Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -687,15 +687,15 @@ func (c *CertificateRevocationController) ensureNewSignerCertificatePropagated(c
signer, ok := secretForSignerClass(namespace, certificates.SignerClass(crr.Spec.SignerClass))
if !ok {
// we should never reach this case as we validate the class before transitioning states, and it's immutable
return true, nil, false, nil
return true, nil, true, nil
}

signerSecert, signers, err := c.loadCertificateSecret(signer.Namespace, signer.Name)
if err != nil {
return true, nil, false, err
}
if signers == nil {
return true, nil, false, nil
return true, nil, true, nil
}

currentCertPEM, ok := signerSecert.Data[corev1.TLSCertKey]
Expand All @@ -714,7 +714,7 @@ func (c *CertificateRevocationController) ensureNewSignerCertificatePropagated(c
return true, nil, false, err
}
if totalClientTrustBundle == nil {
return true, nil, false, nil
return true, nil, true, nil
}

var recorded bool
Expand Down Expand Up @@ -1008,14 +1008,14 @@ func (c *CertificateRevocationController) ensureOldSignerCertificateRevoked(ctx
// Load the current (new) signer cert/key for cross-checking during per-pod verification.
signer, ok := secretForSignerClass(namespace, certificates.SignerClass(crr.Spec.SignerClass))
if !ok {
return true, nil, false, nil
return true, nil, true, nil
}
signerSecret, _, err := c.loadCertificateSecret(signer.Namespace, signer.Name)
if err != nil {
return true, nil, false, err
}
if signerSecret == nil {
return true, nil, false, nil
return true, nil, true, nil
}
currentCertPEM := signerSecret.Data[corev1.TLSCertKey]
currentKeyPEM := signerSecret.Data[corev1.TLSPrivateKeyKey]
Expand All @@ -1026,7 +1026,7 @@ func (c *CertificateRevocationController) ensureOldSignerCertificateRevoked(ctx
return true, nil, false, err
}
if totalClientTrustBundle == nil {
return true, nil, false, nil
return true, nil, true, nil
}
// the real gate for this phase is that KAS has loaded the updated trust bundle and no longer
// authorizes clients using certificates signed by the revoked signer - it is difficult to unit-test
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2025,4 +2025,19 @@ func TestEnsureOldSignerCertificateRevoked_KASVerification(t *testing.T) {
}
g.Expect(foundRevoked).To(BeTrue(), "should have set PreviousCertificatesRevokedType condition to True")
})

t.Run("When trust bundle ConfigMap is transiently unavailable during revocation it should requeue", func(t *testing.T) {
t.Parallel()
g := NewWithT(t)

kubeconfigData := makeKubeconfig(t)
crr := newRevokedCRR()
secrets := newRevokedSecrets(kubeconfigData)
// No ConfigMaps — trust bundle not yet available
c := newRevokedController(crr, secrets, nil)

_, requeue, err := c.processCertificateRevocationRequest(t.Context(), "crr-ns", "crr-name", postRevocationClock.Now)
g.Expect(err).ToNot(HaveOccurred())
g.Expect(requeue).To(BeTrue(), "should requeue when trust bundle ConfigMap is transiently unavailable")
})
}