fix: skip adding image registry CA file when not set

dkoshkin · dkoshkin · commit 6f8b4fb0026e · 2024-06-26T11:04:22.000-07:00
diff --git a/pkg/handlers/generic/mutation/mirrors/containerd_files.go b/pkg/handlers/generic/mutation/mirrors/containerd_files.go
@@ -19,7 +19,7 @@ import (
 
 const (
 	containerdHostsConfigurationOnRemote = "/etc/containerd/certs.d/_default/hosts.toml"
-	secretKeyForMirrorCACert             = "ca.crt"
+	secretKeyForCACert                   = "ca.crt"
 )
 
 var (
@@ -159,7 +159,7 @@ func generateRegistryCACertFiles(
 			ContentFrom: &cabpkv1.FileSource{
 				Secret: cabpkv1.SecretFileSource{
 					Name: config.CASecretName,
-					Key:  secretKeyForMirrorCACert,
+					Key:  secretKeyForCACert,
 				},
 			},
 		})
diff --git a/pkg/handlers/generic/mutation/mirrors/inject.go b/pkg/handlers/generic/mutation/mirrors/inject.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 
+	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -193,9 +194,9 @@ func containerdConfigFromGlobalMirror(
 		)
 	}
 
-	if secret != nil {
+	if secretHasCACert(secret) {
 		configWithOptionalCACert.CASecretName = secret.Name
-		configWithOptionalCACert.CACert = string(secret.Data[secretKeyForMirrorCACert])
+		configWithOptionalCACert.CACert = string(secret.Data[secretKeyForCACert])
 	}
 
 	return configWithOptionalCACert, nil
@@ -225,9 +226,9 @@ func containerdConfigFromImageRegistry(
 		)
 	}
 
-	if secret != nil {
+	if secretHasCACert(secret) {
 		configWithOptionalCACert.CASecretName = secret.Name
-		configWithOptionalCACert.CACert = string(secret.Data[secretKeyForMirrorCACert])
+		configWithOptionalCACert.CACert = string(secret.Data[secretKeyForCACert])
 	}
 
 	return configWithOptionalCACert, nil
@@ -271,3 +272,12 @@ func needContainerdConfiguration(configs []containerdConfig) bool {
 
 	return false
 }
+
+func secretHasCACert(secret *corev1.Secret) bool {
+	if secret == nil {
+		return false
+	}
+
+	_, ok := secret.Data[secretKeyForCACert]
+	return ok
+}

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`	`"context"`
`8`	`8`	`"fmt"`
`9`	`9`
	`10`	`+ corev1 "k8s.io/api/core/v1"`
`10`	`11`	`apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"`
`11`	`12`	`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
`12`	`13`	`"k8s.io/apimachinery/pkg/runtime"`
`@@ -193,9 +194,9 @@ func containerdConfigFromGlobalMirror(`
`193`	`194`	`)`
`194`	`195`	`}`
`195`	`196`
`196`		`- if secret != nil {`
	`197`	`+ if secretHasCACert(secret) {`
`197`	`198`	`configWithOptionalCACert.CASecretName = secret.Name`
`198`		`- configWithOptionalCACert.CACert = string(secret.Data[secretKeyForMirrorCACert])`
	`199`	`+ configWithOptionalCACert.CACert = string(secret.Data[secretKeyForCACert])`
`199`	`200`	`}`
`200`	`201`
`201`	`202`	`return configWithOptionalCACert, nil`
`@@ -225,9 +226,9 @@ func containerdConfigFromImageRegistry(`
`225`	`226`	`)`
`226`	`227`	`}`
`227`	`228`
`228`		`- if secret != nil {`
	`229`	`+ if secretHasCACert(secret) {`
`229`	`230`	`configWithOptionalCACert.CASecretName = secret.Name`
`230`		`- configWithOptionalCACert.CACert = string(secret.Data[secretKeyForMirrorCACert])`
	`231`	`+ configWithOptionalCACert.CACert = string(secret.Data[secretKeyForCACert])`
`231`	`232`	`}`
`232`	`233`
`233`	`234`	`return configWithOptionalCACert, nil`
`@@ -271,3 +272,12 @@ func needContainerdConfiguration(configs []containerdConfig) bool {`
`271`	`272`
`272`	`273`	`return false`
`273`	`274`	`}`
	`275`	`+`
	`276`	`+func secretHasCACert(secret *corev1.Secret) bool {`
	`277`	`+ if secret == nil {`
	`278`	`+ return false`
	`279`	`+ }`
	`280`	`+`
	`281`	`+ _, ok := secret.Data[secretKeyForCACert]`
	`282`	`+ return ok`
	`283`	`+}`