Merge pull request #122 from SgtCoDFish/chain-fix

Ensure that chain is copied in full to route
cert-manager · Jan 16, 2025 · a3cf5e0 · a3cf5e0
2 parents f9d3163 + adeb103
commit a3cf5e0
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 7 deletions.
diff --git a/internal/controller/sync.go b/internal/controller/sync.go
@@ -567,11 +567,18 @@ func (r *RouteController) populateRoute(ctx context.Context, route *routev1.Rout
 	}
 	key = k
 
-	certificate, err := utilpki.DecodeX509CertificateBytes(secret.Data["tls.crt"])
+	certificates, err := utilpki.DecodeX509CertificateChainBytes(secret.Data["tls.crt"])
 	if err != nil {
 		return err
 	}
-	matches, err := utilpki.PublicKeyMatchesCertificate(key.Public(), certificate)
+
+	if len(certificates) == 0 {
+		// this shouldn't happen; DecodeX509CertificateChainBytes should error in this situation
+		// but just in case, catch this case so we don't panic when accessing certificates[0]
+		return fmt.Errorf("found no valid certs from DecodeX509CertificateChainBytes")
+	}
+
+	matches, err := utilpki.PublicKeyMatchesCertificate(key.Public(), certificates[0])
 	if err != nil {
 		return err
 	}
@@ -585,16 +592,20 @@ func (r *RouteController) populateRoute(ctx context.Context, route *routev1.Rout
 			InsecureEdgeTerminationPolicy: routev1.InsecureEdgeTerminationPolicyRedirect,
 		}
 	}
+
 	encodedKey, err := utilpki.EncodePrivateKey(key, cmapi.PKCS1)
 	if err != nil {
 		return err
 	}
+
 	route.Spec.TLS.Key = string(encodedKey)
-	encodedCert, err := utilpki.EncodeX509(certificate)
+
+	encodedCerts, err := utilpki.EncodeX509Chain(certificates)
 	if err != nil {
 		return err
 	}
-	route.Spec.TLS.Certificate = string(encodedCert)
+
+	route.Spec.TLS.Certificate = string(encodedCerts)
 
 	_, err = r.routeClient.RouteV1().Routes(route.Namespace).Update(ctx, route, metav1.UpdateOptions{})
 	return err

diff --git a/test/test-smoke.sh b/test/test-smoke.sh
@@ -20,7 +20,8 @@ set -o pipefail
 
 YQ=${1:-yq}
 
-# Create a self-signed CA certificate and Issuer
+# Create a self-signed root CA certificate and Issuer
+# Then create an intermediate CA and issuer
 
 cat <<EOF | kubectl apply -f -
 ---
@@ -50,10 +51,34 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
-  name: my-ca-issuer
+  name: my-root-issuer
 spec:
   ca:
     secretName: root-secret
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: my-intermediate-ca
+spec:
+  isCA: true
+  commonName: my-intermediate-ca
+  secretName: intermediate-secret
+  privateKey:
+    algorithm: RSA
+    size: 2048
+  issuerRef:
+    name: my-root-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: my-ca-issuer
+spec:
+  ca:
+    secretName: intermediate-secret
 EOF
 
 # Create a Route and patch the status with multiple hosts
@@ -126,7 +151,7 @@ kubectl patch route "$route_name" --type=merge --subresource=status -p="$patch"
 # Wait for the certificate to be issued
 SLEEP_TIME=2
 
-for _ in {1..10}; do
+for _ in {1..30}; do
   certificate=$(kubectl get route "$route_name" -o jsonpath='{.spec.tls.certificate}')
   if [ "$certificate" != "" ]; then
     break