From a9a5d8f5d4ecde3b54692385dbb6cb05848ea15b Mon Sep 17 00:00:00 2001
From: AmaliMatharaarachchi
Date: Fri, 26 Jan 2024 17:00:29 +0530
Subject: [PATCH] fix token issuer reconcillations

---
 adapter/go.sum | 2 +-
 .../controllers/dp/tokenissuer_controller.go | 48 +++++--------------
 adapter/internal/operator/utils/utils.go | 43 ++++++++---------
 common-controller/go.sum | 2 +-
 common-go-libs/go.mod | 2 +-
 common-go-libs/go.sum | 6 ++-
 6 files changed, 39 insertions(+), 64 deletions(-)

diff --git a/adapter/go.sum b/adapter/go.sum
index bb2d67ed1..e35c88480 100644
--- a/adapter/go.sum
+++ b/adapter/go.sum
@@ -144,8 +144,8 @@ github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr
 github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
 github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
diff --git a/adapter/internal/operator/controllers/dp/tokenissuer_controller.go b/adapter/internal/operator/controllers/dp/tokenissuer_controller.go
index a399da059..b4e5b987f 100644
--- a/adapter/internal/operator/controllers/dp/tokenissuer_controller.go
+++ b/adapter/internal/operator/controllers/dp/tokenissuer_controller.go
@@ -20,7 +20,6 @@ package dp
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 
 	"github.com/wso2/apk/adapter/internal/discovery/xds"
 	"github.com/wso2/apk/adapter/internal/loggers"
@@ -38,7 +37,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/handler" "sigs.k8s.io/controller-runtime/pkg/manager" "sigs.k8s.io/controller-runtime/pkg/predicate" - "sigs.k8s.io/controller-runtime/pkg/reconcile" "sigs.k8s.io/controller-runtime/pkg/source" ) @@ -70,19 +68,13 @@ type TokenssuerReconciler struct { // - https://pkg.go.dev/sigs.k8s.io/controller-runtime@v0.13.0/pkg/reconcile func (r *TokenssuerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { var err error - loggers.LoggerAPKOperator.Debugf("Reconciling jwtIssuer: %v", req.NamespacedName.String()) - jwtKey := req.NamespacedName - var jwtIssuerList = new(dpv1alpha1.TokenIssuerList) - if err := r.client.List(ctx, jwtIssuerList); err != nil { - return reconcile.Result{}, fmt.Errorf("failed to get jwtIssuer %s/%s", jwtKey.Namespace, jwtKey.Name) - } jwtIssuerMapping, err := getJWTIssuers(ctx, r.client, jwtKey) if err != nil { loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2660, logging.CRITICAL, "Unable to find associated JWTIssuers for %s : %s", req.NamespacedName.String(), err.Error())) - return ctrl.Result{}, err + return ctrl.Result{}, nil } UpdateEnforcerJWTIssuers(jwtIssuerMapping) return ctrl.Result{}, nil 
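Review bot: Returning `ctrl.Result{}, nil` when getJWTIssuers fails means controller-runtime will not requeue, so a transient API-server or Secret/ConfigMap read failure leaves the enforcer's trusted-issuer set stale until some unrelated event happens to trigger another reconcile — for the component that decides which token issuers are accepted, that is a silent window of stale trust. Keep `return ctrl.Result{}, err` (or an explicit `RequeueAfter`) for errors a retry can fix and return nil only for permanent ones such as a malformed CR. Separately, as the hunk reads, `jwtKey := req.NamespacedName` is deleted while the context line `getJWTIssuers(ctx, r.client, jwtKey)` still uses it; unless jwtKey is declared elsewhere in the file this does not compile, and `req.NamespacedName` should be passed directly. The deleted Debugf was the only trace that a reconcile ran at all; it is worth keeping. Reconcile's closing brace lies outside this hunk.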
@@ -223,19 +215,12 @@ func getJWTIssuers(ctx context.Context, client k8client.Client, namespace types.
 			jwks := &dpv1alpha1.ResolvedJWKS{}
 			jwks.URL = jwtIssuer.Spec.SignatureValidation.JWKS.URL
 			if jwtIssuer.Spec.SignatureValidation.JWKS.TLS != nil {
-
-				var tlsConfigMapRef *dpv1alpha1.RefConfig
-				var tlsSecretRef *dpv1alpha1.RefConfig
-				if jwtIssuer.Spec.SignatureValidation.JWKS.TLS.ConfigMapRef != nil {
-					tlsConfigMapRef = utils.ConvertRefConfigsV2ToV1(jwtIssuer.Spec.SignatureValidation.JWKS.TLS.ConfigMapRef)
-				}
-				if jwtIssuer.Spec.SignatureValidation.JWKS.TLS.SecretRef != nil {
-					tlsSecretRef = utils.ConvertRefConfigsV2ToV1(jwtIssuer.Spec.SignatureValidation.JWKS.TLS.SecretRef)
-				}
-
-				tlsCertificate, err := utils.ResolveCertificate(ctx, client, jwtIssuer.ObjectMeta.Namespace, jwtIssuer.Spec.SignatureValidation.JWKS.TLS.CertificateInline, tlsConfigMapRef, tlsSecretRef)
-				if err != nil || tlsCertificate == "" {
-					loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2659, logging.MAJOR, "Error resolving certificate for JWKS %v", err.Error()))
+				tlsCertificate, err := utils.ResolveCertificate(ctx, client, jwtIssuer.ObjectMeta.Namespace,
+					jwtIssuer.Spec.SignatureValidation.JWKS.TLS.CertificateInline,
+					jwtIssuer.Spec.SignatureValidation.JWKS.TLS.ConfigMapRef, jwtIssuer.Spec.SignatureValidation.JWKS.TLS.SecretRef)
+				if err != nil {
+					loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2659, logging.MAJOR,
+						"Error resolving certificate for JWKS %v", err.Error()))
 					continue
 				}
 				jwks.TLS = &dpv1alpha1.ResolvedTLSConfig{ResolvedCertificate: tlsCertificate}
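Review bot: Dropping the `tlsCertificate == ""` half of the condition means a JWKS TLS block whose inline/secret/configMap reference resolves to nothing is no longer skipped: utils.ResolveCertificate in this same patch returns `"", nil` when no source is set (its `len(certificate) > 0` guard is bypassed), so `jwks.TLS` is populated with an empty ResolvedCertificate and pushed to the enforcer, whose behaviour with an empty trust anchor is not visible here. The old check was presumably dropped because `err.Error()` panics on a nil err when only the empty-string half matched; the safe form keeps the check without the dereference, e.g. `if err == nil && tlsCertificate == "" { err = errors.New("JWKS TLS configured but no certificate resolved") }` placed just before `if err != nil {` (this file's `fmt` import is removed by this commit, so `errors` is the import to add). getJWTIssuers starts and ends outside this hunk.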
@@ -243,19 +228,12 @@ func getJWTIssuers(ctx context.Context, client k8client.Client, namespace types.
 			signatureValidation.JWKS = jwks
 		}
 		if jwtIssuer.Spec.SignatureValidation.Certificate != nil {
-
-			var tlsConfigMapRef *dpv1alpha1.RefConfig
-			var tlsSecretRef *dpv1alpha1.RefConfig
-			if jwtIssuer.Spec.SignatureValidation.Certificate.ConfigMapRef != nil {
-				tlsConfigMapRef = utils.ConvertRefConfigsV2ToV1(jwtIssuer.Spec.SignatureValidation.Certificate.ConfigMapRef)
-			}
-			if jwtIssuer.Spec.SignatureValidation.Certificate.SecretRef != nil {
-				tlsSecretRef = utils.ConvertRefConfigsV2ToV1(jwtIssuer.Spec.SignatureValidation.Certificate.SecretRef)
-			}
-
-			tlsCertificate, err := utils.ResolveCertificate(ctx, client, jwtIssuer.ObjectMeta.Namespace, jwtIssuer.Spec.SignatureValidation.Certificate.CertificateInline, tlsConfigMapRef, tlsSecretRef)
-			if err != nil || tlsCertificate == "" {
-				loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2659, logging.MAJOR, "Error resolving certificate for JWKS %v", err.Error()))
+			tlsCertificate, err := utils.ResolveCertificate(ctx, client, jwtIssuer.ObjectMeta.Namespace,
+				jwtIssuer.Spec.SignatureValidation.Certificate.CertificateInline,
+				jwtIssuer.Spec.SignatureValidation.Certificate.ConfigMapRef, jwtIssuer.Spec.SignatureValidation.Certificate.SecretRef)
+			if err != nil {
+				loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2659, logging.MAJOR,
+					"Error resolving certificate for JWKS %v", err.Error()))
 				return nil, err
 			}
 			signatureValidation.Certificate = &dpv1alpha1.ResolvedTLSConfig{ResolvedCertificate: tlsCertificate}
diff --git a/adapter/internal/operator/utils/utils.go b/adapter/internal/operator/utils/utils.go
index 8f5f32d39..d2b3acf5a 100644
--- a/adapter/internal/operator/utils/utils.go
+++ b/adapter/internal/operator/utils/utils.go
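Review bot: A certificate-resolution failure on one TokenIssuer now aborts getJWTIssuers for every issuer via `return nil, err` (the JWKS branch above uses `continue`), and Reconcile logs and drops that error, so a single TokenIssuer with a dangling secretRef stops every other issuer's changes from reaching the enforcer — any principal allowed to create TokenIssuer CRs can wedge issuer updates for the whole namespace or cluster. Treat both branches the same and skip only the broken issuer with `continue`. The log message in this branch still says "Error resolving certificate for JWKS"; it should read `"Error resolving certificate for TokenIssuer signature validation %v"` so the two failure modes can be told apart in the operator log. The same empty-certificate concern as in the JWKS branch applies here, since ResolveCertificate can return `"", nil` and that value is now accepted. getJWTIssuers starts and ends outside this hunk.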
@@ -310,7 +310,7 @@ func ResolveAndAddBackendToMapping(ctx context.Context, client k8client.Client, // ResolveRef this function will return k8client object and update owner func ResolveRef(ctx context.Context, client k8client.Client, api *dpv1alpha2.API, namespacedName types.NamespacedName, isReplace bool, obj k8client.Object, opts ...k8client.GetOption) error { - err := client.Get(ctx, namespacedName, obj, opts...); + err := client.Get(ctx, namespacedName, obj, opts...) return err } @@ -361,15 +361,11 @@ func GetResolvedBackend(ctx context.Context, client k8client.Client, var err error if backend.Spec.TLS != nil { resolvedTLSConfig.ResolvedCertificate, err = ResolveCertificate(ctx, client, - backend.Namespace, backend.Spec.TLS.CertificateInline, backend.Spec.TLS.ConfigMapRef, backend.Spec.TLS.SecretRef) + backend.Namespace, backend.Spec.TLS.CertificateInline, ConvertRefConfigsV1ToV2(backend.Spec.TLS.ConfigMapRef), ConvertRefConfigsV1ToV2(backend.Spec.TLS.SecretRef)) if err != nil { loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2654, logging.CRITICAL, "Error resolving certificate for Backend %v", err.Error())) return nil } - if resolvedTLSConfig.ResolvedCertificate == "" { - loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2654, logging.CRITICAL, "Error resolving certificate for Backend. Resolved certificate is empty")) - return nil - } resolvedTLSConfig.AllowedSANs = backend.Spec.TLS.AllowedSANs resolvedBackend.TLS = resolvedTLSConfig } 
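Review bot: The removed `resolvedTLSConfig.ResolvedCertificate == ""` guard was the only thing that refused a Backend whose `spec.tls` names no usable certificate: ResolveCertificate still returns `"", nil` when certificateInline, secretRef and configMapRef are all unset (its `len(certificate) > 0` guard later in this patch is skipped), so such a Backend now gets a TLS config carrying an empty trust anchor plus `AllowedSANs` instead of being rejected with a CRITICAL log. Whether the router then falls back to system roots or to an unverified upstream connection is not visible here, but either way the operator silently accepts a configuration the old code treated as an error. Restore the four removed lines, or move the emptiness check into ResolveCertificate so every caller fails closed. If a TLS block with no CA is a supported configuration, say so in a comment next to the call rather than relying on the empty string. GetResolvedBackend starts and ends outside this hunk.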
@@ -456,16 +452,14 @@ func ResolveAllmTLSCertificates(ctx context.Context, mutualSSL *dpv1alpha2.Mutua
 			certificate, err = ResolveCertificate(ctx, client, namespace, cert, nil, nil)
 			resolvedCertificates = append(resolvedCertificates, certificate)
 		}
-	}
-	if mutualSSL.ConfigMapRefs != nil {
+	} else if mutualSSL.ConfigMapRefs != nil {
 		for _, cert := range mutualSSL.ConfigMapRefs {
-			certificate, err = ResolveCertificate(ctx, client, namespace, nil, ConvertRefConfigsV2ToV1(cert), nil)
+			certificate, err = ResolveCertificate(ctx, client, namespace, nil, cert, nil)
 			resolvedCertificates = append(resolvedCertificates, certificate)
 		}
-	}
-	if mutualSSL.SecretRefs != nil {
+	} else if mutualSSL.SecretRefs != nil {
 		for _, cert := range mutualSSL.SecretRefs {
-			certificate, err = ResolveCertificate(ctx, client, namespace, nil, nil, ConvertRefConfigsV2ToV1(cert))
+			certificate, err = ResolveCertificate(ctx, client, namespace, nil, nil, cert)
 			resolvedCertificates = append(resolvedCertificates, certificate)
 		}
 	}
@@ -475,7 +469,7 @@ func ResolveAllmTLSCertificates(ctx context.Context, mutualSSL *dpv1alpha2.Mutua
 // ResolveCertificate reads the certificate from TLSConfig, first checks the certificateInline field,
 // if no value then load the certificate from secretRef using util function called getSecretValue
 func ResolveCertificate(ctx context.Context, client k8client.Client, namespace string, certificateInline *string,
-	configMapRef *dpv1alpha1.RefConfig, secretRef *dpv1alpha1.RefConfig) (string, error) {
+	configMapRef *dpv1alpha2.RefConfig, secretRef *dpv1alpha2.RefConfig) (string, error) {
 	var certificate string
 	var err error
 	if certificateInline != nil && len(*certificateInline) > 0 {
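Review bot: Turning the three independent `if` blocks into an `else if` chain changes which client-CA certificates get loaded: a MutualSSL that sets CertificatesInline together with ConfigMapRefs or SecretRefs now has everything after the first non-nil list silently ignored, where the old code resolved all of them. For an mTLS trust store that is an unannounced change in who can authenticate; if the sources are meant to be mutually exclusive, enforce that in the CRD or reject the combination here with an error, otherwise keep the blocks independent. Within each loop, `certificate, err = ResolveCertificate(...)` followed by an unconditional `append` means a failed lookup appends an empty string to resolvedCertificates and a later successful iteration overwrites err, so the caller may never learn of the failure; check err inside the loop and return (or skip the entry) on the first failure. The function starts and ends outside this hunk.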
@@ -485,27 +479,26 @@ func ResolveCertificate(ctx context.Context, client k8client.Client, namespace s namespace, secretRef.Name, secretRef.Key); err != nil { loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2642, logging.CRITICAL, "Error while reading certificate from secretRef %s: %s", secretRef, err.Error())) + return "", err } } else if configMapRef != nil { if certificate, err = getConfigMapValue(ctx, client, namespace, configMapRef.Name, configMapRef.Key); err != nil { loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2643, logging.CRITICAL, "Error while reading certificate from configMapRef %s : %s", configMapRef, err.Error())) + return "", err } } - if err != nil { - return "", err - } if len(certificate) > 0 { block, _ := pem.Decode([]byte(certificate)) if block == nil { loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2627, logging.CRITICAL, "Failed to decode certificate PEM.")) - return "", nil + return "", fmt.Errorf("failed to decode certificate PEM") } _, err = x509.ParseCertificate(block.Bytes) if err != nil { loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2641, logging.CRITICAL, "Error while parsing certificate: %s", err.Error())) - return "", err + return "", fmt.Errorf("error while parsing certificate: %s", err.Error()) } } return certificate, nil @@ -579,11 +572,13 @@ func RetrieveAPIList(k8sclient k8client.Client) ([]dpv1alpha2.API, error) { return apis, nil } -// ConvertRefConfigsV2ToV1 converts RefConfig v2 to v1 -func ConvertRefConfigsV2ToV1(refConfig *dpv1alpha2.RefConfig) *dpv1alpha1.RefConfig { - - return &dpv1alpha1.RefConfig{ - Name: refConfig.Name, - Key: refConfig.Key, +// ConvertRefConfigsV1ToV2 converts RefConfig v2 to v1 +func ConvertRefConfigsV1ToV2(refConfig *dpv1alpha1.RefConfig) *dpv1alpha2.RefConfig { + if refConfig != nil { + return &dpv1alpha2.RefConfig{ + Name: refConfig.Name, + Key: refConfig.Key, + } } + return nil } 
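Review bot: `fmt.Errorf("error while parsing certificate: %s", err.Error())` flattens the x509 error; use `fmt.Errorf("error while parsing certificate: %w", err)` so callers can still inspect it with `errors.As`. More importantly, the function still returns `"", nil` when none of certificateInline, secretRef or configMapRef is set, because the only validation sits under `if len(certificate) > 0`; with this commit also removing the empty-certificate checks in the callers, a TLS block with no certificate source now resolves to an empty trust anchor without any error being raised. Add `if certificate == "" { return "", fmt.Errorf("no certificate configured") }` ahead of the PEM decode so every caller fails closed. Note also that only the first PEM block is decoded and parsed; any further blocks in a bundle pass through unvalidated, which is fine only if the consumer re-parses the bundle itself. ResolveCertificate opens before this hunk (the secretRef branch begins above the first context line).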
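Review bot: The doc comment on the new helper is reversed: it says "converts RefConfig v2 to v1" while the signature takes `*dpv1alpha1.RefConfig` and returns `*dpv1alpha2.RefConfig`; it should read `// ConvertRefConfigsV1ToV2 converts a v1alpha1 RefConfig to its v1alpha2 equivalent, returning nil for a nil input.` The nil pass-through is new behaviour relative to the deleted V2ToV1 helper, which dereferenced its argument unconditionally, and it is what lets GetResolvedBackend hand optional refs straight through, so it is worth stating in the comment.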
diff --git a/common-controller/go.sum b/common-controller/go.sum
index db465248f..caa9595a8 100644
--- a/common-controller/go.sum
+++ b/common-controller/go.sum
@@ -178,8 +178,8 @@ github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB
 github.com/redis/go-redis/v9 v9.2.1 h1:WlYJg71ODF0dVspZZCpYmoF1+U1Jjk9Rwd7pq6QmlCg=
 github.com/redis/go-redis/v9 v9.2.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
diff --git a/common-go-libs/go.mod b/common-go-libs/go.mod
index d3f1f662d..3d2c8aab0 100644
--- a/common-go-libs/go.mod
+++ b/common-go-libs/go.mod
@@ -10,7 +10,6 @@ require (
 	github.com/sirupsen/logrus v1.9.0
 	github.com/stretchr/testify v1.8.4
 	github.com/vektah/gqlparser v1.3.1
-	github.com/vektah/gqlparser/v2 v2.5.10
 	github.com/wso2/apk/adapter v0.0.0-20231207051518-6dd728943082
 	golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb
 	google.golang.org/grpc v1.58.3
@@ -61,6 +60,7 @@ require (
 	github.com/prometheus/common v0.42.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
diff --git a/common-go-libs/go.sum b/common-go-libs/go.sum
index b9bfc209f..744240e75 100644
--- a/common-go-libs/go.sum
+++ b/common-go-libs/go.sum
@@ -143,6 +143,7 @@ github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDN
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -152,6 +153,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -162,8 +164,8 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/vektah/gqlparser v1.3.1 h1:8b0IcD3qZKWJQHSzynbDlrtP3IxVydZ2DZepCGofqfU=
 github.com/vektah/gqlparser v1.3.1/go.mod h1:bkVf0FX+Stjg/MHnm8mEyubuaArhNEqfQhF+OTiAL74=
-github.com/vektah/gqlparser/v2 v2.5.10 h1:6zSM4azXC9u4Nxy5YmdmGu4uKamfwsdKTwp5zsEealU=
-github.com/vektah/gqlparser/v2 v2.5.10/go.mod h1:1rCcfwB2ekJofmluGWXMSEnPMZgbxzwj6FaZ/4OT8Cc=
+github.com/wso2/apk/adapter v0.0.0-20231207051518-6dd728943082 h1:l+OdeDCNWPgie7L1fCjpfH04mAL3rFi4U+/idE8eduA=
+github.com/wso2/apk/adapter v0.0.0-20231207051518-6dd728943082/go.mod h1:9xso4vL5oW6sgCig2raPuutrsGCR6Pcn3wjtD+2GzNM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=