|
1 | 1 | package operator2
|
2 | 2 |
|
3 | 3 | import (
|
4 |
| - "crypto/x509" |
5 | 4 | "fmt"
|
6 | 5 |
|
7 | 6 | corev1 "k8s.io/api/core/v1"
|
@@ -127,31 +126,6 @@ func routerSecretToSNI(routerSecret *corev1.Secret) []configv1.NamedCertificate
|
127 | 126 | return out
|
128 | 127 | }
|
129 | 128 |
|
130 |
| -func routerSecretToCA(route *routev1.Route, routerSecret *corev1.Secret, ingress *configv1.Ingress) []byte { |
131 |
| - var caData []byte |
132 |
| - |
133 |
| - // find the domain that matches our route |
134 |
| - if certs, ok := routerSecret.Data[ingress.Spec.Domain]; ok { |
135 |
| - caData = certs |
136 |
| - } |
137 |
| - |
138 |
| - // if we have no CA, use system roots (or more correctly, if we have no CERTIFICATE block) |
139 |
| - // TODO so this branch is effectively never taken, because the value of caData |
140 |
| - // is the concatenation of tls.crt and tls.key - the .crt data gets parsed |
141 |
| - // as a valid cert by AppendCertsFromPEM meaning ok is always true. |
142 |
| - // because Go is weird with how it validates TLS connections, having the actual |
143 |
| - // peer cert loaded in the transport is totally fine with the connection even |
144 |
| - // without having the CA loaded. this is weird but it lets us tolerate scenarios |
145 |
| - // where we do not have the CA (i.e. admin is using a cert from an internal company CA). |
146 |
| - // thus the only way we take this branch is if len(caData) == 0 |
147 |
| - if ok := x509.NewCertPool().AppendCertsFromPEM(caData); !ok { |
148 |
| - klog.Infof("using global CAs for %s, ingress domain=%s, cert data len=%d", route.Spec.Host, ingress.Spec.Domain, len(caData)) |
149 |
| - return nil |
150 |
| - } |
151 |
| - |
152 |
| - return caData |
153 |
| -} |
154 |
| - |
155 | 129 | func getCanonicalHost(route *routev1.Route, ingressConfig *configv1.Ingress) string {
|
156 | 130 | host := ingressToHost(ingressConfig)
|
157 | 131 | for _, ingress := range route.Status.Ingress {
|
|