-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix issue with updating of JKS/PKCS targets when password changes #449
base: main
Are you sure you want to change the base?
Conversation
Hi @arsenalzp. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
But the password hash needs to be added to the targets, and not the bundle resource. 😊 |
In our case it is configMap which holds additional binary data for jks/pkcs12 formats. |
I made changes as was discussed. However, it was made for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for looking into this @arsenalzp! First review pass done. Before this can be merged we need tests for this and a similar implementation for target secrets.
All remarks have been removed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO, this is moving in the right direction now. I would still love to see this new stuff better aligned/integrated with the existing data hash. I also think it's time to write some tests - before we finally implement this for all target resource types.
Were my changes accepted? Can I proceed with the hardest step - test? |
Looking good to me, @arsenalzp! Well done and thanks! Please add some testing of this! 😺 |
Existing tests were modified |
/ok-to-test |
It seems the issue on my side with gomarkdoc. |
If you run |
/retest |
It is necessary to exclude these constants, as they have the same conditions like constant |
@arsenalzp I think this is a false positive that you have to suppress to pass gosec linting.
|
@arsenalzp, please run |
I did it, it is replacing
|
@arsenalzp Are you giving up? 🤠 There should be no need for a new PR. Just fix the branch. 😺 |
No, it is not so easy to get rid of me :-D |
/reopen |
@erikgb: Failed to re-open PR: state cannot be changed. There are no new commits on the arsenalzp:issue_433 branch. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
@arsenalzp: The
Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/test all |
@arsenalzp, please ping me for another review when you have addressed all the present remarks! |
It seems all remarks have already been resolved... |
I still can't find any test of the issue this PR is solving. I think it will fix it, but it would be nice with a test verifying it's fixed. |
I agree. |
Hello colleagues, |
@arsenalzp The fix looks good, but I would still love to see a test verifying that the reported issue is fixed. However I tend to accept your proposed changes and leave the test improvement for a follow-up PR - since this PR appears to fix an annoying bug and has been open for a while. 🤠 But can you please fix the commit message on your single commit? |
Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com> fix typo in variable name, regenerate API doc Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com> fix bundle test with annotation zero strings Signed-off-by: Oleksandr Krutko <alexander.krutko@gmail.com>
Fixed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
/hold
Looks good to me, but since @inteon had some comments on this PR I am putting a hold for now. Tim, could you please take a look? @arsenalzp has been working on this for a long time now.
I am going to prepare a PR for deduplicating the target logic more after this is merged.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: erikgb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What happened with deduplication? Those changes were introduced by me last year. |
I meant deduplication of source code. Not certs in trust bundle. 😉 You fixed the latter, yes. |
This draft PR is trying to fix #433
As was advised be @erikgb I added additional field named
passwordHash
.However, as user shouldn't care of calculating password hash, I added mutation webhook to set
passwordHash
value duringBundle
creation.Let's consider this PR as draft one, therefore I would like to discuss my solution with you, then I'm gonna modify tests, prepare documentation for functions which were added.