update jwtcachefiller to use new tlsconfigutil.CABundle type

Signed-off-by: Ashish Amarnath <ashish.amarnath@broadcom.com>
vmware-tanzu · Aug 5, 2024 · 282b949 · 282b949
1 parent 005dbf3
commit 282b949
Showing 1 changed file with 6 additions and 7 deletions.
diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go
@@ -6,7 +6,6 @@ package webhookcachefiller
 
 import (
 	"context"
-	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -162,8 +161,8 @@ func (c *webhookCacheFillerController) syncIndividualWebhookAuthenticator(ctx co
 	}
 
 	conditions := make([]*metav1.Condition, 0)
-	certPool, caBundlePEM, conditions, tlsBundleOk := c.validateTLSBundle(webhookAuthenticator.Spec.TLS, conditions)
-	caBundlePEMSHA256 := sha256.Sum256(caBundlePEM) // note that this will always return the same hash for nil input
+	caBundle, conditions, tlsBundleOk := c.validateTLSBundle(webhookAuthenticator.Spec.TLS, conditions)
+	caBundlePEMSHA256 := caBundle.GetCABundleHash()
 
 	// Only revalidate and update the cache if the cached authenticator is different from the desired authenticator.
 	// There is no need to repeat validations for a spec that was already successfully validated. We are making a
@@ -190,15 +189,15 @@ func (c *webhookCacheFillerController) syncIndividualWebhookAuthenticator(ctx co
 	endpointHostPort, conditions, endpointOk := c.validateEndpoint(webhookAuthenticator.Spec.Endpoint, conditions)
 	okSoFar := tlsBundleOk && endpointOk
 
-	conditions, tlsNegotiateErr := c.validateConnection(certPool, endpointHostPort, conditions, okSoFar)
+	conditions, tlsNegotiateErr := c.validateConnection(caBundle.GetCertPool(), endpointHostPort, conditions, okSoFar)
 	errs = append(errs, tlsNegotiateErr)
 	okSoFar = okSoFar && tlsNegotiateErr == nil
 
 	newWebhookAuthenticatorForCache, conditions, err := newWebhookAuthenticator(
 		// Note that we use the whole URL when constructing the webhook client,
 		// not just the host and port that we validated above. We need the path, etc.
 		webhookAuthenticator.Spec.Endpoint,
-		caBundlePEM,
+		caBundle.GetCABundle(),
 		conditions,
 		okSoFar,
 	)
@@ -243,7 +242,7 @@ func (c *webhookCacheFillerController) cacheValueAsWebhookAuthenticator(value au
 	return webhookAuthenticator
 }
 
-func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*x509.CertPool, []byte, []*metav1.Condition, bool) {
+func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authenticationv1alpha1.TLSSpec, conditions []*metav1.Condition) (*tlsconfigutil.CABundle, []*metav1.Condition, bool) {
 	condition, caBundle := tlsconfigutil.ValidateTLSConfig(
 		tlsconfigutil.TLSSpecForConcierge(tlsSpec),
 		"spec.tls",
@@ -252,7 +251,7 @@ func (c *webhookCacheFillerController) validateTLSBundle(tlsSpec *authentication
 		c.configMapInformer)
 
 	conditions = append(conditions, condition)
-	return caBundle.GetCertPool(), caBundle.GetCABundle(), conditions, condition.Status == metav1.ConditionTrue
+	return caBundle, conditions, condition.Status == metav1.ConditionTrue
 }
 
 // newWebhookAuthenticator creates a webhook from the provided API server url and caBundle