trust-manager

Update bundle status with error when encountering problem with sources files

Open Shawcs opened this issue 1 year ago • 2 comments

Hi!

I noticed that the status does not reflect problems with bad/empty sources.


How to reproduce:

Create a bundle that targets a ConfigMap with a valid cert entry:

apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: my-bundle
spec:
  sources:
    - configMap:
        key: ca.crt
        selector:
          matchLabels:
            trust-bundle.my-bundle: include
  target:
    additionalFormats:
      pkcs12:
        key: ca.p12
        password: changeit
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: infra
    secret:
      key: ca.crt
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: my-cert.crt
  namespace: infra-cert-manager
  labels:
    trust-bundle.my-bundle: include
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIDojCCAYqgAwIBAgIQV5ocp05c1d2ULNLEDrdCpTANBgkqhkiG9w0BAQsFADBH
    MQswCQYDVQQGEwJDSDEnMCUGA1UEChMeQmFucXVlIExvbWJhcmQgT2RpZXIgZXQg
    Q2llIFNBMQ8wDQYDVQQDEwZMTyBEUEkwHhcNMjQwMzA3MDAwMDAwWhcNMjUwMzA3
    MjM1OTU5WjAVMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZI
    zj0DAQcDQgAEQrPuGOisrWzPTzsVzujNAMvKeM1GRDs18c2N5R6LemewOMjO0Ep1
    yESxF/xn4Zj7tlsTeMT5zz4Li1DQN/K1zKOBhjCBgzAdBgNVHQ4EFgQUO2g/NDr1
    RzTK76ZOPZq9Xm56zJ8wDgYDVR0PAQH/BAQDAgeAMAwGA1UdEwEB/wQCMAAwHQYD
    VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCUGA1UdEQQeMByCCmdpdGh1Yi5j
    b22CDnd3dy5naXRodWIuY29tMA0GCSqGSIb3DQEBCwUAA4ICAQBEaD1pszjmbtjc
    nE0s43FN2oU/S23Wf331M6Ae72F9B3ceqY/X0oPIHsOtpA7gSDOzjs4sNrHq34qn
    q3SRpmiDepmY4Ba2+gXNg5dWeul2e7ht22L/jYR8oT0pGClWkLiveijBT3Veqbxu
    jT3lxYGd1ey20feg4rQIw61GgaZ2dyHjlpj8FrCxSSLnULIM4db+04+2PXbTGl9J
    O+UQzbDI34KoKKWCCvCDFziCTG3rblv3RcGOCUcAXL1WpJIPlhhSYK+Dvv1Op2/C
    bd8LU10GmzZpZ/aR4SZDymggc32xvXEfPSrM36qgDcbg7Vb3mm+uZUgWKHmh1pnA
    1DeiFM9PT9GGN8m5ioMsbYIbNZUUw2jt8Gbz0CWSQlJWAfo0LEbVnIH4TG10m6Ix
    zqDgzL7QYe7XpGqY1LuwNidozLvRUaZkhDud7XlgHYYQwrP4z6/ekawett0LdvSL
    JdSRFvE7pO4K2kXxFr8YzeET0jrZ+JeVX8WYbsfUlo0UdMVnViIFrgbTd8v6Mlev
    kBG18BDEDA8hYS1JsSmpeiy/c/WsIzihgln25RcaaUPZBszu/yQp3WwtNVJojqnF
    16LisgMdnA/1gj801KmoTYUfQFTPVkITGjYVogYGZ1B9FYNwl7ymulCRrVNOzqs/
    G3VnreyXrukwRbMI/MR4ccXl5/n+Hw==
    -----END CERTIFICATE-----

The bundle status should change to:

  conditions:
    - lastTransitionTime: '2024-09-10T13:24:17Z'
      message: 'Successfully synced Bundle to namespaces that match this label selector: kubernetes.io/metadata.name=infra'
      observedGeneration: 1
      reason: Synced
      status: 'True'
      type: Synced

Go to the source cert in the ConfigMap and "destroy" it by adding some characters inside the cert:

kind: ConfigMap
apiVersion: v1
metadata:
  name: my-cert.crt
  namespace: infra-cert-manager
  labels:
    trust-bundle.my-bundle: include
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    MIIDojCCAYqgAwIBAgIQV5ocp05c1d2ULNLEDrdCpTANBgkqhkiG9w0BAQsFADBH
    MQswCQYDVQQGEwJDSDEnMCUGA1UEChMeQmFucXVlIExvbWJhcmQgT2RpZXIgZXQg
    Q2llIFNBMQ8wDQYDVQQDEwZMTyBEUEkwHhcNMjQwMzA3MDAwMDAwWhcNMjUwMzA3
    MjM1OTU5WjAVMRMwEQYDVQQDEwpnaXRodWIuY29tMFkwEwYHKoZIzj0CAQYIKoZI
    PlhhSYK+Dvv1Op2/C
    bd8LU10GmzZpZ/aR4SZDymggc32xvXEfPSrM36qgDcbg7Vb3mm+uZUgWKHmh1pnA
    1DeiFM9PT9GGN8m5ioMsbYw2jt8Gbz0CWSQlJWAfo0LEbVnIH4TG10m6Ix
    zqDgzL7QYe7XpGqY1LuwNidozLvRUaZkhDud7XlgHYYQwrP4z6/ekawett0LdvSL
    JdSRFvE7pO4K2kXxFr8YzeET0jrZ+JeVX8WYbsfUlo0UdMVnViIFrgbTd8v6Mlev
    kBG18BDEDA8hYS1JsSmpeiy/c/WsIzihgtNVJojqnF
    16LisgMdnA/1gj801KmoTYUfQFNwl7ymulCRrVNOzqs/
    G3VnreyXrukwRbMI/MR4ccXl5/n+Hw==
    -----END CERTIFICATE-----

The status is still the same in the bundle (and it is not regenerated in the destination namespace), but in the operator we can read:

time=2024-09-10T13:37:16.460Z level=ERROR msg="Reconciler error" controller=bundles namespace="" name=bundle-mycert reconcileID=efb1bda3-b71d-4bed-9613-60a8b5b2b5bb logger=trust/manager err="failed to build bundle source: invalid PEM data in source: bundle contains no PEM certificates"
time=2024-09-10T13:37:16.460Z level=DEBUG+3 msg="Failed to build bundle sources: invalid PEM data in source: bundle contains no PEM certificates" logger=trust/manager/events type=Warning object="{Kind:Bundle Namespace: Name:bundle-mycert UID:debfc06e-e120-43e6-a78b-8efd646eaf7d APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:333113243 FieldPath:}" reason=SourceBuildError
time=2024-09-10T13:37:16.460Z level=DEBUG+3 msg="Failed to build bundle sources: invalid PEM data in source: bundle contains no PEM certificates" logger=trust/manager/events type=Warning object="{Kind:Bundle Namespace: Name:bundle-mycert  UID:debfc06e-e120-43e6-a78b-8efd646eaf7d APIVersion:trust.cert-manager.io/v1alpha1 ResourceVersion:333113243 FieldPath:}" reason=SourceBuildError
time=2024-09-10T13:42:44.141Z level=ERROR msg="failed to build source bundle" bundle=bundle-mycert  logger=trust/bundle err="invalid PEM data in source: bundle contains no PEM certificates"

Suggestion

I suggest that when we have this kind of error, the status in the bundle is updated with a relevant error. This also works for the case where the source is empty.

Sep 10 '24 14:09 Shawcs

/kind enhancement

Sep 10 '24 15:09 erikgb

@erikgb: The label(s) kind/enhancement cannot be applied, because the repository doesn't have them.

Sep 10 '24 15:09 cert-manager-prow[bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. /lifecycle stale

Dec 09 '24 16:12 cert-manager-bot

/remove-lifecycle stale

Dec 09 '24 16:12 erikgb

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. /lifecycle stale

Mar 09 '25 17:03 cert-manager-bot

/remove-lifecycle stale /good-first-issue

Mar 15 '25 15:03 erikgb

@erikgb: This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-good-first-issue command.

Mar 15 '25 15:03 cert-manager-prow[bot]

/assign

May 04 '25 16:05 erikgb