From e5d8a84f0e2f35b51a3bb520ed096033139046f6 Mon Sep 17 00:00:00 2001 From: Humair Khan Date: Thu, 21 Mar 2024 15:48:42 -0400 Subject: [PATCH 1/2] chore: add system certs when not present Signed-off-by: Humair Khan --- controllers/config/defaults.go | 6 +++++ controllers/dspipeline_params.go | 34 +++++++++++++++++++++++--- controllers/util/util.go | 42 ++++++++++++++++++-------------- 3 files changed, 60 insertions(+), 22 deletions(-) diff --git a/controllers/config/defaults.go b/controllers/config/defaults.go index da74d646..51618d7d 100644 --- a/controllers/config/defaults.go +++ b/controllers/config/defaults.go @@ -33,10 +33,16 @@ const ( // GlobalODHCaBundleConfigMapName key and label values are a contract with // ODH Platform https://github.com/opendatahub-io/architecture-decision-records/pull/28 GlobalODHCaBundleConfigMapName = "odh-trusted-ca-bundle" + // GlobalODHCaBundleConfigMapSystemBundleKey is the key that is added by network operator + // https://docs.openshift.com/container-platform/4.15/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki + GlobalODHCaBundleConfigMapSystemBundleKey = "ca-bundle.crt" CustomDSPTrustedCAConfigMapNamePrefix = "dsp-trusted-ca" CustomDSPTrustedCAConfigMapKey = "dsp-ca.crt" + DefaultSystemSSLCertFile = "SSL_CERT_FILE" + DefaultSystemSSLCertFilePath = "/etc/pki/tls/certs/ca-bundle.crt" // Fedora/RHEL 6 + MLPipelineUIConfigMapPrefix = "ds-pipeline-ui-configmap-" ArtifactScriptConfigMapNamePrefix = "ds-pipeline-artifact-script-" ArtifactScriptConfigMapKey = "artifact_script" diff --git a/controllers/dspipeline_params.go b/controllers/dspipeline_params.go index 589a1577..192132a3 100644 --- a/controllers/dspipeline_params.go +++ b/controllers/dspipeline_params.go @@ -593,10 +593,16 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip } } + // Track whether the "ca-bundle.crt" configmap key from odh-trusted-ca bundle + // was found, this will be used to decide whether we need to account for this + // ourselves later or not. + odhTrustedCABundleAdded := false + // Check for cert bundle provided by the platform instead of by the DSPA user // If it exists, include this cert for tls verifications globalCABundleCFGMapName := config.GlobalODHCaBundleConfigMapName - err, globalCerts := util.GetConfigMapValues(ctx, globalCABundleCFGMapName, p.Namespace, client) + + odhTrustedCABundleConfigMap, err := util.GetConfigMap(ctx, globalCABundleCFGMapName, p.Namespace, client) if err != nil { // If the global cert configmap is not available, that is OK if !apierrs.IsNotFound(err) { @@ -604,7 +610,8 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip return err } } else { - // Found a cert provided by odh-operator. Consume it + // Found a cert provided by odh-operator. Consume it. + globalCerts := util.GetConfigMapValues(odhTrustedCABundleConfigMap) log.Info(fmt.Sprintf("Found global CA Bundle %s present in this namespace %s, this bundle will be included in external tls connections.", config.GlobalODHCaBundleConfigMapName, p.Namespace)) // "odh-trusted-ca-bundle" can have fields: "odh-ca-bundle.crt" and "ca-bundle.crt", we need to utilize both for _, val := range globalCerts { @@ -613,19 +620,26 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip p.APICustomPemCerts = append(p.APICustomPemCerts, []byte(val)) } } + // If odh-trusted-ca-bundle is created via network operator then this is always going to be present + // however if a user creates this, they may accidentally leave this out, so we need to account for this + _, ok := odhTrustedCABundleConfigMap.Data[config.GlobalODHCaBundleConfigMapSystemBundleKey] + if ok { + odhTrustedCABundleAdded = true + } } // If user provided a CA bundle, include this in tls verification if p.APIServer.CABundle != nil { dspaCaBundleCfgKey, dspaCaBundleCfgName := p.APIServer.CABundle.ConfigMapKey, p.APIServer.CABundle.ConfigMapName - dspaCACfgErr, dspaProvidedCABundle := util.GetConfigMapValue(ctx, dspaCaBundleCfgKey, dspaCaBundleCfgName, p.Namespace, client, log) + dspaCAConfigMap, dspaCACfgErr := util.GetConfigMap(ctx, dspaCaBundleCfgName, p.Namespace, client) if dspaCACfgErr != nil && apierrs.IsNotFound(dspaCACfgErr) { - log.Info(fmt.Sprintf("ConfigMap [%s] was not found in namespace [%s]", dspaCaBundleCfgKey, p.Namespace)) + log.Info(fmt.Sprintf("ConfigMap [%s] was not found in namespace [%s]", dspaCAConfigMap.Name, p.Namespace)) return dspaCACfgErr } else if dspaCACfgErr != nil { log.Info(fmt.Sprintf("Encountered error when attempting to fetch ConfigMap: [%s], Error: %v", dspaCaBundleCfgName, dspaCACfgErr)) return dspaCACfgErr } + dspaProvidedCABundle := util.GetConfigMapValue(dspaCaBundleCfgKey, dspaCAConfigMap) // If the ca-bundle field is empty, ignore it if dspaProvidedCABundle != "" { p.APICustomPemCerts = append(p.APICustomPemCerts, []byte(dspaProvidedCABundle)) @@ -643,6 +657,18 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip // 2) populate CustomCABundle SOT var for pipeline pods and artifact script to utilize during templating // 3) set ssl_cert_dir for api server if len(p.APICustomPemCerts) > 0 { + + // We need to ensure system certs are always part of this new configmap + // We can either source this from odh-trusted-ca-bundle cfgmap if provided, + // or fetch one from "config-trusted-cabundle" configmap, which is always present in an ocp ns + if !odhTrustedCABundleAdded { + certs, sysCertsErr := util.GetSystemCerts() + if sysCertsErr != nil { + return sysCertsErr + } + p.APICustomPemCerts = append(p.APICustomPemCerts, certs) + } + p.CustomCABundle = &dspa.CABundle{ ConfigMapKey: config.CustomDSPTrustedCAConfigMapKey, ConfigMapName: fmt.Sprintf("%s-%s", config.CustomDSPTrustedCAConfigMapNamePrefix, p.Name), diff --git a/controllers/util/util.go b/controllers/util/util.go index 5d9555d7..5bb26945 100644 --- a/controllers/util/util.go +++ b/controllers/util/util.go @@ -17,13 +17,12 @@ limitations under the License. package util import ( + "github.com/opendatahub-io/data-science-pipelines-operator/controllers/config" "os" "path/filepath" "context" "crypto/x509" - "fmt" - "github.com/go-logr/logr" appsv1 "k8s.io/api/apps/v1" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -81,8 +80,7 @@ func IsX509UnknownAuthorityError(err error) bool { return ok } -// GetConfigMapValue fetches the value for the provided configmap mapped to a given key -func GetConfigMapValue(ctx context.Context, cfgKey, cfgName, ns string, client client.Client, log logr.Logger) (error, string) { +func GetConfigMap(ctx context.Context, cfgName, ns string, client client.Client) (*v1.ConfigMap, error) { cfgMap := &v1.ConfigMap{} namespacedName := types.NamespacedName{ Name: cfgName, @@ -90,29 +88,37 @@ func GetConfigMapValue(ctx context.Context, cfgKey, cfgName, ns string, client c } err := client.Get(ctx, namespacedName, cfgMap) if err != nil { - return err, "" + return &v1.ConfigMap{}, err } + return cfgMap, nil +} + +// GetConfigMapValue fetches the value for the provided configmap mapped to a given key +func GetConfigMapValue(cfgKey string, cfgMap *v1.ConfigMap) string { if val, ok := cfgMap.Data[cfgKey]; ok { - return nil, val + return val } else { - return fmt.Errorf("ConfigMap %s does not contain expected key %s", cfgName, cfgKey), "" + return "" } } // GetConfigMapValues fetches the value for the provided configmap mapped to a given key -func GetConfigMapValues(ctx context.Context, cfgName, ns string, client client.Client) (error, []string) { - cfgMap := &v1.ConfigMap{} - namespacedName := types.NamespacedName{ - Name: cfgName, - Namespace: ns, - } - err := client.Get(ctx, namespacedName, cfgMap) - if err != nil { - return err, []string{} - } +func GetConfigMapValues(cfgMap *v1.ConfigMap) []string { var values []string for _, val := range cfgMap.Data { values = append(values, val) } - return nil, values + return values +} + +func GetSystemCerts() ([]byte, error) { + sslCertFile := os.Getenv(config.DefaultSystemSSLCertFile) + if sslCertFile == "" { + sslCertFile = config.DefaultSystemSSLCertFilePath + } + data, err := os.ReadFile(sslCertFile) + if err != nil { + return []byte{}, err + } + return data, err } From 7cab9235722fda5c2058f11c02a295d25684ff80 Mon Sep 17 00:00:00 2001 From: Humair Khan Date: Thu, 21 Mar 2024 16:33:21 -0400 Subject: [PATCH 2/2] chore: update func tests for sys certs Signed-off-by: Humair Khan --- .github/workflows/functests.yml | 2 + .pre-commit-config.yaml | 3 +- .../case_8/deploy/00_configmap.yaml | 54 ++++++------ .../created/configmap_dspa_trusted_ca.yaml | 86 ++++++++++++------- controllers/testdata/tls/ca-bundle.crt | 30 +++++++ 5 files changed, 117 insertions(+), 58 deletions(-) create mode 100644 controllers/testdata/tls/ca-bundle.crt diff --git a/.github/workflows/functests.yml b/.github/workflows/functests.yml index 7e9ca38f..92ee6f8e 100644 --- a/.github/workflows/functests.yml +++ b/.github/workflows/functests.yml @@ -11,4 +11,6 @@ jobs: with: go-version: '1.19.x' - name: Run Functional Tests + env: + SSL_CERT_FILE: ${{ github.workspace }}/controllers/testdata/tls/ca-bundle.crt run: make functest diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ba68a441..8bde3ce7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -6,6 +6,7 @@ repos: exclude: README.md - id: check-merge-conflict - id: end-of-file-fixer + exclude: controllers/testdata/tls/ca-bundle.crt - id: check-added-large-files - id: check-case-conflict - id: check-json @@ -18,7 +19,7 @@ repos: - id: yamllint files: \.(yaml|yml)$ types: [file, yaml] - entry: yamllint --strict + entry: yamllint --strict -c .yamllint.yaml - repo: https://github.com/dnephin/pre-commit-golang rev: c17f835cf9 diff --git a/controllers/testdata/declarative/case_8/deploy/00_configmap.yaml b/controllers/testdata/declarative/case_8/deploy/00_configmap.yaml index 67a9f071..1dc6a89f 100644 --- a/controllers/testdata/declarative/case_8/deploy/00_configmap.yaml +++ b/controllers/testdata/declarative/case_8/deploy/00_configmap.yaml @@ -5,34 +5,32 @@ metadata: data: testcabundleconfigmapkey8.crt: | -----BEGIN CERTIFICATE----- - MIIFlTCCA32gAwIBAgIUQTPwwkR17jDrdIe4VqhzNQ6OY0swDQYJKoZIhvcNAQEL + MIIFLTCCAxWgAwIBAgIUIvY4jV0212P/ddjuCZhcUyJfoocwDQYJKoZIhvcNAQEL BQAwJjELMAkGA1UEBhMCWFgxFzAVBgNVBAMMDnJoLWRzcC1kZXZzLmlvMB4XDTI0 MDMwNTAxMTExN1oXDTM0MDMwMzAxMTExN1owJjELMAkGA1UEBhMCWFgxFzAVBgNV - BAMMDioudGNwLm5ncm9rLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC - AgEApZbmrvisGgN2XmPbWSD8A89g2CwUgqUIfd1yU6TyZMmvnP+c+xG6SzqDZkxI - oiQ0fierPuMyrp0Yv+mRBvYtZ+Rv4zZ8OASD5UGDblKa6U8EJvXEKa5K9rZsqYpW - MOaZv8M5/KAr8AkH4zmXvgGtsfNT6xvBxIhUexJmSRB5lRLtZZr7ea/XQiuzJYPr - 2CqHitm6MUWLG74vKetRi9ZDaDxgcW78nhBwM2Ujh0qrSeb4QhEcHP3Lhom0WObd - te+ipK5fqqMSQl1mj5W6tKORIm256TbG+uHY8e3lsT2fnCVL/zgFGROr0NqNbies - 90dH7i6Wr1yn74umJ1HNF5nXem1jaqYVhQWWBlTurSqkHtRpIE2OWygpM4IoSTu8 - gbIaKJdexx9GN9ch/zQBeevsYT1Wb/wQVZUp4TgJJIq1fCAkz3yQNsojUwZqsAPT - worehTHFT20onAutnkGv0lgGQH9ur1Gm4VipWbBQTRCEhEKIFVDDkQtbPZwQBjl/ - voj7O659pIuPsGW5HYWawTbdU4ymEP4672KLpIaDxJHnA9sJsz2ns2KgsUesjGdQ - SnlMoanph1kW+qFM4tMnHFTad3yz6TLL0Mp1ej8gUd1FnYHrVewVeFl83gRFKhqP - XZX/hl7SAYn1Bnc6OsFegtQukcJc+AqZBja+8k+xc8yWC38CAwEAAaOBujCBtzAf - BgNVHSMEGDAWgBQ4+5eH7tKVwoWbF1OQoLJq+U2KuzAJBgNVHRMEAjAAMGoGA1Ud - EQRjMGGCDHRjcC5uZ3Jvay5pb4IOKi50Y3Aubmdyb2suaW+CE21hcmlhZGIubWFy - aWFkYi5zdmOCIW1hcmlhZGIubWFyaWFkYi5zdmMuY2x1c3Rlci5sb2NhbIIJbG9j - YWxob3N0MB0GA1UdDgQWBBTJmuX3UrWQn6AKXAvkUw/h7g6PsjANBgkqhkiG9w0B - AQsFAAOCAgEAKk/pfGTH3xgQg5a+obLx9xkfYz0jwfr5+TiD+FTrNlIPZpvCiYYk - RWNjMyYqKpuEfHry6P9spgk28+wQx7CRSi+cGiiNSvPswI3Ww8KHJQoJzl2vPQYe - 1OESU6es8ZACIXdPcILj8zXHNFvfUD0rt7r34zqGw5PNWKQJ8gurqP9ZcBHNq9xz - nPG1QTdA5gOzAXQeOa8rGpK0lODo/WkRlV7KXU5ss737HcljGz8KSVUhfgy8io5z - xaKnCy8trt8CdGNb/ysK+a7oKZSqAYcKASwYxCrS1zgS06uLC78WjnYbxta/gnlC - a0XIfQt2dM/7L+ZvIwg0PbbPzBJU5zwiXSL9AMzp1/1hjlG4v06UKjv4V1t0McFC - xEaLG3AyDx9HHxbAIn/lkQ12Tg38rn5R0OKVKZSAzT6THCULbHC0Q+EQW4c8/No2 - gtZgaZfA9bUTtQRyxSxQJlWbm4c6KfQa5g+oGQ9BjPCFjPmEvN9SCWcvR/aZE/Uy - IRtueAdEz+FiXmVeaJd7BImvF6P6OVDP4zhfXh9NIq9vovVNlGReDGOsqPF0iW/7 - bLJ7EOwHNhqMkYbBvXnZmfmXpJ24S93M6OmjdkJIUN8iWtjX0yg8FqEGoCfFv4ub - a6IRpmyHdJoUJ4icStKB2m3sdRy7Aj5meAYQCVefvZYIQq4rRz/0chs= + BAMMDnJoLWRzcC1kZXZzLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC + AgEAnCxNdQ0EUhswfu8/K6icQKc//2xpTvcp9Bn9QZ9UUy3f2UXv5hvd4W2PM/uX + FaZGoEzQsYagbjyuHDBxek8YOZvdRx9h7O+LLfN+DXeLbaY6tZ2AxNWwcaAmG0EH + nSDVORrk8/aZfFRoxgQigWyuK28YZn2SopjNyvOc8GkNjCFO4y7g4QuzWdGMgMIA + +whtt3EuYIwaRourKNFp4oR4InOVdPfuGezxbKRPcFfey1JEdTxGoWnHC+HDDMCf + R2vV8hAQB4fdvbOoz3+S7j7d8YiaFBK/P2us6Il5tsUw4kzhD2/OLzyERB7SloZk + NiIcSsU0USRGLb4/ybQsxu9UPIXUlKTK70HxIEIdPSPPMM84khIOuax0QXKORFHT + Ti9jgEfXjuX/2RPijQoCMDrqRQvDxExnTVMncqud6PeDxOWfvSG4oyZBr4HgNAap + wX7FWEY6SOH0e3GrH9ceI3afDO4A4YR+EE426GgHgYe8g4NTfD1D79+txmSY6VvV + MBwEvPo1LJVmvz23HBC60+e6Ld3WjwE+viOktt20R5Td3NPj7qcBlMDs105yiz+l + Ex1h/WDrAssETrelppg3Xgkkz+iY5RwiUB2BTzeiiDbN+AE6X+S5c61Izc2qAeH2 + gVrvMDlAK6t6bQ696TzItdAs5SnXauxPjfwmK+F65SYy7z8CAwEAAaNTMFEwHQYD + VR0OBBYEFDj7l4fu0pXChZsXU5Cgsmr5TYq7MB8GA1UdIwQYMBaAFDj7l4fu0pXC + hZsXU5Cgsmr5TYq7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB + AGr5DblOsH7JE9JM3M4p4eiXD40B/VIACEDMYJvyr6QjmcT8+XnHkiu7OV3OJV/G + S4NKhleBhfpaaP2ZPGO/vUTmqXwcK78jl0WEjPrMVjs1eDoSnUNi+KwFTBypIusD + gSEnICXa26v1CHCQG0QB+rUrIxJqjtq+bnlw/Ns1wxTYfZBFW1ykCJuMsekPo0pN + yTH1eWr0eSVWgljqHKaUjKbRRTSTWvk2Sewaq004W+6QOSb3nb1+GHVMov/Q6vsz + j6/3B7+7wybR80UTBI/1DfTlefQaOOgEPBjQZ92NXSxMKe2J7FPD+7NHvwTNzzVD + jg3cmW8pbtLEyxa+C+6EN8xnmklVfyzuzVsRJvrZvzYcOgLK2ji35oq9FYGXm0yH + HRpQPBFkcgNedD3qrJNYKkIBiAh2SSKKA+J8eP3uD9NUOScgl2aKVz/phU5rSDwt + NlhRuX8sS7q4gpL9qk4jWrMb8tNeN5nYRvmJj+Slf9sQSTfvukKo+2X8GpAecQNC + z6OeQyN+3C2zm4cLCHHWC0ZR/iHQyHIVKlFXznWe6qA64o4x1A0GurjVMAw0Pe0v + WBV3KJBsYK/wijtLeip1oKobU76oE0ML/bnhV10k6usvl4n8cDmcONo5FnGoT8Pk + 80htx6w5fanMFu4MnoBeyJhhzNfg7ywJcc2VZSM27s2B -----END CERTIFICATE----- diff --git a/controllers/testdata/declarative/case_8/expected/created/configmap_dspa_trusted_ca.yaml b/controllers/testdata/declarative/case_8/expected/created/configmap_dspa_trusted_ca.yaml index c389c74a..1abb9890 100644 --- a/controllers/testdata/declarative/case_8/expected/created/configmap_dspa_trusted_ca.yaml +++ b/controllers/testdata/declarative/case_8/expected/created/configmap_dspa_trusted_ca.yaml @@ -3,36 +3,64 @@ apiVersion: v1 metadata: name: dsp-trusted-ca-testdsp8 data: - dsp-ca.crt: | + dsp-ca.crt: |- -----BEGIN CERTIFICATE----- - MIIFlTCCA32gAwIBAgIUQTPwwkR17jDrdIe4VqhzNQ6OY0swDQYJKoZIhvcNAQEL + MIIFLTCCAxWgAwIBAgIUIvY4jV0212P/ddjuCZhcUyJfoocwDQYJKoZIhvcNAQEL BQAwJjELMAkGA1UEBhMCWFgxFzAVBgNVBAMMDnJoLWRzcC1kZXZzLmlvMB4XDTI0 MDMwNTAxMTExN1oXDTM0MDMwMzAxMTExN1owJjELMAkGA1UEBhMCWFgxFzAVBgNV - BAMMDioudGNwLm5ncm9rLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC - AgEApZbmrvisGgN2XmPbWSD8A89g2CwUgqUIfd1yU6TyZMmvnP+c+xG6SzqDZkxI - oiQ0fierPuMyrp0Yv+mRBvYtZ+Rv4zZ8OASD5UGDblKa6U8EJvXEKa5K9rZsqYpW - MOaZv8M5/KAr8AkH4zmXvgGtsfNT6xvBxIhUexJmSRB5lRLtZZr7ea/XQiuzJYPr - 2CqHitm6MUWLG74vKetRi9ZDaDxgcW78nhBwM2Ujh0qrSeb4QhEcHP3Lhom0WObd - te+ipK5fqqMSQl1mj5W6tKORIm256TbG+uHY8e3lsT2fnCVL/zgFGROr0NqNbies - 90dH7i6Wr1yn74umJ1HNF5nXem1jaqYVhQWWBlTurSqkHtRpIE2OWygpM4IoSTu8 - gbIaKJdexx9GN9ch/zQBeevsYT1Wb/wQVZUp4TgJJIq1fCAkz3yQNsojUwZqsAPT - worehTHFT20onAutnkGv0lgGQH9ur1Gm4VipWbBQTRCEhEKIFVDDkQtbPZwQBjl/ - voj7O659pIuPsGW5HYWawTbdU4ymEP4672KLpIaDxJHnA9sJsz2ns2KgsUesjGdQ - SnlMoanph1kW+qFM4tMnHFTad3yz6TLL0Mp1ej8gUd1FnYHrVewVeFl83gRFKhqP - XZX/hl7SAYn1Bnc6OsFegtQukcJc+AqZBja+8k+xc8yWC38CAwEAAaOBujCBtzAf - BgNVHSMEGDAWgBQ4+5eH7tKVwoWbF1OQoLJq+U2KuzAJBgNVHRMEAjAAMGoGA1Ud - EQRjMGGCDHRjcC5uZ3Jvay5pb4IOKi50Y3Aubmdyb2suaW+CE21hcmlhZGIubWFy - aWFkYi5zdmOCIW1hcmlhZGIubWFyaWFkYi5zdmMuY2x1c3Rlci5sb2NhbIIJbG9j - YWxob3N0MB0GA1UdDgQWBBTJmuX3UrWQn6AKXAvkUw/h7g6PsjANBgkqhkiG9w0B - AQsFAAOCAgEAKk/pfGTH3xgQg5a+obLx9xkfYz0jwfr5+TiD+FTrNlIPZpvCiYYk - RWNjMyYqKpuEfHry6P9spgk28+wQx7CRSi+cGiiNSvPswI3Ww8KHJQoJzl2vPQYe - 1OESU6es8ZACIXdPcILj8zXHNFvfUD0rt7r34zqGw5PNWKQJ8gurqP9ZcBHNq9xz - nPG1QTdA5gOzAXQeOa8rGpK0lODo/WkRlV7KXU5ss737HcljGz8KSVUhfgy8io5z - xaKnCy8trt8CdGNb/ysK+a7oKZSqAYcKASwYxCrS1zgS06uLC78WjnYbxta/gnlC - a0XIfQt2dM/7L+ZvIwg0PbbPzBJU5zwiXSL9AMzp1/1hjlG4v06UKjv4V1t0McFC - xEaLG3AyDx9HHxbAIn/lkQ12Tg38rn5R0OKVKZSAzT6THCULbHC0Q+EQW4c8/No2 - gtZgaZfA9bUTtQRyxSxQJlWbm4c6KfQa5g+oGQ9BjPCFjPmEvN9SCWcvR/aZE/Uy - IRtueAdEz+FiXmVeaJd7BImvF6P6OVDP4zhfXh9NIq9vovVNlGReDGOsqPF0iW/7 - bLJ7EOwHNhqMkYbBvXnZmfmXpJ24S93M6OmjdkJIUN8iWtjX0yg8FqEGoCfFv4ub - a6IRpmyHdJoUJ4icStKB2m3sdRy7Aj5meAYQCVefvZYIQq4rRz/0chs= + BAMMDnJoLWRzcC1kZXZzLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC + AgEAnCxNdQ0EUhswfu8/K6icQKc//2xpTvcp9Bn9QZ9UUy3f2UXv5hvd4W2PM/uX + FaZGoEzQsYagbjyuHDBxek8YOZvdRx9h7O+LLfN+DXeLbaY6tZ2AxNWwcaAmG0EH + nSDVORrk8/aZfFRoxgQigWyuK28YZn2SopjNyvOc8GkNjCFO4y7g4QuzWdGMgMIA + +whtt3EuYIwaRourKNFp4oR4InOVdPfuGezxbKRPcFfey1JEdTxGoWnHC+HDDMCf + R2vV8hAQB4fdvbOoz3+S7j7d8YiaFBK/P2us6Il5tsUw4kzhD2/OLzyERB7SloZk + NiIcSsU0USRGLb4/ybQsxu9UPIXUlKTK70HxIEIdPSPPMM84khIOuax0QXKORFHT + Ti9jgEfXjuX/2RPijQoCMDrqRQvDxExnTVMncqud6PeDxOWfvSG4oyZBr4HgNAap + wX7FWEY6SOH0e3GrH9ceI3afDO4A4YR+EE426GgHgYe8g4NTfD1D79+txmSY6VvV + MBwEvPo1LJVmvz23HBC60+e6Ld3WjwE+viOktt20R5Td3NPj7qcBlMDs105yiz+l + Ex1h/WDrAssETrelppg3Xgkkz+iY5RwiUB2BTzeiiDbN+AE6X+S5c61Izc2qAeH2 + gVrvMDlAK6t6bQ696TzItdAs5SnXauxPjfwmK+F65SYy7z8CAwEAAaNTMFEwHQYD + VR0OBBYEFDj7l4fu0pXChZsXU5Cgsmr5TYq7MB8GA1UdIwQYMBaAFDj7l4fu0pXC + hZsXU5Cgsmr5TYq7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB + AGr5DblOsH7JE9JM3M4p4eiXD40B/VIACEDMYJvyr6QjmcT8+XnHkiu7OV3OJV/G + S4NKhleBhfpaaP2ZPGO/vUTmqXwcK78jl0WEjPrMVjs1eDoSnUNi+KwFTBypIusD + gSEnICXa26v1CHCQG0QB+rUrIxJqjtq+bnlw/Ns1wxTYfZBFW1ykCJuMsekPo0pN + yTH1eWr0eSVWgljqHKaUjKbRRTSTWvk2Sewaq004W+6QOSb3nb1+GHVMov/Q6vsz + j6/3B7+7wybR80UTBI/1DfTlefQaOOgEPBjQZ92NXSxMKe2J7FPD+7NHvwTNzzVD + jg3cmW8pbtLEyxa+C+6EN8xnmklVfyzuzVsRJvrZvzYcOgLK2ji35oq9FYGXm0yH + HRpQPBFkcgNedD3qrJNYKkIBiAh2SSKKA+J8eP3uD9NUOScgl2aKVz/phU5rSDwt + NlhRuX8sS7q4gpL9qk4jWrMb8tNeN5nYRvmJj+Slf9sQSTfvukKo+2X8GpAecQNC + z6OeQyN+3C2zm4cLCHHWC0ZR/iHQyHIVKlFXznWe6qA64o4x1A0GurjVMAw0Pe0v + WBV3KJBsYK/wijtLeip1oKobU76oE0ML/bnhV10k6usvl4n8cDmcONo5FnGoT8Pk + 80htx6w5fanMFu4MnoBeyJhhzNfg7ywJcc2VZSM27s2B + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + MIIFLTCCAxWgAwIBAgIUIvY4jV0212P/ddjuCZhcUyJfoocwDQYJKoZIhvcNAQEL + BQAwJjELMAkGA1UEBhMCWFgxFzAVBgNVBAMMDnJoLWRzcC1kZXZzLmlvMB4XDTI0 + MDMwNTAxMTExN1oXDTM0MDMwMzAxMTExN1owJjELMAkGA1UEBhMCWFgxFzAVBgNV + BAMMDnJoLWRzcC1kZXZzLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC + AgEAnCxNdQ0EUhswfu8/K6icQKc//2xpTvcp9Bn9QZ9UUy3f2UXv5hvd4W2PM/uX + FaZGoEzQsYagbjyuHDBxek8YOZvdRx9h7O+LLfN+DXeLbaY6tZ2AxNWwcaAmG0EH + nSDVORrk8/aZfFRoxgQigWyuK28YZn2SopjNyvOc8GkNjCFO4y7g4QuzWdGMgMIA + +whtt3EuYIwaRourKNFp4oR4InOVdPfuGezxbKRPcFfey1JEdTxGoWnHC+HDDMCf + R2vV8hAQB4fdvbOoz3+S7j7d8YiaFBK/P2us6Il5tsUw4kzhD2/OLzyERB7SloZk + NiIcSsU0USRGLb4/ybQsxu9UPIXUlKTK70HxIEIdPSPPMM84khIOuax0QXKORFHT + Ti9jgEfXjuX/2RPijQoCMDrqRQvDxExnTVMncqud6PeDxOWfvSG4oyZBr4HgNAap + wX7FWEY6SOH0e3GrH9ceI3afDO4A4YR+EE426GgHgYe8g4NTfD1D79+txmSY6VvV + MBwEvPo1LJVmvz23HBC60+e6Ld3WjwE+viOktt20R5Td3NPj7qcBlMDs105yiz+l + Ex1h/WDrAssETrelppg3Xgkkz+iY5RwiUB2BTzeiiDbN+AE6X+S5c61Izc2qAeH2 + gVrvMDlAK6t6bQ696TzItdAs5SnXauxPjfwmK+F65SYy7z8CAwEAAaNTMFEwHQYD + VR0OBBYEFDj7l4fu0pXChZsXU5Cgsmr5TYq7MB8GA1UdIwQYMBaAFDj7l4fu0pXC + hZsXU5Cgsmr5TYq7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB + AGr5DblOsH7JE9JM3M4p4eiXD40B/VIACEDMYJvyr6QjmcT8+XnHkiu7OV3OJV/G + S4NKhleBhfpaaP2ZPGO/vUTmqXwcK78jl0WEjPrMVjs1eDoSnUNi+KwFTBypIusD + gSEnICXa26v1CHCQG0QB+rUrIxJqjtq+bnlw/Ns1wxTYfZBFW1ykCJuMsekPo0pN + yTH1eWr0eSVWgljqHKaUjKbRRTSTWvk2Sewaq004W+6QOSb3nb1+GHVMov/Q6vsz + j6/3B7+7wybR80UTBI/1DfTlefQaOOgEPBjQZ92NXSxMKe2J7FPD+7NHvwTNzzVD + jg3cmW8pbtLEyxa+C+6EN8xnmklVfyzuzVsRJvrZvzYcOgLK2ji35oq9FYGXm0yH + HRpQPBFkcgNedD3qrJNYKkIBiAh2SSKKA+J8eP3uD9NUOScgl2aKVz/phU5rSDwt + NlhRuX8sS7q4gpL9qk4jWrMb8tNeN5nYRvmJj+Slf9sQSTfvukKo+2X8GpAecQNC + z6OeQyN+3C2zm4cLCHHWC0ZR/iHQyHIVKlFXznWe6qA64o4x1A0GurjVMAw0Pe0v + WBV3KJBsYK/wijtLeip1oKobU76oE0ML/bnhV10k6usvl4n8cDmcONo5FnGoT8Pk + 80htx6w5fanMFu4MnoBeyJhhzNfg7ywJcc2VZSM27s2B -----END CERTIFICATE----- diff --git a/controllers/testdata/tls/ca-bundle.crt b/controllers/testdata/tls/ca-bundle.crt new file mode 100644 index 00000000..3a6f9077 --- /dev/null +++ b/controllers/testdata/tls/ca-bundle.crt @@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFLTCCAxWgAwIBAgIUIvY4jV0212P/ddjuCZhcUyJfoocwDQYJKoZIhvcNAQEL +BQAwJjELMAkGA1UEBhMCWFgxFzAVBgNVBAMMDnJoLWRzcC1kZXZzLmlvMB4XDTI0 +MDMwNTAxMTExN1oXDTM0MDMwMzAxMTExN1owJjELMAkGA1UEBhMCWFgxFzAVBgNV +BAMMDnJoLWRzcC1kZXZzLmlvMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC +AgEAnCxNdQ0EUhswfu8/K6icQKc//2xpTvcp9Bn9QZ9UUy3f2UXv5hvd4W2PM/uX +FaZGoEzQsYagbjyuHDBxek8YOZvdRx9h7O+LLfN+DXeLbaY6tZ2AxNWwcaAmG0EH +nSDVORrk8/aZfFRoxgQigWyuK28YZn2SopjNyvOc8GkNjCFO4y7g4QuzWdGMgMIA ++whtt3EuYIwaRourKNFp4oR4InOVdPfuGezxbKRPcFfey1JEdTxGoWnHC+HDDMCf +R2vV8hAQB4fdvbOoz3+S7j7d8YiaFBK/P2us6Il5tsUw4kzhD2/OLzyERB7SloZk +NiIcSsU0USRGLb4/ybQsxu9UPIXUlKTK70HxIEIdPSPPMM84khIOuax0QXKORFHT +Ti9jgEfXjuX/2RPijQoCMDrqRQvDxExnTVMncqud6PeDxOWfvSG4oyZBr4HgNAap +wX7FWEY6SOH0e3GrH9ceI3afDO4A4YR+EE426GgHgYe8g4NTfD1D79+txmSY6VvV +MBwEvPo1LJVmvz23HBC60+e6Ld3WjwE+viOktt20R5Td3NPj7qcBlMDs105yiz+l +Ex1h/WDrAssETrelppg3Xgkkz+iY5RwiUB2BTzeiiDbN+AE6X+S5c61Izc2qAeH2 +gVrvMDlAK6t6bQ696TzItdAs5SnXauxPjfwmK+F65SYy7z8CAwEAAaNTMFEwHQYD +VR0OBBYEFDj7l4fu0pXChZsXU5Cgsmr5TYq7MB8GA1UdIwQYMBaAFDj7l4fu0pXC +hZsXU5Cgsmr5TYq7MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIB +AGr5DblOsH7JE9JM3M4p4eiXD40B/VIACEDMYJvyr6QjmcT8+XnHkiu7OV3OJV/G +S4NKhleBhfpaaP2ZPGO/vUTmqXwcK78jl0WEjPrMVjs1eDoSnUNi+KwFTBypIusD +gSEnICXa26v1CHCQG0QB+rUrIxJqjtq+bnlw/Ns1wxTYfZBFW1ykCJuMsekPo0pN +yTH1eWr0eSVWgljqHKaUjKbRRTSTWvk2Sewaq004W+6QOSb3nb1+GHVMov/Q6vsz +j6/3B7+7wybR80UTBI/1DfTlefQaOOgEPBjQZ92NXSxMKe2J7FPD+7NHvwTNzzVD +jg3cmW8pbtLEyxa+C+6EN8xnmklVfyzuzVsRJvrZvzYcOgLK2ji35oq9FYGXm0yH +HRpQPBFkcgNedD3qrJNYKkIBiAh2SSKKA+J8eP3uD9NUOScgl2aKVz/phU5rSDwt +NlhRuX8sS7q4gpL9qk4jWrMb8tNeN5nYRvmJj+Slf9sQSTfvukKo+2X8GpAecQNC +z6OeQyN+3C2zm4cLCHHWC0ZR/iHQyHIVKlFXznWe6qA64o4x1A0GurjVMAw0Pe0v +WBV3KJBsYK/wijtLeip1oKobU76oE0ML/bnhV10k6usvl4n8cDmcONo5FnGoT8Pk +80htx6w5fanMFu4MnoBeyJhhzNfg7ywJcc2VZSM27s2B +-----END CERTIFICATE----- \ No newline at end of file