Comments (10)
Let's use the ConfigMap creation time. Can you send a PR?
from cert-utils-operator.
I think your assessment is correct. Not sure what to do to prevent this. Asking internally...
Maybe the CreationTimestamp of the ConfigMap could be used?
diff --git a/Dockerfile b/Dockerfile
index 2c1b7ca..4a107d5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
# Build the manager binary
-FROM golang:1.16 as builder
+FROM docker.io/library/golang:1.19 as builder
WORKDIR /workspace
# Copy the Go Modules manifests
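Review bot: `docker.io/library/golang:1.19` is still a floating tag, so the builder image can change underneath this build; if the goal is a reproducible truststore, pin the builder with an `@sha256:` digest as well, and make sure the `go` directive in go.mod is raised in step with it, since the keystore-go upgrade this branch targets needs at least Go 1.17.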
diff --git a/controllers/configmaptokeystore/configmap_to_keystore_controller.go b/controllers/configmaptokeystore/configmap_to_keystore_controller.go
index 97c2233..a1ecb13 100644
--- a/controllers/configmaptokeystore/configmap_to_keystore_controller.go
+++ b/controllers/configmaptokeystore/configmap_to_keystore_controller.go
@@ -7,7 +7,6 @@ import (
"errors"
"reflect"
"strconv"
- "time"
"github.com/go-logr/logr"
keystore "github.com/pavel-v-chernykh/keystore-go"
@@ -136,7 +135,7 @@ func (r *ConfigMapToKeystoreReconciler) getTrustStoreFromConfigMap(configMap *co
for p, rest := pem.Decode([]byte(ca)); p != nil; p, rest = pem.Decode(rest) {
keyStore["alias"+strconv.Itoa(i)] = &keystore.TrustedCertificateEntry{
Entry: keystore.Entry{
- CreationDate: time.Now(),
+ CreationDate: configMap.GetCreationTimestamp().Time,
},
Certificate: keystore.Certificate{
Type: "X.509",
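Review bot: swapping `time.Now()` for `configMap.GetCreationTimestamp().Time` removes only one source of churn in this hunk: the entries are still collected into the `keyStore` map, and Go randomises map iteration order, so unless the writer emits aliases in a fixed order (keystore-go's WithOrderedAliases) the serialised truststore.jks can still differ between two reconciles of identical input. Two smaller points: the ConfigMap's CreationTimestamp never changes when ca-bundle.crt is edited, so the JKS CreationDate stops carrying any information (fine if it is treated as meaningless, but worth a comment), and the loop still stores every PEM block under `Type: "X.509"` without checking `p.Type == "CERTIFICATE"`.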
Or a checksum of the ca-bundle.crt content could be computed and persisted as an annotation.
It would still be different from the one used to create the truststore. Maybe it's possible to inspect the truststore (if it exists) and use exactly that timestamp.
But if you update the ca-bundle.crt content, then the truststore.jks will still have the same timestamp from the first time it was created. I don't think the CreationDate JKS property has much meaning.
@raffaelespazzoli I want to proceed with this, because it "hurts" our cluster on every pod restart (dozens of Java pods restarted).
Found out the secrets keystore controller writes an annotation:
I see these possible ways to fix this situation:
- use a fixed value for the creation timestamp (1970-01-01...). As this CreationDate has no real value, IMHO the value can be anything.
- use the same approach as the secrets keystore controller: store the timestamp as an annotation.
- use the CreationTime timestamp from the ConfigMap
- parse the keystore and re-use the effective keystore creation date
Any method but the last will trigger a final "useless" update of the ConfigMap.
I've created a patch: https://github.com/redhat-cop/cert-utils-operator/compare/master...vinzent:cert-utils-operator:persistent-jks-creationdate-property?expand=1
Built image (https://quay.io/mueller/cert-utils-operator:latest).
Testing:
- truststore.jks in ConfigMap still gets updated every restart.
- comparing "keytool -list -keystore xyz.jks" before and after shows no difference
Stumbled upon this pavlo-v-chernykh/keystore-go#34 (fun fact: created by @raffaelespazzoli ;-) ). Maybe the WithOrderedAliases and WithCustomRandomNumberGenerator options also need to be used?
I figured out that the configmaptokeystore controller uses an outdated keystore-go lib (2.0.1). Current is 4.4.1. Also the path to the lib changed (pavel -> pavlo). And it requires at least Go 1.17.
More changes pushed to my branch: https://github.com/redhat-cop/cert-utils-operator/compare/master...vinzent:cert-utils-operator:persistent-jks-creationdate-property?expand=1
So I think that to fix this issue, the following changes are needed:
- update the builder image to Go >1.17
- update all code to use keystore-go 4.4.1
- use the ConfigMap CreationTimestamp for the JKS CreationTime and the WithOrderedAliases feature of keystore-go
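The fix the thread converges on (a CreationDate that does not move between reconciles, plus aliases written in a fixed order) amounts to making the serialised truststore a pure function of the CA bundle. As an added example that is not code from cert-utils-operator or keystore-go, the stand-alone Go program below writes a trusted-certificate-only JKS using nothing but the standard library, sorts aliases before writing, and stamps every entry with one caller-supplied time the way the patch does with configMap.GetCreationTimestamp(). The two-certificate bundle it consumes is constructed in-process from throwaway self-signed CAs; the password "changeit", the fixed 2023 timestamp and the helper names are assumptions of the example, and the file layout follows sun.security.provider.JavaKeyStore (trusted-cert entries, ASCII aliases).

```go
// Added example (not cert-utils-operator code): a dependency-free JKS truststore
// writer whose output is a pure function of its input, i.e. no reconcile churn.
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// TrustedEntry is one JKS trusted-certificate record (entry tag 2).
type TrustedEntry struct {
	Alias   string
	Created time.Time // serialized as milliseconds since the Unix epoch
	DER     []byte    // DER-encoded X.509 certificate
}

// writeUTF mirrors DataOutputStream.writeUTF for ASCII: 2-byte length, then bytes.
func writeUTF(w *bytes.Buffer, s string) {
	binary.Write(w, binary.BigEndian, uint16(len(s)))
	w.WriteString(s)
}

// EncodeJKS serializes entries as a JKS file. Aliases are sorted first, so a caller
// that collected them in a Go map (randomized iteration order) still gets
// byte-identical output for identical input.
func EncodeJKS(entries []TrustedEntry, password string) []byte {
	sorted := append([]TrustedEntry(nil), entries...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Alias < sorted[j].Alias })
	var body bytes.Buffer
	body.Write([]byte{0xFE, 0xED, 0xFE, 0xED, 0, 0, 0, 2}) // magic + format version 2
	binary.Write(&body, binary.BigEndian, uint32(len(sorted)))
	for _, e := range sorted {
		binary.Write(&body, binary.BigEndian, uint32(2)) // trusted-cert tag
		writeUTF(&body, e.Alias)
		binary.Write(&body, binary.BigEndian, uint64(e.Created.UnixMilli()))
		writeUTF(&body, "X.509")
		binary.Write(&body, binary.BigEndian, uint32(len(e.DER)))
		body.Write(e.DER)
	}
	// Trailer: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body); no salt, so stable.
	h := sha1.New()
	for _, r := range password { // BMP characters: one UTF-16 unit each
		h.Write([]byte{byte(r >> 8), byte(r)})
	}
	h.Write([]byte("Mighty Aphrodite"))
	h.Write(body.Bytes())
	return append(body.Bytes(), h.Sum(nil)...)
}

// TruststoreFromPEM mirrors the reconciler loop: each CERTIFICATE block becomes
// "alias<i>" stamped with one caller-supplied time (the ConfigMap CreationTimestamp
// in the patch) rather than time.Now(). Unlike the hunk it rejects non-certificate blocks.
func TruststoreFromPEM(bundle []byte, created time.Time, password string) ([]byte, error) {
	var entries []TrustedEntry
	i := 0
	for p, rest := pem.Decode(bundle); p != nil; p, rest = pem.Decode(rest) {
		if p.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("block %d: unexpected PEM type %q", i, p.Type)
		}
		entries = append(entries, TrustedEntry{Alias: fmt.Sprintf("alias%d", i), Created: created, DER: p.Bytes})
		i++
	}
	if len(entries) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks in bundle")
	}
	return EncodeJKS(entries, password), nil
}

// sampleBundle is constructed input: two throwaway self-signed CAs made in-process.
func sampleBundle() []byte {
	var out []byte
	for i, cn := range []string{"Example CA 1", "Example CA 2"} {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
		der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out
}

func main() {
	created := time.Date(2023, 1, 2, 3, 4, 5, 0, time.UTC) // stand-in for configMap.GetCreationTimestamp().Time
	bundle := sampleBundle()
	a, err := TruststoreFromPEM(bundle, created, "changeit")
	b, _ := TruststoreFromPEM(bundle, created, "changeit")
	fmt.Printf("err=%v bytes=%d reproducible=%v\n", err, len(a), bytes.Equal(a, b)) // verify with keytool -list
}
```

Running it twice on the same bundle yields identical bytes, which is the "compare before and after" check from the thread made mechanical; the output can be saved to a file and opened with `keytool -list -keystore truststore.jks -storepass changeit`. It is deliberately a writer only: reading an existing truststore back to reuse its stored CreationDate (the last option in the list above) needs the matching parser, and private-key entries, whose encrypted blob carries a random salt, are out of scope.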
OK, please confirm that this change fixes the issue, then send a PR?
#144 is now ready to be reviewed.