Cherry-pick #4396 and #4493: Fix cert reissuance on SAN mismatch [v1.40] #4542
Open
rene-dekker wants to merge 5 commits into release-v1.40 from
Conversation
…d not actually test the replacement functionality.
The issuer identity check at the end of getKeyPair used exact match against TigeraOperatorCAIssuerPrefix, but legacy operator CAs use the format "tigera-operator-signer@<timestamp>". This caused valid legacy certs to be misidentified as BYO, skipping SAN revalidation. Fixes the calico-apiserver TLS failure after the namespace migration from calico-apiserver to calico-system in v3.31, where the cert had SANs for the old namespace but was never reissued.
Use 365-day cert durations instead of 1-hour so tests actually exercise the code paths past the 30-day grace period check. Also use legacyWithClientKeyUsage (with legacySecretName) in the existing "does replace a legacy secret" test so it hits line 504 instead of bailing out early on invalid key usage. Remove the separate validLegacyCASecret test since the existing test now covers the scenario properly.
The test intended to simulate a user-supplied cert but passed nil as the CA, which creates an operator-signed cert via DefaultOperatorCASignerName. With the HasPrefix fix, this cert is now correctly identified as operator-signed and reissued instead of preserved. Use a real non-operator CA (test.MakeTestCA) to properly simulate BYO behavior.
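The issuer identity check the commit messages above describe, as an added example that is not code from this PR or from the operator itself: the constant `TigeraOperatorCAIssuerPrefix`, the functions `IsOperatorIssued`, `IsOperatorIssuedExact` and `NeedsReissue`, the service DNS names and the legacy timestamp are assumptions modelled on the description. It contrasts the pre-fix exact comparison with the `strings.HasPrefix` comparison on a constructed legacy cert whose SAN still names the old namespace.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"strings"
)

// Hypothetical constant, modelled on the prefix named in the PR description.
const TigeraOperatorCAIssuerPrefix = "tigera-operator-signer"

// IsOperatorIssued reports whether a cert was signed by an operator CA. Legacy
// operator CAs use "tigera-operator-signer@<timestamp>", so a prefix match is needed.
func IsOperatorIssued(cert *x509.Certificate) bool {
	return strings.HasPrefix(cert.Issuer.CommonName, TigeraOperatorCAIssuerPrefix)
}

// IsOperatorIssuedExact is the pre-fix comparison, kept for contrast: it misses legacy CAs.
func IsOperatorIssuedExact(cert *x509.Certificate) bool {
	return cert.Issuer.CommonName == TigeraOperatorCAIssuerPrefix
}

// NeedsReissue: BYO certs are never touched; operator-signed certs are reissued
// when their DNS SANs do not cover every required name.
func NeedsReissue(cert *x509.Certificate, requiredDNS []string) bool {
	if !IsOperatorIssued(cert) {
		return false // treated as BYO: preserve as-is
	}
	have := make(map[string]bool, len(cert.DNSNames))
	for _, n := range cert.DNSNames {
		have[n] = true
	}
	for _, want := range requiredDNS {
		if !have[want] {
			return true
		}
	}
	return false
}

// LegacyAPIServerCert is a constructed sample (fields only, no key material): a
// legacy operator-signed cert whose SAN still names the old namespace.
var LegacyAPIServerCert = &x509.Certificate{
	Issuer:   pkix.Name{CommonName: "tigera-operator-signer@1700000000"},
	DNSNames: []string{"calico-api.calico-apiserver.svc"},
}
```

With the exact comparison the sample cert is classed as BYO and kept, so the stale SAN survives the namespace move; with the prefix comparison it is recognised as operator-signed and reissued.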
Summary
- Backport to release-v1.40
- Namespace migration: calico-apiserver to calico-system
- The getKeyPair issuer identity check now uses strings.HasPrefix consistently, so legacy certs are correctly identified and reissued instead of being treated as BYO

Test plan
- go test ./pkg/controller/certificatemanager/... — 27/27 pass
- go test ./pkg/controller/compliance/... — pass

🤖 Generated with Claude Code