil || forceInitKeyPEM != nil {
log.Errorf("Failed to save files for renewed key[%s], renewed cert[%s] and renewed certificates for roles[%v]", idConfig.KeyFile, idConfig.CertFile, idConfig.TargetDomainRoles)
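Review bot: The new guard `if identity != nil && localFileKeyPEM == nil && localFileIdentity == nil {` in the first hunk treats any non-nil key bytes as a usable local backup, but ioutil.ReadFile returns a non-nil slice for an existing file even when the file is empty or the read fails partway, and a certificate that fails to parse in the third hunk leaves localFileIdentity nil while localFileKeyPEM is still set. In both cases the freshly provisioned identity and key are never persisted, and the empty or unparseable files stay on disk as the only local copy. Consider keying the skip on the same condition under which the local backup is actually adopted as `identity`, or at minimum `if identity != nil && len(localFileKeyPEM) == 0 && localFileIdentity == nil {`, and emit a debug log when the write is skipped so the omission is visible in the SIA logs. Both Certificated and the writeFiles closure start or end outside these hunks, so I cannot see whether the adoption logic already rules out the partial-backup case.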