ValidCert Secret Annotation Check (#2933)

* Annotation check for Secrets Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Fix inconsistent errors Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Fix linting error Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2022-01-08 01:45:00 +05:30 · 2022-01-08 01:45:00 +05:30 · 9e16e763a0
commit 9e16e763a0
parent 4410b6adc3
1 changed files with 35 additions and 0 deletions
--- a/pkg/tls/certRenewer.go
+++ b/pkg/tls/certRenewer.go
@ -332,6 +332,41 @@ func (c *CertRenewer) RollingUpdate() error {
 func (c *CertRenewer) ValidCert() (bool, error) {
 	logger := c.log.WithName("ValidCert")

+	certProps, err := GetTLSCertProps(c.clientConfig)
+	if err != nil {
+		return false, nil
+	}
+	var managedByKyverno bool
+	snameTLS := generateTLSPairSecretName(certProps)
+	snameCA := generateRootCASecretName(certProps)
+	unstrSecret, err := c.client.GetResource("", "Secret", certProps.Namespace, snameTLS)
+	if err != nil {
+		return false, nil
+	}
+
+	if label, ok := unstrSecret.GetLabels()[ManagedByLabel]; ok {
+		managedByKyverno = label == "kyverno"
+	}
+
+	_, ok := unstrSecret.GetAnnotations()[MasterDeploymentUID]
+	if managedByKyverno && !ok {
+		return false, nil
+	}
+
+	unstrSecret, err = c.client.GetResource("", "Secret", certProps.Namespace, snameCA)
+	if err != nil {
+		return false, nil
+	}
+
+	if label, ok := unstrSecret.GetLabels()[ManagedByLabel]; ok {
+		managedByKyverno = label == "kyverno"
+	}
+
+	_, ok = unstrSecret.GetAnnotations()[MasterDeploymentUID]
+	if managedByKyverno && !ok {
+		return false, nil
+	}
+
 	rootCA, err := ReadRootCASecret(c.clientConfig, c.client)
 	if err != nil {
 		return false, errors.Wrap(err, "unable to read CA from secret")