20309154141

Committed 17 Dec 2025 04:03PM UTC coverage: 78.861% (+0.07%) from 78.794%

Build # 20309154141

Build Type

push

github

Committed by

OliverMKing

Commit Message

bump dependencies for cve reasons

Run Details

4197 of 5322 relevant lines covered (78.86%)

23.88 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

79.46

/pkg/controller/defaultdomaincert/default_domain_cert_controller.go

package defaultdomaincert

import (
        "context"
        "errors"
        "fmt"
        "time"

        approutingv1alpha1 "github.com/Azure/aks-app-routing-operator/api/v1alpha1"
        defaultdomain "github.com/Azure/aks-app-routing-operator/pkg/clients/default-domain"
        "github.com/Azure/aks-app-routing-operator/pkg/config"
        "github.com/Azure/aks-app-routing-operator/pkg/controller/controllername"
        "github.com/Azure/aks-app-routing-operator/pkg/controller/metrics"
        "github.com/Azure/aks-app-routing-operator/pkg/manifests"
        "github.com/Azure/aks-app-routing-operator/pkg/tls"
        "github.com/Azure/aks-app-routing-operator/pkg/util"
        corev1 "k8s.io/api/core/v1"
        apierrors "k8s.io/apimachinery/pkg/api/errors"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
        "k8s.io/client-go/tools/record"
        ctrl "sigs.k8s.io/controller-runtime"
        "sigs.k8s.io/controller-runtime/pkg/client"
        "sigs.k8s.io/controller-runtime/pkg/log"
)

var name = controllername.New("default", "domain", "cert", "reconciler")

// defaultDomainClient is an interface for fetching TLS certificates from the default domain service
type defaultDomainClient interface {
        GetTLSCertificate(ctx context.Context) (*defaultdomain.TLSCertificate, error)
}

type defaultDomainCertControllerReconciler struct {
        client       client.Client
        events       record.EventRecorder
        conf         *config.Config
        defaultDomainClient defaultDomainClient
}

func NewReconciler(conf *config.Config, mgr ctrl.Manager, defaultDomainClient *defaultdomain.CachedClient) error {
        metrics.InitControllerMetrics(name)

        reconciler := &defaultDomainCertControllerReconciler{
                client:              mgr.GetClient(),
                events:              mgr.GetEventRecorderFor("aks-app-routing-operator"),
                conf:                conf,
                defaultDomainClient: defaultDomainClient,
        }

        // Verify we can fetch the certificate initially
        if _, _, err := reconciler.getAndVerifyCertAndKeyFromClient(context.Background()); err != nil {
                return fmt.Errorf("verifying cert and key from client: %w", err)
        }

        if err := name.AddToController(
                ctrl.NewControllerManagedBy(mgr).
                        For(&approutingv1alpha1.DefaultDomainCertificate{}).
                        Owns(&corev1.Secret{}),
                mgr.GetLogger(),
        ).Complete(reconciler); err != nil {
                return fmt.Errorf("building the controller: %w", err)
        }

        return nil
}

func (d *defaultDomainCertControllerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, err error) {
        start := time.Now()
        lgr := log.FromContext(ctx, "name", req.Name, "namespace", req.Namespace)
        ctx = log.IntoContext(ctx, lgr)

        lgr.Info("reconciling DefaultDomainCertificate")
        defer func() {
                lgr.Info("reconcile finished", "latency", time.Since(start))
        }()

        defaultDomainCertificate := &approutingv1alpha1.DefaultDomainCertificate{}
        if err := d.client.Get(ctx, req.NamespacedName, defaultDomainCertificate); err != nil {
                if apierrors.IsNotFound(err) { // object was deleted
                        lgr.Info("DefaultDomainCertificate not found")
                        return ctrl.Result{}, nil
                }

                lgr.Error(err, "unable to get DefaultDomainCertificate")
                return ctrl.Result{}, err
        }

        if defaultDomainCertificate.Spec.Target.Secret == nil {
                err := errors.New("DefaultDomainCertificate has no target secret specified")
                lgr.Error(err, "DefaultDomainCertificate has no target specified, this should be blocked by CRD CEL validation")
                return ctrl.Result{}, err
        }

        lgr = lgr.WithValues("secretTarget", *defaultDomainCertificate.Spec.Target.Secret)
        ctx = log.IntoContext(ctx, lgr)

        lgr.Info("upserting Secret for DefaultDomainCertificate")
        secret, err := d.generateSecret(ctx, defaultDomainCertificate)
        if err != nil {
                err := fmt.Errorf("generating Secret for DefaultDomainCertificate: %w", err)
                lgr.Error(err, "failed to generate Secret for DefaultDomainCertificate")
                return ctrl.Result{}, err
        }

        if err := util.Upsert(ctx, d.client, secret); err != nil {
                d.events.Eventf(defaultDomainCertificate, corev1.EventTypeWarning, "ApplyingCertificateSecretFailed", "Failed to apply Secret for DefaultDomainCertificate: %s", err.Error())
                lgr.Error(err, "failed to upsert Secret for DefaultDomainCertificate")
                return ctrl.Result{}, err
        }

        // Update the status of the DefaultDomainCertificate
        defaultDomainCertificate.SetCondition(metav1.Condition{
                Type:    approutingv1alpha1.DefaultDomainCertificateConditionTypeAvailable,
                Status:  metav1.ConditionTrue,
                Reason:  "CertificateSecretApplied",
                Message: fmt.Sprintf("Secret %s/%s successfully applied for DefaultDomainCertificate", secret.Namespace, secret.Name),
        })
        if err := d.client.Status().Update(ctx, defaultDomainCertificate); err != nil {
                lgr.Error(err, "failed to update status for DefaultDomainCertificate")
                return ctrl.Result{}, err
        }

        return ctrl.Result{}, nil
}

func (d *defaultDomainCertControllerReconciler) generateSecret(ctx context.Context, defaultDomainCertificate *approutingv1alpha1.DefaultDomainCertificate) (*corev1.Secret, error) {
        cert, key, err := d.getAndVerifyCertAndKeyFromClient(ctx)
        if err != nil {
                return nil, fmt.Errorf("getting and verifying cert and key: %w", err)
        }

        secret := &corev1.Secret{
                ObjectMeta: metav1.ObjectMeta{
                        Name:      *defaultDomainCertificate.Spec.Target.Secret,
                        Namespace: defaultDomainCertificate.Namespace,
                        Labels:    manifests.GetTopLevelLabels(),
                },
                TypeMeta: metav1.TypeMeta{
                        Kind:       "Secret",
                        APIVersion: corev1.SchemeGroupVersion.String(),
                },
                Type: corev1.SecretTypeTLS,
                Data: map[string][]byte{
                        "tls.crt": cert,
                        "tls.key": key,
                },
        }

        owner := manifests.GetOwnerRefs(defaultDomainCertificate, true)
        secret.SetOwnerReferences(owner)

        return secret, nil
}

func (d *defaultDomainCertControllerReconciler) getAndVerifyCertAndKeyFromClient(ctx context.Context) ([]byte, []byte, error) {
        tlsCert, err := d.defaultDomainClient.GetTLSCertificate(ctx)
        if err != nil {
                return nil, nil, fmt.Errorf("failed to get TLS certificate from client: %w", err)
        }

        if tlsCert.Key == nil || len(tlsCert.Key) == 0 {
                return nil, nil, fmt.Errorf("TLS certificate key is empty")
        }

        if tlsCert.Cert == nil || len(tlsCert.Cert) == 0 {
                return nil, nil, fmt.Errorf("TLS certificate cert is empty")
        }

        if _, err := tls.ParseTLSCertificate(tlsCert.Cert, tlsCert.Key); err != nil {
                return nil, nil, fmt.Errorf("validating cert and key: %w", err)
        }

        return tlsCert.Cert, tlsCert.Key, nil
}

1	package defaultdomaincert
2
3	import (
4	"context"
5	"errors"
6	"fmt"
7	"time"
8
9	approutingv1alpha1 "github.com/Azure/aks-app-routing-operator/api/v1alpha1"
10	defaultdomain "github.com/Azure/aks-app-routing-operator/pkg/clients/default-domain"
11	"github.com/Azure/aks-app-routing-operator/pkg/config"
12	"github.com/Azure/aks-app-routing-operator/pkg/controller/controllername"
13	"github.com/Azure/aks-app-routing-operator/pkg/controller/metrics"
14	"github.com/Azure/aks-app-routing-operator/pkg/manifests"
15	"github.com/Azure/aks-app-routing-operator/pkg/tls"
16	"github.com/Azure/aks-app-routing-operator/pkg/util"
17	corev1 "k8s.io/api/core/v1"
18	apierrors "k8s.io/apimachinery/pkg/api/errors"
19	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
20	"k8s.io/client-go/tools/record"
21	ctrl "sigs.k8s.io/controller-runtime"
22	"sigs.k8s.io/controller-runtime/pkg/client"
23	"sigs.k8s.io/controller-runtime/pkg/log"
24	)
25
26	var name = controllername.New("default", "domain", "cert", "reconciler")
27
28	// defaultDomainClient is an interface for fetching TLS certificates from the default domain service
29	type defaultDomainClient interface {
30	GetTLSCertificate(ctx context.Context) (*defaultdomain.TLSCertificate, error)
31	}
32
33	type defaultDomainCertControllerReconciler struct {
34	client client.Client
35	events record.EventRecorder
36	conf *config.Config
37	defaultDomainClient defaultDomainClient
38	}
39
40	func NewReconciler(conf config.Config, mgr ctrl.Manager, defaultDomainClient defaultdomain.CachedClient) error {	×
41	metrics.InitControllerMetrics(name)	×
42		×
43	reconciler := &defaultDomainCertControllerReconciler{	×
44	client: mgr.GetClient(),	×
45	events: mgr.GetEventRecorderFor("aks-app-routing-operator"),	×
46	conf: conf,	×
47	defaultDomainClient: defaultDomainClient,	×
48	}	×
49		×
50	// Verify we can fetch the certificate initially	×
51	if _, _, err := reconciler.getAndVerifyCertAndKeyFromClient(context.Background()); err != nil {	×
52	return fmt.Errorf("verifying cert and key from client: %w", err)	×
53	}	×
54
55	if err := name.AddToController(	×
56	ctrl.NewControllerManagedBy(mgr).	×
57	For(&approutingv1alpha1.DefaultDomainCertificate{}).	×
58	Owns(&corev1.Secret{}),	×
59	mgr.GetLogger(),	×
60	).Complete(reconciler); err != nil {	×
61	return fmt.Errorf("building the controller: %w", err)	×
62	}	×
63
64	return nil	×
65	}
66
67	func (d *defaultDomainCertControllerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, err error) {	11✔
68	start := time.Now()	11✔
69	lgr := log.FromContext(ctx, "name", req.Name, "namespace", req.Namespace)	11✔
70	ctx = log.IntoContext(ctx, lgr)	11✔
71		11✔
72	lgr.Info("reconciling DefaultDomainCertificate")	11✔
73	defer func() {	22✔
74	lgr.Info("reconcile finished", "latency", time.Since(start))	11✔
75	}()	11✔
76
77	defaultDomainCertificate := &approutingv1alpha1.DefaultDomainCertificate{}	11✔
78	if err := d.client.Get(ctx, req.NamespacedName, defaultDomainCertificate); err != nil {	13✔
79	if apierrors.IsNotFound(err) { // object was deleted	3✔
80	lgr.Info("DefaultDomainCertificate not found")	1✔
81	return ctrl.Result{}, nil	1✔
82	}	1✔
83
84	lgr.Error(err, "unable to get DefaultDomainCertificate")	1✔
85	return ctrl.Result{}, err	1✔
86	}
87
88	if defaultDomainCertificate.Spec.Target.Secret == nil {	10✔
89	err := errors.New("DefaultDomainCertificate has no target secret specified")	1✔
90	lgr.Error(err, "DefaultDomainCertificate has no target specified, this should be blocked by CRD CEL validation")	1✔
91	return ctrl.Result{}, err	1✔
92	}	1✔
93
94	lgr = lgr.WithValues("secretTarget", *defaultDomainCertificate.Spec.Target.Secret)	8✔
95	ctx = log.IntoContext(ctx, lgr)	8✔
96		8✔
97	lgr.Info("upserting Secret for DefaultDomainCertificate")	8✔
98	secret, err := d.generateSecret(ctx, defaultDomainCertificate)	8✔
99	if err != nil {	9✔
100	err := fmt.Errorf("generating Secret for DefaultDomainCertificate: %w", err)	1✔
101	lgr.Error(err, "failed to generate Secret for DefaultDomainCertificate")	1✔
102	return ctrl.Result{}, err	1✔
103	}	1✔
104
105	if err := util.Upsert(ctx, d.client, secret); err != nil {	9✔
106	d.events.Eventf(defaultDomainCertificate, corev1.EventTypeWarning, "ApplyingCertificateSecretFailed", "Failed to apply Secret for DefaultDomainCertificate: %s", err.Error())	2✔
107	lgr.Error(err, "failed to upsert Secret for DefaultDomainCertificate")	2✔
108	return ctrl.Result{}, err	2✔
109	}	2✔
110
111	// Update the status of the DefaultDomainCertificate
112	defaultDomainCertificate.SetCondition(metav1.Condition{	5✔
113	Type: approutingv1alpha1.DefaultDomainCertificateConditionTypeAvailable,	5✔
114	Status: metav1.ConditionTrue,	5✔
115	Reason: "CertificateSecretApplied",	5✔
116	Message: fmt.Sprintf("Secret %s/%s successfully applied for DefaultDomainCertificate", secret.Namespace, secret.Name),	5✔
117	})	5✔
118	if err := d.client.Status().Update(ctx, defaultDomainCertificate); err != nil {	6✔
119	lgr.Error(err, "failed to update status for DefaultDomainCertificate")	1✔
120	return ctrl.Result{}, err	1✔
121	}	1✔
122
123	return ctrl.Result{}, nil	4✔
124	}
125
126	func (d defaultDomainCertControllerReconciler) generateSecret(ctx context.Context, defaultDomainCertificate approutingv1alpha1.DefaultDomainCertificate) (*corev1.Secret, error) {	17✔
127	cert, key, err := d.getAndVerifyCertAndKeyFromClient(ctx)	17✔
128	if err != nil {	24✔
129	return nil, fmt.Errorf("getting and verifying cert and key: %w", err)	7✔
130	}	7✔
131
132	secret := &corev1.Secret{	10✔
133	ObjectMeta: metav1.ObjectMeta{	10✔
134	Name: *defaultDomainCertificate.Spec.Target.Secret,	10✔
135	Namespace: defaultDomainCertificate.Namespace,	10✔
136	Labels: manifests.GetTopLevelLabels(),	10✔
137	},	10✔
138	TypeMeta: metav1.TypeMeta{	10✔
139	Kind: "Secret",	10✔
140	APIVersion: corev1.SchemeGroupVersion.String(),	10✔
141	},	10✔
142	Type: corev1.SecretTypeTLS,	10✔
143	Data: map[string][]byte{	10✔
144	"tls.crt": cert,	10✔
145	"tls.key": key,	10✔
146	},	10✔
147	}	10✔
148		10✔
149	owner := manifests.GetOwnerRefs(defaultDomainCertificate, true)	10✔
150	secret.SetOwnerReferences(owner)	10✔
151		10✔
152	return secret, nil	10✔
153	}
154
155	func (d *defaultDomainCertControllerReconciler) getAndVerifyCertAndKeyFromClient(ctx context.Context) ([]byte, []byte, error) {	21✔
156	tlsCert, err := d.defaultDomainClient.GetTLSCertificate(ctx)	21✔
157	if err != nil {	22✔
158	return nil, nil, fmt.Errorf("failed to get TLS certificate from client: %w", err)	1✔
159	}	1✔
160
161	if tlsCert.Key == nil \|\| len(tlsCert.Key) == 0 {	23✔
162	return nil, nil, fmt.Errorf("TLS certificate key is empty")	3✔
163	}	3✔
164
165	if tlsCert.Cert == nil \|\| len(tlsCert.Cert) == 0 {	20✔
166	return nil, nil, fmt.Errorf("TLS certificate cert is empty")	3✔
167	}	3✔
168
169	if _, err := tls.ParseTLSCertificate(tlsCert.Cert, tlsCert.Key); err != nil {	17✔
170	return nil, nil, fmt.Errorf("validating cert and key: %w", err)	3✔
171	}	3✔
172
173	return tlsCert.Cert, tlsCert.Key, nil	11✔
174	}

Azure / aks-app-routing-operator / 20309154141

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous