From 4a489b897951ac1c9c66687ef73125bcf2f7e937 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Wed, 22 Feb 2023 10:04:17 +0100
Subject: [PATCH] fix: delete certificate secret if type is not TLS (#6368)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché
---
 pkg/controllers/certmanager/controller.go | 8 ++++----
 pkg/tls/renewer.go | 16 ++++++++++++++++
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/pkg/controllers/certmanager/controller.go b/pkg/controllers/certmanager/controller.go
index bd36dc0316..537604401e 100644
--- a/pkg/controllers/certmanager/controller.go
+++ b/pkg/controllers/certmanager/controller.go
@@ -76,7 +76,7 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
 if name != tls.GenerateTLSPairSecretName() && name != tls.GenerateRootCASecretName() {
 return nil
 }
- return c.renewCertificates()
+ return c.renewCertificates(ctx)
 }
 
 func (c *controller) ticker(ctx context.Context, logger logr.Logger) {
@@ -101,11 +101,11 @@ func (c *controller) ticker(ctx context.Context, logger logr.Logger) {
 }
 }
 
-func (c *controller) renewCertificates() error {
- if err := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, logger, "failed to renew CA", c.renewer.RenewCA)(); err != nil {
+func (c *controller) renewCertificates(ctx context.Context) error {
+ if err := retryutils.RetryFunc(ctx, time.Second, 5*time.Second, logger, "failed to renew CA", c.renewer.RenewCA)(); err != nil {
 return err
 }
- if err := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, logger, "failed to renew TLS", c.renewer.RenewTLS)(); err != nil {
+ if err := retryutils.RetryFunc(ctx, time.Second, 5*time.Second, logger, "failed to renew TLS", c.renewer.RenewTLS)(); err != nil {
 return err
 }
 return nil
diff --git a/pkg/tls/renewer.go b/pkg/tls/renewer.go
index 272dc757b7..b64f88f524 100644
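Review bot: `renewCertificates` now threads `ctx` through but still logs via an outer-scope `logger`, while both of its callers, `reconcile` and `ticker`, receive a `logger logr.Logger` parameter; passing the logger alongside ctx, `func (c *controller) renewCertificates(ctx context.Context, logger logr.Logger) error`, would keep the three signatures consistent and let the "failed to renew CA"/"failed to renew TLS" retry messages carry whatever fields the caller's logger already has (presumably the reconcile key, which I cannot confirm from the hunk). The function's closing brace lies outside the hunk.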
--- a/pkg/tls/renewer.go
+++ b/pkg/tls/renewer.go
@@ -91,6 +91,14 @@ func (c *certRenewer) RenewCA(ctx context.Context) error {
 logger.Error(err, "tls is not valid but certificates are not managed by kyverno, we can't renew them")
 return err
 }
+ if secret != nil && secret.Type != corev1.SecretTypeTLS {
+ logger.Info("CA secret type is not TLS, we're going to delete it and regenrate one")
+ err := c.client.Delete(ctx, secret.Name, metav1.DeleteOptions{})
+ if err != nil {
+ logger.Error(err, "failed to delete CA secret")
+ }
+ return err
+ }
 caKey, caCert, err := generateCA(key, c.caValidityDuration)
 if err != nil {
 logger.Error(err, "failed to generate CA")
@@ -127,6 +135,14 @@ func (c *certRenewer) RenewTLS(ctx context.Context) error {
 logger.Error(err, "tls is not valid but certificates are not managed by kyverno, we can't renew them")
 return err
 }
+ if secret != nil && secret.Type != corev1.SecretTypeTLS {
+ logger.Info("TLS secret type is not TLS, we're going to delete it and regenrate one")
+ err := c.client.Delete(ctx, secret.Name, metav1.DeleteOptions{})
+ if err != nil {
+ logger.Error(err, "failed to delete TLS secret")
+ }
+ return err
+ }
 tlsKey, tlsCert, err := generateTLS(c.server, caCerts[len(caCerts)-1], caKey, c.tlsValidityDuration)
 if err != nil {
 logger.Error(err, "failed to generate TLS")
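Review bot: After a successful `c.client.Delete` the new branch returns a nil error, so RenewCA reports success at a moment when no CA secret exists and nothing in this hunk regenerates one, even though the log line announces it will; if the intent is that the delete event re-triggers reconcile (the controller.go hunk shows reconcile reacting to exactly these two secret names), document that with a comment such as `// Return after deleting: the delete event re-triggers reconcile, which regenerates the secret on the next pass.`, otherwise fall through to `generateCA` instead of returning. A secret removed concurrently would make `Delete` return a not-found error that this branch treats as a failure and the caller's retry loop will retry, so tolerating not-found there is worth considering. The same eight lines appear verbatim in the RenewTLS hunk below, differing only in the two log strings, so a small helper taking the secret and a label would remove the duplication and fix the typo `regenrate` in both messages at once. Both RenewCA and RenewTLS start and end outside their hunks.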