Pass caBundle instead of an object

vmware-tanzu · Jul 6, 2023 · 4ce4c9f · 4ce4c9f
1 parent ae80e00
commit 4ce4c9f
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/internal/controller/impersonatorconfig/impersonator_config.go b/internal/controller/impersonatorconfig/impersonator_config.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
 package impersonatorconfig
@@ -285,22 +285,26 @@ func (c *impersonatorConfigController) doSync(syncCtx controllerlib.Context, cre
 		return nil, err
 	}
 
-	var impersonationCA *certauthority.CA
+	var impersonationCABundle []byte
 	if c.shouldHaveImpersonator(impersonationSpec) {
+		var impersonationCA *certauthority.CA
 		if impersonationCA, err = c.ensureCASecretIsCreated(ctx); err != nil {
 			return nil, err
 		}
 		if err = c.ensureTLSSecret(ctx, nameInfo, impersonationCA); err != nil {
 			return nil, err
 		}
+		if impersonationCA != nil {
+			impersonationCABundle = impersonationCA.Bundle()
+		}
 	} else {
 		if err = c.ensureTLSSecretIsRemoved(ctx); err != nil {
 			return nil, err
 		}
 		c.clearTLSSecret()
 	}
 
-	credentialIssuerStrategyResult := c.doSyncResult(nameInfo, impersonationSpec, impersonationCA)
+	credentialIssuerStrategyResult := c.doSyncResult(nameInfo, impersonationSpec, impersonationCABundle)
 
 	if c.shouldHaveImpersonator(impersonationSpec) {
 		if err = c.loadSignerCA(); err != nil {
@@ -1018,7 +1022,7 @@ func (c *impersonatorConfigController) clearSignerCA() {
 	c.impersonationSigningCertProvider.UnsetCertKeyContent()
 }
 
-func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, config *v1alpha1.ImpersonationProxySpec, ca *certauthority.CA) *v1alpha1.CredentialIssuerStrategy {
+func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, config *v1alpha1.ImpersonationProxySpec, caBundle []byte) *v1alpha1.CredentialIssuerStrategy {
 	switch {
 	case c.disabledExplicitly(config):
 		return &v1alpha1.CredentialIssuerStrategy{
@@ -1055,7 +1059,7 @@ func (c *impersonatorConfigController) doSyncResult(nameInfo *certNameInfo, conf
 				Type: v1alpha1.ImpersonationProxyFrontendType,
 				ImpersonationProxyInfo: &v1alpha1.ImpersonationProxyInfo{
 					Endpoint:                 "https://" + nameInfo.clientEndpoint,
-					CertificateAuthorityData: base64.StdEncoding.EncodeToString(ca.Bundle()),
+					CertificateAuthorityData: base64.StdEncoding.EncodeToString(caBundle),
 				},
 			},
 		}