cert-manager / trust-manager

trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.
https://cert-manager.io/docs/projects/trust-manager/
Apache License 2.0

Update bundle status with error when encountering problem with sources files #434

Open Shawcs opened 1 week ago

Shawcs commented 1 week ago

Hi !

I noticed that the status does not reflect problems with bad/empty sources.

How to reproduce:

Create a Bundle that targets a ConfigMap with a valid cert entry:

```yaml
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: my-bundle
spec:
  sources:
    - configMap:
        key: ca.crt
        selector:
          matchLabels:
            trust-bundle.my-bundle: include
  target:
    additionalFormats:
      pkcs12:
        key: ca.p12
        password: changeit
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: infra
    secret:
      key: ca.crt
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: my-cert.crt
  namespace: infra-cert-manager
  labels:
    trust-bundle.my-bundle: include
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIDojCCAYqgAwIBAgIQV5ocp05c1d2ULNLEDrdCpTANBgkqhkiG9w0BAQsFADBH
    MQswCQYDVQQGEwJDSDEnMCUGA1UEChMeQmFucXVlIExvbWJhcmQgT2RpZXIgZXQg
    Q2llIFNBMQ8wDQYDVQQDEwZMTyBEUEkwHhcNMjQwMzA3MDAwMDAwWhcNMjUwMzA3
    MjM1OTU5WjAVMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZI
    zj0DAQcDQgAEQrPuGOisrWzPTzsVzujNAMvKeM1GRDs18c2N5R6LemewOMjO0Ep1
    yESxF/xn4Zj7tlsTeMT5zz4Li1DQN/K1zKOBhjCBgzAdBgNVHQ4EFgQUO2g/NDr1
    RzTK76ZOPZq9Xm56zJ8wDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwHQYD
    VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCUGA1UdEQQeMByCCmdpdGh1Yi5j
    b22CDnd3dy5naXRodWIuY29tMA0GCSqGSIb3DQEBCwUAA4ICAQBEaD1pszjmbtjc
    nE0s43FN2oU/S23Wf331M6Ae72F9B3ceqY/X0oPIHsOtpA7gSDOzjs4sNrHq34qn
    q3SRpmiDepmY4Ba2+gXNg5dWeul2e7ht22L/jYR8oT0pGClWkLiveijBT3Veqbxu
    jT3lxYGd1ey20feg4rQIw61GgaZ2dyHjlpj8FrCxSSLnULIM4db+04+2PXbTGl9J
    O+UQzbDI34KoKKWCCvCDFziCTG3rblv3RcGOCUcAXL1WpJIPlhhSYK+Dvv1Op2/C
    bd8LU10GmzZpZ/aR4SZDymggc32xvXEfPSrM36qgDcbg7Vb3mm+uZUgWKHmh1pnA
    1DeiFM9PT9GGN8m5ioMsbYIbNZUUw2jt8Gbz0CWSQlJWAfo0LEbVnIH4TG10m6Ix
    zqDgzL7QYe7XpGqY1LuwNidozLvRUaZkhDud7XlgHYYQwrP4z6/ekawett0LdvSL
    JdSRFvE7pO4K2kXxFr8YzeET0jrZ+JeVX8WYbsfUlo0UdMVnViIFrgbTd8v6Mlev
    kBG18BDEDA8hYS1JsSmpeiy/c/WsIzihgln25RcaaUPZBszu/yQp3WwtNVJojqnF
    16LisgMdnA/1gj801KmoTYUfQFTPVkITGjYVogYGZ1B9FYNwl7ymulCRrVNOzqs/
    G3VnreyXrukwRbMI/MR4ccXl5/n+Hw==
    -----END CERTIFICATE-----
```

The bundle status should change to:

```yaml
  conditions:
    - lastTransitionTime: '2024-09-10T13:24:17Z'
      message: 'Successfully synced Bundle to namespaces that match this label selector: kubernetes.io/metadata.name=infra'
      observedGeneration: 1
      reason: Synced
      status: 'True'
      type: Synced
```

Go to the source cert in the ConfigMap and "destroy" it by adding some characters inside the cert:

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: my-cert.crt
  namespace: infra-cert-manager
  labels:
    trust-bundle.my-bundle: include
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIDojCCAYqgAwIBAgIQV5ocp05c1d2ULNLEDrdCpTANBgkqhkiG9w0BAQsFADBH
    MQswCQYDVQQGEwJDSDEnMCUGA1UEChMeQmFucXVlIExvbWJhcmQgT2RpZXIgZXQg
    Q2llIFNBMQ8wDQYDVQQDEwZMTyBEUEkwHhcNMjQwMzA3MDAwMDAwWhcNMjUwMzA3
    MjM1OTU5WjAVMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZI
    PlhhSYK+Dvv1Op2/C
    bd8LU10GmzZpZ/aR4SZDymggc32xvXEfPSrM36qgDcbg7Vb3mm+uZUgWKHmh1pnA
    1DeiFM9PT9GGN8m5ioMsbYw2jt8Gbz0CWSQlJWAfo0LEbVnIH4TG10m6Ix
    zqDgzL7QYe7XpGqY1LuwNidozLvRUaZkhDud7XlgHYYQwrP4z6/ekawett0LdvSL
    JdSRFvE7pO4K2kXxFr8YzeET0jrZ+JeVX8WYbsfUlo0UdMVnViIFrgbTd8v6Mlev
    kBG18BDEDA8hYS1JsSmpeiy/c/WsIzihgtNVJojqnF
    16LisgMdnA/1gj801KmoTYUfQFNwl7ymulCRrVNOzqs/
    G3VnreyXrukwRbMI/MR4ccXl5/n+Hw==
    -----END CERTIFICATE-----
```

The status is still the same in the bundle (and is not regenerated in the destination namespace), but in the operator we can read:

```text
time=2024-09-10T13:37:16.460Z level=ERROR msg="Reconciler error" controller=bundles namespace="" name=bundle-mycert reconcileID=efb1bda3-b71d-4bed-9613-60a8b5b2b5bb logger=trust/manager err="failed to build bundle source: invalid PEM data in source: bundle contains no PEM certificates"
time=2024-09-10T13:37:16.460Z level=DEBUG+3 msg="Failed to build bundle sources: invalid PEM data in source: bundle contains no PEM certificates" logger=trust/manager/events type=Warning object="{Kind:Bundle Namespace: Name:bundle-mycert UID:debfc06e-e120-43e6-a78b-8efd646eaf7d APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:333113243 FieldPath:}" reason=SourceBuildError
time=2024-09-10T13:37:16.460Z level=DEBUG+3 msg="Failed to build bundle sources: invalid PEM data in source: bundle contains no PEM certificates" logger=trust/manager/events type=Warning object="{Kind:Bundle Namespace: Name:bundle-mycert  UID:debfc06e-e120-43e6-a78b-8efd646eaf7d APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:333113243 FieldPath:}" reason=SourceBuildError
time=2024-09-10T13:42:44.141Z level=ERROR msg="failed to build source bundle" bundle=bundle-mycert  logger=trust/bundle err="invalid PEM data in source: bundle contains no PEM certificates"
```

Suggestion

I suggest that when we have this kind of error, the status in the bundle is updated with a relevant error. This also works for the case where the source is empty.
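
The behaviour the issue asks for, as an added Go example that is not trust-manager's code: a source value is parsed the way the reproduction breaks it (corrupted or empty PEM), and the outcome is mapped onto a Synced condition with the same reason the operator log shows. Condition, ValidateCertSource, SyncedCondition and SelfSignedPEM are names chosen for this example, and the certificate is generated locally as constructed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Condition carries the fields of the Bundle status condition quoted in the issue.
type Condition struct{ Type, Status, Reason, Message string }
// ValidateCertSource parses a source value (e.g. a ConfigMap's ca.crt key); empty or corrupted data is an error.
func ValidateCertSource(data []byte) (int, error) {
	n := 0
	// pem.Decode yields nil for empty input and skips blocks whose base64 is corrupted, as in the reproduction.
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // ignore keys or other PEM types mixed into the source
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return 0, fmt.Errorf("invalid PEM data in source: %w", err)
		}
		n++
	}
	if n == 0 {
		return 0, fmt.Errorf("invalid PEM data in source: bundle contains no PEM certificates")
	}
	return n, nil
}
// SyncedCondition surfaces the outcome on the Bundle status (the issue's suggestion), not only in the operator log.
func SyncedCondition(err error) Condition {
	if err != nil {
		return Condition{"Synced", "False", "SourceBuildError", "Failed to build bundle sources: " + err.Error()}
	}
	return Condition{"Synced", "True", "Synced", "Successfully synced Bundle"}
}
// SelfSignedPEM generates a throwaway CA certificate so the example runs offline (constructed input).
func SelfSignedPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```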

erikgb commented 1 week ago

/kind enhancement

cert-manager-prow[bot] commented 1 week ago

@erikgb: The label(s) kind/enhancement cannot be applied, because the repository doesn't have them.

In response to [this](https://github.com/cert-manager/trust-manager/issues/434#issuecomment-2341257082):

> /kind enhancement

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.