
Wrong error message when a provided mTLS secret is missing

Open nicoche opened this issue 1 year ago • 3 comments

What happened?

Hey!

I've noticed a strange behavior when trying to create a mesh with mTLS.

When providing secrets, if one of them is present but not the other one, the error message is wrong:

$ ./build/artifacts-darwin-amd64/kumactl/kumactl get mesh default
NAME      mTLS   METRICS   LOGGING   TRACING   LOCALITY   ZONEEGRESS   AGE
default   off    off       off       off       off        off          24s
$ ./build/artifacts-darwin-amd64/kumactl/kumactl get secrets
MESH      NAME                                    AGE
default   dataplane-token-signing-key-default-1   35s
$ cat /tmp/ca-key 
type: Secret
name: manually-generated-ca-key
mesh: default
data: 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
$ ./build/artifacts-darwin-amd64/kumactl/kumactl apply -f /tmp/ca-key 
$./build/artifacts-darwin-amd64/kumactl/kumactl get secrets
MESH      NAME                                    AGE
default   dataplane-token-signing-key-default-1   1m
default   manually-generated-ca-key               3s
$ cat /tmp/mesh.yaml 
type: Mesh
name: default
mtls:
  enabledBackend: ca-inline
  backends:
    - name: ca-inline
      type: provided
      conf:
        cert:
          secret: manually-generated-ca-cert
        key:
          secret: manually-generated-ca-key
$ ./build/artifacts-darwin-amd64/kumactl/kumactl apply -f /tmp/mesh.yaml 
Error: Could not update a resource (Resource is not valid)
* mtls.backends[0].conf.cert: could not load data: Resource not found: type="Secret" name="manually-generated-ca-cert" mesh="default"
* mtls.backends[0].conf.key: could not load data: Resource not found: type="Secret" name="manually-generated-ca-cert" mesh="default"

Here, we would expect only one error message, for the cert that is missing. The key should not be mentioned.

For the record, when I add the cert, it works (meaning that the key was there before):

$ ./build/artifacts-darwin-amd64/kumactl/kumactl apply -f /tmp/ca-cert 
$ ./build/artifacts-darwin-amd64/kumactl/kumactl get secrets
MESH      NAME                                    AGE
default   dataplane-token-signing-key-default-1   5m
default   manually-generated-ca-cert              2s
default   manually-generated-ca-key               3m
$ ./build/artifacts-darwin-amd64/kumactl/kumactl apply -f /tmp/mesh.yaml
$ 

nicoche, Sep 04 '23 15:09
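As an added illustration (not Kuma's code), this is what per-field validation of a `provided` backend looks like when each secret reference is resolved on its own, so a missing cert is reported under the cert field only. `ValidateProvidedBackend`, `ProvidedConf` and the `exists` lookup are hypothetical names, and the store contents are constructed to match the report above.

```go
package main

import "fmt"

// SecretRef is a reference to a Secret by name, as in the mesh YAML above.
type SecretRef struct{ Secret string }

// ProvidedConf mirrors mtls.backends[i].conf for a backend of type "provided".
type ProvidedConf struct {
	Cert SecretRef
	Key  SecretRef
}

// ValidationError ties one message to the config field it belongs to.
type ValidationError struct {
	Field, Message string
}

func (e ValidationError) String() string { return e.Field + ": " + e.Message }

// ValidateProvidedBackend (hypothetical) checks the cert and key references of
// one backend independently: each field gets at most one error, and that error
// names the secret that field actually references. exists is the store lookup;
// idx is the backend's position in mtls.backends.
func ValidateProvidedBackend(mesh string, idx int, conf ProvidedConf, exists func(mesh, name string) bool) []ValidationError {
	refs := []struct{ field, name string }{
		{fmt.Sprintf("mtls.backends[%d].conf.cert", idx), conf.Cert.Secret},
		{fmt.Sprintf("mtls.backends[%d].conf.key", idx), conf.Key.Secret},
	}
	var errs []ValidationError
	for _, r := range refs {
		if r.name == "" {
			errs = append(errs, ValidationError{r.field, "secret name must not be empty"})
			continue
		}
		if !exists(mesh, r.name) {
			msg := fmt.Sprintf("could not load data: Resource not found: type=%q name=%q mesh=%q", "Secret", r.name, mesh)
			errs = append(errs, ValidationError{r.field, msg})
		}
	}
	return errs
}

func main() {
	// Constructed store mirroring the report: the key exists, the cert does not.
	store := map[string]bool{"default/manually-generated-ca-key": true}
	exists := func(mesh, name string) bool { return store[mesh+"/"+name] }
	conf := ProvidedConf{Cert: SecretRef{"manually-generated-ca-cert"}, Key: SecretRef{"manually-generated-ca-key"}}
	for _, e := range ValidateProvidedBackend("default", 0, conf, exists) {
		fmt.Println("*", e) // only the cert line is printed
	}
}
```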