Filter out ocp certs from the external ones

When using RHACM to deploy disconnected IBU seed SNO clusters, the trusted-ca-bundle, which should only contain external to OCP CA certificates, can contain also OCP internal CA certificates. E.g.: - internal-loadbalancer-serving - service-network-serving-cert - localhost-serving-cert - external-loadbalancer-serving This change filters out all certs found in there with their subject containing openshift as the organisation unit (i.e. OU=openshift), as they are not external certs and should not be ignored by recert when regenerating and re-signing OCP certificates. Signed-off-by: Michail Resvanis <[email protected]>
rh-ecosystem-edge · Mar 5, 2025 · 6421985 · 6421985
1 parent 0587575
commit 6421985
Showing 1 changed file with 28 additions and 10 deletions.
diff --git a/src/cluster_crypto/scanning/external_certs.rs b/src/cluster_crypto/scanning/external_certs.rs
@@ -1,12 +1,24 @@
 use super::super::locations::K8sResourceLocation;
 use crate::k8s_etcd::get_etcd_json;
 use crate::k8s_etcd::InMemoryK8sEtcd;
-use anyhow::{bail, Context, Result};
+use anyhow::{Context, Result};
 use itertools::Itertools;
 use std::collections::HashSet;
 use std::sync::Arc;
 use x509_certificate::X509Certificate;
 
+const OPENSHIFT_CN_PATTERNS: &[&str] = &[
+    "ou=openshift",
+    "cn=ingress-operator@",
+    "cn=openshift-kube-apiserver-operator_localhost-recovery-serving-signer@",
+];
+
+fn is_openshift_certificate(subject: &str) -> bool {
+    OPENSHIFT_CN_PATTERNS
+        .iter()
+        .any(|pattern| subject.to_lowercase().contains(*pattern))
+}
+
 pub(crate) async fn discover_external_certs(in_memory_etcd_client: Arc<InMemoryK8sEtcd>) -> Result<HashSet<String>> {
     let proxy_trusted_certs = vec![get_openshift_proxy_trusted_certs(&in_memory_etcd_client)
         .await
@@ -35,16 +47,22 @@ pub(crate) async fn discover_external_certs(in_memory_etcd_client: Arc<InMemoryK
     pem::parse_many(all_certs_bundled)
         .context("parsing")?
         .into_iter()
-        .map(|pem| match pem.tag() {
-            "CERTIFICATE" => Ok({
-                let crt = X509Certificate::from_der(pem.contents()).context("from der")?;
-                let cn = crt.subject_name().user_friendly_str().unwrap_or("undecodable".to_string());
+        .filter_map(|pem| match pem.tag() {
+            "CERTIFICATE" => match X509Certificate::from_der(pem.contents()) {
+                Ok(crt) => {
+                    let cn = crt.subject_name().user_friendly_str().unwrap_or("undecodable".to_string());
 
-                log::trace!("Found external certificate: {}", cn);
-
-                cn.to_string()
-            }),
-            _ => bail!("unexpected tag"),
+                    if is_openshift_certificate(&cn) {
+                        log::trace!("Ignoring OpenShift certificate found in external certificates: {}", cn);
+                        None
+                    } else {
+                        log::trace!("Found external certificate: {}", cn);
+                        Some(Ok(cn))
+                    }
+                }
+                Err(e) => Some(Err(anyhow::Error::new(e).context("from der"))),
+            },
+            _ => Some(Err(anyhow::anyhow!("unexpected tag"))),
         })
         .collect::<Result<HashSet<_>>>()
 }