From 9e16e763a00f54acea402d3259743cee80c23034 Mon Sep 17 00:00:00 2001
From: Kumar Mallikarjuna
Date: Sat, 8 Jan 2022 01:45:00 +0530
Subject: [PATCH] ValidCert Secret Annotation Check (#2933)

* Annotation check for Secrets

Signed-off-by: Kumar Mallikarjuna

* Fix inconsistent errors

Signed-off-by: Kumar Mallikarjuna

* Fix linting error

Signed-off-by: Kumar Mallikarjuna
---
 pkg/tls/certRenewer.go | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/pkg/tls/certRenewer.go b/pkg/tls/certRenewer.go
index 54158fe095..95dd3cb971 100644
--- a/pkg/tls/certRenewer.go
+++ b/pkg/tls/certRenewer.go
@@ -332,6 +332,41 @@ func (c *CertRenewer) RollingUpdate() error {
 func (c *CertRenewer) ValidCert() (bool, error) {
 	logger := c.log.WithName("ValidCert")
+	certProps, err := GetTLSCertProps(c.clientConfig)
+	if err != nil {
+		return false, nil
+	}
+	var managedByKyverno bool
+	snameTLS := generateTLSPairSecretName(certProps)
+	snameCA := generateRootCASecretName(certProps)
+	unstrSecret, err := c.client.GetResource("", "Secret", certProps.Namespace, snameTLS)
+	if err != nil {
+		return false, nil
+	}
+
+	if label, ok := unstrSecret.GetLabels()[ManagedByLabel]; ok {
+		managedByKyverno = label == "kyverno"
+	}
+
+	_, ok := unstrSecret.GetAnnotations()[MasterDeploymentUID]
+	if managedByKyverno && !ok {
+		return false, nil
+	}
+
+	unstrSecret, err = c.client.GetResource("", "Secret", certProps.Namespace, snameCA)
+	if err != nil {
+		return false, nil
+	}
+
+	if label, ok := unstrSecret.GetLabels()[ManagedByLabel]; ok {
+		managedByKyverno = label == "kyverno"
+	}
+
+	_, ok = unstrSecret.GetAnnotations()[MasterDeploymentUID]
+	if managedByKyverno && !ok {
+		return false, nil
+	}
+
 	rootCA, err := ReadRootCASecret(c.clientConfig, c.client)
 	if err != nil {
 		return false, errors.Wrap(err, "unable to read CA from secret")
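Review bot: Every new early exit in ValidCert returns `false, nil`, so a transient API-server failure in GetTLSCertProps or either GetResource call is indistinguishable from a genuinely unmanaged or incomplete secret, while the existing ReadRootCASecret path a few lines later wraps and propagates its error; if a missing secret is meant to count as "not valid", test for NotFound explicitly (apimachinery's `apierrors.IsNotFound`, which would need its import) and propagate everything else with `errors.Wrap`. The `managedByKyverno` flag is also carried over from the TLS secret into the CA-secret check: when the CA secret carries no ManagedByLabel the second `if label, ok` is skipped and the flag keeps the TLS secret's value, so the CA secret is judged by the wrong label. Both checks are the same code twice and collapse into a loop over the two secret names, which scopes the flag per secret and removes the reassigned `ok`. ValidCert's body continues past the hunk.
```go
	snameTLS := generateTLSPairSecretName(certProps)
	snameCA := generateRootCASecretName(certProps)
	for _, name := range []string{snameTLS, snameCA} {
		unstrSecret, err := c.client.GetResource("", "Secret", certProps.Namespace, name)
		if err != nil {
			if apierrors.IsNotFound(err) {
				// absent secret: certificate is not valid, but this is not an API failure
				return false, nil
			}
			return false, errors.Wrap(err, "unable to read secret "+name)
		}
		// indexing a nil label map yields "", so an unlabelled secret is not managed
		managedByKyverno := unstrSecret.GetLabels()[ManagedByLabel] == "kyverno"
		if _, ok := unstrSecret.GetAnnotations()[MasterDeploymentUID]; managedByKyverno && !ok {
			return false, nil
		}
	}
	// … unchanged: ReadRootCASecret and the remaining validation …
```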