Comments (10)
raffaelespazzoli
commented on June 20, 2024
1
let's use the configmap creation time. can you send a PR?
from cert-utils-operator.
raffaelespazzoli
commented on June 20, 2024
I think your assessment is correct. not sure what to do to prevent this. Asking internally...
from cert-utils-operator.
vinzent
commented on June 20, 2024
maybe the CreationTimestamp of the ConfigMap could be used?
diff --git a/Dockerfile b/Dockerfile
index 2c1b7ca..4a107d5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
# Build the manager binary
-FROM golang:1.16 as builder
+FROM docker.io/library/golang:1.19 as builder
WORKDIR /workspace
# Copy the Go Modules manifests
diff --git a/controllers/configmaptokeystore/configmap_to_keystore_controller.go b/controllers/configmaptokeystore/configmap_to_keystore_controller.go
index 97c2233..a1ecb13 100644
--- a/controllers/configmaptokeystore/configmap_to_keystore_controller.go
+++ b/controllers/configmaptokeystore/configmap_to_keystore_controller.go
@@ -7,7 +7,6 @@ import (
"errors"
"reflect"
"strconv"
- "time"
"github.com/go-logr/logr"
keystore "github.com/pavel-v-chernykh/keystore-go"
@@ -136,7 +135,7 @@ func (r *ConfigMapToKeystoreReconciler) getTrustStoreFromConfigMap(configMap *co
for p, rest := pem.Decode([]byte(ca)); p != nil; p, rest = pem.Decode(rest) {
keyStore["alias"+strconv.Itoa(i)] = &keystore.TrustedCertificateEntry{
Entry: keystore.Entry{
- CreationDate: time.Now(),
+ CreationDate: configMap.GetCreationTimestamp().Time,
},
Certificate: keystore.Certificate{
Type: "X.509",or a checksum of the ca-bundle.crt content could be computed and be persisted as annotation.
from cert-utils-operator.
raffaelespazzoli
commented on June 20, 2024
it would still be different than the one used to create the truststore. Maybe it's possible to inspect the truststore (if it exists) and use exactly that timestamp
from cert-utils-operator.
vinzent
commented on June 20, 2024
but if you update the ca-bundle.crt content then the truststore.jks will still have the same timestamp from the first time it was created. I don't think the CreationDate jks property has much meaning.
from cert-utils-operator.
vinzent
commented on June 20, 2024
@raffaelespazzoli I want to proceed with this., because it "hurts" our cluster every pod restart (dozens of java pods restarted).
found out the secrets keystore controller writes a annotation:
I see these possible ways to fix this situation:
- use a fixed value for creation timestamp (1970-01-01...). As this CreationDate has no real value IMHO the value can be anything.
- use the same as for the secrets keystore controller. Store timestamp as annotation.
- use the CreationTime timestamp from the ConfigMap
- parse the keystore and re-use the effective keystore creationdate
any method but the last will trigger a final "useless" update of the configmap.
from cert-utils-operator.
vinzent
commented on June 20, 2024
i've created a patch: https://github.com/redhat-cop/cert-utils-operator/compare/master...vinzent:cert-utils-operator:persistent-jks-creationdate-property?expand=1
Built image (https://quay.io/mueller/cert-utils-operator:latest).
Testing:
- truststore.jks in ConfigMap still gets updated every restart.
- comparing "keytool -list -keystore xyz.jks" before and after shows no difference
Stumbled upon this pavlo-v-chernykh/keystore-go#34 (fun fact: created by @raffaelespazzoli ;-) ). Maybe the WithOrderedAliases and WithCustomRandomNumberGenerator options also needs to be used?
from cert-utils-operator.
vinzent
commented on June 20, 2024
I figured out that the configmaptokeystore uses an outdated keystore-go (2.0.1) lib. Current is 4.4.1. Also path to lib changed (pavel -> pavlo). And it requires at least go 1.17.
more changes pushed to my branch: https://github.com/redhat-cop/cert-utils-operator/compare/master...vinzent:cert-utils-operator:persistent-jks-creationdate-property?expand=1
So I think to fix this issue, following changes are needed:
- update builder image go >1.17
- update all code to use keystore-go 4.4.1
- use configMap CreattionTimestamp for JKS CreationTime and WithOrderedAliases feature of keystore-go
from cert-utils-operator.
raffaelespazzoli
commented on June 20, 2024
ok, please confirm that this change fixes the issue, then send a PR?
from cert-utils-operator.
vinzent
commented on June 20, 2024
The #144 is now ready to be reviewed.
from cert-utils-operator.
Related Issues (20)
- Possible Issue stemming from null password on keystore
- Problem with certificate in route sinced a changed has been made in cert-manager HOT 12
- Ability to create truststore from Operator controlled Secrets HOT 3
- Unable to stop expiry alert HOT 7
- false alerts HOT 1
- Helm installation is broken
- generating the truststore in an new secret of type Opaque HOT 3
- unable to update route error HOT 3
- ConstraintsNotSatisfiable - V1.3.9 HOT 3
- Missing webhook-server-cert Secret when installed with Helm HOT 1
- Cert-Manager vs. OpenShift Service serving-cert-secret-name Annotation (1.3.9) HOT 6
- ServiceMonitor contains a hard-coded serverName that assumes the operator namespace is cert-utils-operator HOT 22
- Ability to inject openshift-service-ca.crt ConfigMap as route destinationCACertificate
- Image is out of date HOT 3
- Problem with high memory consumption on kube-apiserver HOT 2
- Operator logs access token HOT 6
- Dependency Dashboard
- It should be possible to use multiple source-ca-keys to generate a truststore
- regarding storing CA bundle in a secret to populate route certificates in openshift HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cert-utils-operator.