fix token issuer reconcillations

wso2 · Jan 26, 2024 · a9a5d8f · a9a5d8f
1 parent 1ede74f
commit a9a5d8f
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 64 deletions.
diff --git a/adapter/go.sum b/adapter/go.sum
@@ -144,8 +144,8 @@ github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr
 github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
 github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=

diff --git a/adapter/internal/operator/controllers/dp/tokenissuer_controller.go b/adapter/internal/operator/controllers/dp/tokenissuer_controller.go
@@ -20,7 +20,6 @@ package dp
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 
 	"github.com/wso2/apk/adapter/internal/discovery/xds"
 	"github.com/wso2/apk/adapter/internal/loggers"
@@ -38,7 +37,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 )
 
@@ -70,19 +68,13 @@ type TokenssuerReconciler struct {
 // - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *TokenssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	var err error
-
 	loggers.LoggerAPKOperator.Debugf("Reconciling jwtIssuer: %v", req.NamespacedName.String())
-
 	jwtKey := req.NamespacedName
-	var jwtIssuerList = new(dpv1alpha1.TokenIssuerList)
-	if err := r.client.List(ctx, jwtIssuerList); err != nil {
-		return reconcile.Result{}, fmt.Errorf("failed to get jwtIssuer %s/%s", jwtKey.Namespace, jwtKey.Name)
-	}
 	jwtIssuerMapping, err := getJWTIssuers(ctx, r.client, jwtKey)
 	if err != nil {
 		loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2660, logging.CRITICAL,
 			"Unable to find associated JWTIssuers for %s : %s", req.NamespacedName.String(), err.Error()))
-		return ctrl.Result{}, err
+		return ctrl.Result{}, nil
 	}
 	UpdateEnforcerJWTIssuers(jwtIssuerMapping)
 	return ctrl.Result{}, nil
@@ -223,39 +215,25 @@ func getJWTIssuers(ctx context.Context, client k8client.Client, namespace types.
 			jwks := &dpv1alpha1.ResolvedJWKS{}
 			jwks.URL = jwtIssuer.Spec.SignatureValidation.JWKS.URL
 			if jwtIssuer.Spec.SignatureValidation.JWKS.TLS != nil {
-
-				var tlsConfigMapRef *dpv1alpha1.RefConfig
-				var tlsSecretRef *dpv1alpha1.RefConfig
-				if jwtIssuer.Spec.SignatureValidation.JWKS.TLS.ConfigMapRef != nil {
-					tlsConfigMapRef = utils.ConvertRefConfigsV2ToV1(jwtIssuer.Spec.SignatureValidation.JWKS.TLS.ConfigMapRef)
-				}
-				if jwtIssuer.Spec.SignatureValidation.JWKS.TLS.SecretRef != nil {
-					tlsSecretRef = utils.ConvertRefConfigsV2ToV1(jwtIssuer.Spec.SignatureValidation.JWKS.TLS.SecretRef)
-				}
-
-				tlsCertificate, err := utils.ResolveCertificate(ctx, client, jwtIssuer.ObjectMeta.Namespace, jwtIssuer.Spec.SignatureValidation.JWKS.TLS.CertificateInline, tlsConfigMapRef, tlsSecretRef)
-				if err != nil || tlsCertificate == "" {
-					loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2659, logging.MAJOR, "Error resolving certificate for JWKS %v", err.Error()))
+				tlsCertificate, err := utils.ResolveCertificate(ctx, client, jwtIssuer.ObjectMeta.Namespace,
+					jwtIssuer.Spec.SignatureValidation.JWKS.TLS.CertificateInline,
+					jwtIssuer.Spec.SignatureValidation.JWKS.TLS.ConfigMapRef, jwtIssuer.Spec.SignatureValidation.JWKS.TLS.SecretRef)
+				if err != nil {
+					loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2659, logging.MAJOR,
+						"Error resolving certificate for JWKS %v", err.Error()))
 					continue
 				}
 				jwks.TLS = &dpv1alpha1.ResolvedTLSConfig{ResolvedCertificate: tlsCertificate}
 			}
 			signatureValidation.JWKS = jwks
 		}
 		if jwtIssuer.Spec.SignatureValidation.Certificate != nil {
-
-			var tlsConfigMapRef *dpv1alpha1.RefConfig
-			var tlsSecretRef *dpv1alpha1.RefConfig
-			if jwtIssuer.Spec.SignatureValidation.Certificate.ConfigMapRef != nil {
-				tlsConfigMapRef = utils.ConvertRefConfigsV2ToV1(jwtIssuer.Spec.SignatureValidation.Certificate.ConfigMapRef)
-			}
-			if jwtIssuer.Spec.SignatureValidation.Certificate.SecretRef != nil {
-				tlsSecretRef = utils.ConvertRefConfigsV2ToV1(jwtIssuer.Spec.SignatureValidation.Certificate.SecretRef)
-			}
-
-			tlsCertificate, err := utils.ResolveCertificate(ctx, client, jwtIssuer.ObjectMeta.Namespace, jwtIssuer.Spec.SignatureValidation.Certificate.CertificateInline, tlsConfigMapRef, tlsSecretRef)
-			if err != nil || tlsCertificate == "" {
-				loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2659, logging.MAJOR, "Error resolving certificate for JWKS %v", err.Error()))
+			tlsCertificate, err := utils.ResolveCertificate(ctx, client, jwtIssuer.ObjectMeta.Namespace,
+				jwtIssuer.Spec.SignatureValidation.Certificate.CertificateInline,
+				jwtIssuer.Spec.SignatureValidation.Certificate.ConfigMapRef, jwtIssuer.Spec.SignatureValidation.Certificate.SecretRef)
+			if err != nil {
+				loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2659, logging.MAJOR,
+					"Error resolving certificate for JWKS %v", err.Error()))
 				return nil, err
 			}
 			signatureValidation.Certificate = &dpv1alpha1.ResolvedTLSConfig{ResolvedCertificate: tlsCertificate}

diff --git a/adapter/internal/operator/utils/utils.go b/adapter/internal/operator/utils/utils.go
@@ -310,7 +310,7 @@ func ResolveAndAddBackendToMapping(ctx context.Context, client k8client.Client,
 // ResolveRef this function will return k8client object and update owner
 func ResolveRef(ctx context.Context, client k8client.Client, api *dpv1alpha2.API,
 	namespacedName types.NamespacedName, isReplace bool, obj k8client.Object, opts ...k8client.GetOption) error {
-	err := client.Get(ctx, namespacedName, obj, opts...); 
+	err := client.Get(ctx, namespacedName, obj, opts...)
 	return err
 }
 
@@ -361,15 +361,11 @@ func GetResolvedBackend(ctx context.Context, client k8client.Client,
 	var err error
 	if backend.Spec.TLS != nil {
 		resolvedTLSConfig.ResolvedCertificate, err = ResolveCertificate(ctx, client,
-			backend.Namespace, backend.Spec.TLS.CertificateInline, backend.Spec.TLS.ConfigMapRef, backend.Spec.TLS.SecretRef)
+			backend.Namespace, backend.Spec.TLS.CertificateInline, ConvertRefConfigsV1ToV2(backend.Spec.TLS.ConfigMapRef), ConvertRefConfigsV1ToV2(backend.Spec.TLS.SecretRef))
 		if err != nil {
 			loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2654, logging.CRITICAL, "Error resolving certificate for Backend %v", err.Error()))
 			return nil
 		}
-		if resolvedTLSConfig.ResolvedCertificate == "" {
-			loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2654, logging.CRITICAL, "Error resolving certificate for Backend. Resolved certificate is empty"))
-			return nil
-		}
 		resolvedTLSConfig.AllowedSANs = backend.Spec.TLS.AllowedSANs
 		resolvedBackend.TLS = resolvedTLSConfig
 	}
@@ -456,16 +452,14 @@ func ResolveAllmTLSCertificates(ctx context.Context, mutualSSL *dpv1alpha2.Mutua
 			certificate, err = ResolveCertificate(ctx, client, namespace, cert, nil, nil)
 			resolvedCertificates = append(resolvedCertificates, certificate)
 		}
-	}
-	if mutualSSL.ConfigMapRefs != nil {
+	} else if mutualSSL.ConfigMapRefs != nil {
 		for _, cert := range mutualSSL.ConfigMapRefs {
-			certificate, err = ResolveCertificate(ctx, client, namespace, nil, ConvertRefConfigsV2ToV1(cert), nil)
+			certificate, err = ResolveCertificate(ctx, client, namespace, nil, cert, nil)
 			resolvedCertificates = append(resolvedCertificates, certificate)
 		}
-	}
-	if mutualSSL.SecretRefs != nil {
+	} else if mutualSSL.SecretRefs != nil {
 		for _, cert := range mutualSSL.SecretRefs {
-			certificate, err = ResolveCertificate(ctx, client, namespace, nil, nil, ConvertRefConfigsV2ToV1(cert))
+			certificate, err = ResolveCertificate(ctx, client, namespace, nil, nil, cert)
 			resolvedCertificates = append(resolvedCertificates, certificate)
 		}
 	}
@@ -475,7 +469,7 @@ func ResolveAllmTLSCertificates(ctx context.Context, mutualSSL *dpv1alpha2.Mutua
 // ResolveCertificate reads the certificate from TLSConfig, first checks the certificateInline field,
 // if no value then load the certificate from secretRef using util function called getSecretValue
 func ResolveCertificate(ctx context.Context, client k8client.Client, namespace string, certificateInline *string,
-	configMapRef *dpv1alpha1.RefConfig, secretRef *dpv1alpha1.RefConfig) (string, error) {
+	configMapRef *dpv1alpha2.RefConfig, secretRef *dpv1alpha2.RefConfig) (string, error) {
 	var certificate string
 	var err error
 	if certificateInline != nil && len(*certificateInline) > 0 {
@@ -485,27 +479,26 @@ func ResolveCertificate(ctx context.Context, client k8client.Client, namespace s
 			namespace, secretRef.Name, secretRef.Key); err != nil {
 			loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2642, logging.CRITICAL,
 				"Error while reading certificate from secretRef %s: %s", secretRef, err.Error()))
+			return "", err
 		}
 	} else if configMapRef != nil {
 		if certificate, err = getConfigMapValue(ctx, client,
 			namespace, configMapRef.Name, configMapRef.Key); err != nil {
 			loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2643, logging.CRITICAL,
 				"Error while reading certificate from configMapRef %s : %s", configMapRef, err.Error()))
+			return "", err
 		}
 	}
-	if err != nil {
-		return "", err
-	}
 	if len(certificate) > 0 {
 		block, _ := pem.Decode([]byte(certificate))
 		if block == nil {
 			loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2627, logging.CRITICAL, "Failed to decode certificate PEM."))
-			return "", nil
+			return "", fmt.Errorf("failed to decode certificate PEM")
 		}
 		_, err = x509.ParseCertificate(block.Bytes)
 		if err != nil {
 			loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2641, logging.CRITICAL, "Error while parsing certificate: %s", err.Error()))
-			return "", err
+			return "", fmt.Errorf("error while parsing certificate: %s", err.Error())
 		}
 	}
 	return certificate, nil
@@ -579,11 +572,13 @@ func RetrieveAPIList(k8sclient k8client.Client) ([]dpv1alpha2.API, error) {
 	return apis, nil
 }
 
-// ConvertRefConfigsV2ToV1 converts RefConfig v2 to v1
-func ConvertRefConfigsV2ToV1(refConfig *dpv1alpha2.RefConfig) *dpv1alpha1.RefConfig {
-
-	return &dpv1alpha1.RefConfig{
-		Name: refConfig.Name,
-		Key:  refConfig.Key,
+// ConvertRefConfigsV1ToV2 converts RefConfig v2 to v1
+func ConvertRefConfigsV1ToV2(refConfig *dpv1alpha1.RefConfig) *dpv1alpha2.RefConfig {
+	if refConfig != nil {
+		return &dpv1alpha2.RefConfig{
+			Name: refConfig.Name,
+			Key:  refConfig.Key,
+		}
 	}
+	return nil
 }
diff --git a/common-controller/go.sum b/common-controller/go.sum
@@ -178,8 +178,8 @@ github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB
 github.com/redis/go-redis/v9 v9.2.1 h1:WlYJg71ODF0dVspZZCpYmoF1+U1Jjk9Rwd7pq6QmlCg=
 github.com/redis/go-redis/v9 v9.2.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=

diff --git a/common-go-libs/go.mod b/common-go-libs/go.mod
@@ -10,7 +10,6 @@ require (
 	github.com/sirupsen/logrus v1.9.0
 	github.com/stretchr/testify v1.8.4
 	github.com/vektah/gqlparser v1.3.1
-	github.com/vektah/gqlparser/v2 v2.5.10
 	github.com/wso2/apk/adapter v0.0.0-20231207051518-6dd728943082
 	golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb
 	google.golang.org/grpc v1.58.3
@@ -61,6 +60,7 @@ require (
 	github.com/prometheus/common v0.42.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect

diff --git a/common-go-libs/go.sum b/common-go-libs/go.sum
@@ -143,6 +143,7 @@ github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDN
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -152,6 +153,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -162,8 +164,8 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/vektah/gqlparser v1.3.1 h1:8b0IcD3qZKWJQHSzynbDlrtP3IxVydZ2DZepCGofqfU=
 github.com/vektah/gqlparser v1.3.1/go.mod h1:bkVf0FX+Stjg/MHnm8mEyubuaArhNEqfQhF+OTiAL74=
-github.com/vektah/gqlparser/v2 v2.5.10 h1:6zSM4azXC9u4Nxy5YmdmGu4uKamfwsdKTwp5zsEealU=
-github.com/vektah/gqlparser/v2 v2.5.10/go.mod h1:1rCcfwB2ekJofmluGWXMSEnPMZgbxzwj6FaZ/4OT8Cc=
+github.com/wso2/apk/adapter v0.0.0-20231207051518-6dd728943082 h1:l+OdeDCNWPgie7L1fCjpfH04mAL3rFi4U+/idE8eduA=
+github.com/wso2/apk/adapter v0.0.0-20231207051518-6dd728943082/go.mod h1:9xso4vL5oW6sgCig2raPuutrsGCR6Pcn3wjtD+2GzNM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=