Closed Jiawei0227 closed 3 months ago
I thought this is supposed to be fixed already by https://github.com/cert-manager/trust-manager/pull/184?
Maybe something is missing? @arsenalzp
/assign
I'm going to check it.
Thanks Oleksandr! Also it would be great to check that the certPool can return a deterministic ordering of CA certs to keep the output consistent.
The issue is that the certificate pool is created for each source, so it is necessary to maintain it for each bundle, and it should be persistent. Let's discuss how to implement this feature. As always, I'm ready and want to improve this project!
This code processes each source separately; however, util.ValidateAndSanitizePEMBundleWithOptions() should accept either all sources or just hashes only, to be able to maintain hashes across invocations.
Should we run the de-dup process after the for loop? We could also just move the entire validateAndSanitize out of the loop and add it here: https://github.com/cert-manager/trust-manager/blob/cd860d6da4580e9aa1d193b33d726e4a01ad3af0/pkg/bundle/sync.go#L126
I don't feel there are performance or other implications if we do that.
Actually... I think the validation of the source should still happen within the for loop. But the deduplication should really happen after the for loop. So we might need to do a dedicated dedup after the resolvedBundle is generated.
A simple POC shows that

```go
	// NB: empty bundles are not valid so check and return an error if one somehow snuck through.
	if len(bundles) == 0 {
		return bundleData{}, fmt.Errorf("couldn't find any valid certificates in bundle")
	}

	// Join every source's PEM data and run the sanitizer once over the combined result,
	// so duplicates that were spread across sources are removed in a single pass.
	combinedBundle := strings.Join(bundles, "\n") + "\n"
	finalBundle, err := util.ValidateAndSanitizePEMBundle([]byte(combinedBundle))
	if err != nil {
		return bundleData{}, fmt.Errorf("invalid PEM data in source: %w", err)
	}

	resolvedBundle.data = string(finalBundle)
	return resolvedBundle, nil
}
```
If we do this, then it will work. But here basically we are validating the PEM again which is not ideal. The best is probably to only dedup here? I am okay with any solution that could fix this.
I agree with you; it would be better to move the dedup from downstream calls to the buildSourceBundle() call.
I tried to fix this issue with no harm to the existing code and tests. It is reasonable to separate the sanitizing and deduplication processes, instead of developing a huge food processor in one function.
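To illustrate the dedicated dedup step discussed above (run once over the combined bundle, kept separate from sanitizing), here is an added example that is not trust-manager's own code: it assumes the input has already been validated and sanitized, keys each certificate on its decoded DER bytes, and re-encodes survivors in first-seen order so the output is deterministic for a given source order. The demo payloads in main are constructed stand-ins, not real certificates.

```go
package main

import (
	"crypto/sha256"
	"encoding/pem"
	"fmt"
)

// DedupPEMBundle takes a bundle that has already been validated and sanitized
// (the separate step discussed in the thread) and removes repeated certificates.
// Blocks are compared on their decoded DER bytes, so two copies of one CA that
// differ only in PEM line wrapping or explanatory headers still collapse into one.
// Survivors are re-encoded in first-seen order, which keeps the output stable
// across syncs as long as the sources are presented in the same order.
func DedupPEMBundle(bundle []byte) ([]byte, int) {
	seen := make(map[[sha256.Size]byte]struct{})
	var out []byte
	dropped := 0
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			break // no further PEM blocks in the remaining input
		}
		if block.Type != "CERTIFICATE" {
			continue // sanitizing already rejects these; skip defensively
		}
		fp := sha256.Sum256(block.Bytes)
		if _, dup := seen[fp]; dup {
			dropped++
			continue
		}
		seen[fp] = struct{}{}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: block.Bytes})...)
	}
	return out, dropped
}

func main() {
	// Constructed demo data (not real DER): the same payload twice, standing in
	// for a.crt and b.crt holding one CA, plus one distinct CA.
	ca := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("same-ca-der")})
	other := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("other-ca-der")})
	combined := append(append(append([]byte{}, ca...), ca...), other...)
	deduped, dropped := DedupPEMBundle(combined)
	fmt.Printf("dropped %d duplicate(s):\n%s", dropped, deduped)
}
```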
Hello, can we close this issue, as it was fixed by #303?
Can we close this issue as PR #303 has been introduced?
Fixed by https://github.com/cert-manager/trust-manager/pull/303
/close
@erikgb: Closing this issue.
The deduplication feature does not work according to a simple test.
Let's say we have two CA files which contain the exact same CA data:
a.crt
b.crt
And then we create them as a ConfigMap.
Lastly, we create a bundle.
I expect the output to contain only one copy of the CA data, but instead it still has duplicate CAs.