fix: correctly handle multiple registries with the same Host

Write out a single CA file for multiple registries with the same url.Host.
Return an error if the CA content for those registries do not match.

Author: dkoshkin

pkg/handlers/generic/mutation/mirrors/containerd_files.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net/url"
 	"path"
+	"slices"
 	"strings"
 	"text/template"
 
@@ -139,21 +140,17 @@ func generateRegistryCACertFiles(
 
 	var files []cabpkv1.File //nolint:prealloc // We don't know the size of the slice yet.
 
-	for _, config := range configs {
-		if config.CASecretName == "" {
-			continue
-		}
-
-		registryCACertPathOnRemote, err := config.filePathFromURL()
-		if err != nil {
-			return nil, fmt.Errorf("failed generating CA certificate file path from URL: %w", err)
-		}
+	filesToGenerate, err := registryCACertFiles(configs)
+	if err != nil {
+		return nil, err
+	}
+	for _, file := range filesToGenerate {
 		files = append(files, cabpkv1.File{
-			Path:        registryCACertPathOnRemote,
+			Path:        file.path,
 			Permissions: "0600",
 			ContentFrom: &cabpkv1.FileSource{
 				Secret: cabpkv1.SecretFileSource{
-					Name: config.CASecretName,
+					Name: file.caSecretName,
 					Key:  secretKeyForCACert,
 				},
 			},
@@ -189,3 +186,52 @@ func formatURLForContainerd(uri string) (string, error) {
 	// using path.Join on all elements incorrectly drops a "/" from "https://"
 	return fmt.Sprintf("%s/%s", mirror, mirrorPath), nil
 }
+
+type containerdConfigFile struct {
+	path         string
+	url          string
+	caSecretName string
+	caCert       string
+}
+
+// registryCACertFiles returns a list of CA certificate files
+// that should be generated for the given containerd configurations.
+// If any of the provided configurations share the same url.Host only a single file will be generated.
+// An error will be returned, if the CA certificate content for the same URL.Host do not match.
+func registryCACertFiles(configs []containerdConfig) ([]containerdConfigFile, error) {
+	filesToGenerate := make([]containerdConfigFile, 0)
+	for _, config := range configs {
+		// Skip if CA certificate is not provided.
+		if config.CASecretName == "" {
+			continue
+		}
+		registryCACertPathOnRemote, err := config.filePathFromURL()
+		if err != nil {
+			return nil, fmt.Errorf("failed generating CA certificate file path from URL: %w", err)
+		}
+
+		foundIndex := slices.IndexFunc(filesToGenerate, func(f containerdConfigFile) bool {
+			return registryCACertPathOnRemote == f.path
+		})
+		// File not already found and needs to be generated.
+		if foundIndex == -1 {
+			filesToGenerate = append(filesToGenerate, containerdConfigFile{
+				path:         registryCACertPathOnRemote,
+				url:          config.URL,
+				caSecretName: config.CASecretName,
+				caCert:       config.CACert,
+			})
+			continue
+		}
+		// File is already in the list, check if the CA certificate content matches.
+		if config.CACert != filesToGenerate[foundIndex].caCert {
+			return nil, fmt.Errorf(
+				"CA certificate content for %q does not match one for %q",
+				config.URL,
+				filesToGenerate[foundIndex].url,
+			)
+		}
+	}
+
+	return filesToGenerate, nil
+}

pkg/handlers/generic/mutation/mirrors/containerd_files_test.go

@@ -4,6 +4,7 @@
 package mirrors
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -156,6 +157,7 @@ func Test_generateRegistryCACertFiles(t *testing.T) {
 		name    string
 		configs []containerdConfig
 		want    []cabpkv1.File
+		wantErr error
 	}{
 		{
 			name: "ECR mirror image registry with no CA certificate",
@@ -173,6 +175,39 @@ func Test_generateRegistryCACertFiles(t *testing.T) {
 				{
 					URL:          "https://registry.example.com",
 					CASecretName: "my-registry-credentials-secret",
+					CACert:       "-----BEGIN CERTIFICATE-----",
+					Mirror:       true,
+				},
+			},
+			want: []cabpkv1.File{
+				{
+					Path:        "/etc/containerd/certs.d/registry.example.com/ca.crt",
+					Owner:       "",
+					Permissions: "0600",
+					Encoding:    "",
+					Append:      false,
+					ContentFrom: &cabpkv1.FileSource{
+						Secret: cabpkv1.SecretFileSource{
+							Name: "my-registry-credentials-secret",
+							Key:  "ca.crt",
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "Mirror image registry and registry with the same CA certificate",
+			configs: []containerdConfig{
+				{
+					URL:          "https://registry.example.com/mirror",
+					CASecretName: "my-registry-credentials-secret",
+					CACert:       "-----BEGIN CERTIFICATE-----",
+					Mirror:       true,
+				},
+				{
+					URL:          "https://registry.example.com/library",
+					CASecretName: "my-registry-credentials-secret",
+					CACert:       "-----BEGIN CERTIFICATE-----",
 					Mirror:       true,
 				},
 			},
@@ -192,13 +227,39 @@ func Test_generateRegistryCACertFiles(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "Mirror image registry and registry with different CA certificates",
+			configs: []containerdConfig{
+				{
+					URL:          "https://registry.example.com/mirror",
+					CASecretName: "my-registry-credentials-secret",
+					CACert:       "-----BEGIN CERTIFICATE-----",
+					Mirror:       true,
+				},
+				{
+					URL:          "https://registry.example.com/library",
+					CASecretName: "my-registry-credentials-secret",
+					CACert:       "-----BEGIN CERTIFICATE----------END CERTIFICATE-----",
+					Mirror:       true,
+				},
+			},
+			wantErr: fmt.Errorf(
+				"CA certificate content for \"https://registry.example.com/library\" " +
+					"does not match one for \"https://registry.example.com/mirror\"",
+			),
+		},
 	}
 	for idx := range tests {
 		tt := tests[idx]
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			file, err := generateRegistryCACertFiles(tt.configs)
-			require.NoError(t, err)
+			if tt.wantErr != nil {
+				assert.Equal(t, tt.wantErr.Error(), err.Error())
+				return
+			} else {
+				require.NoError(t, err)
+			}
 			assert.Equal(t, tt.want, file)
 		})
 	}