From cacf47b10babf17b38330cf05e178cfc04701b8b Mon Sep 17 00:00:00 2001 From: chengjingtao Date: Wed, 13 May 2026 05:54:34 +0000 Subject: [PATCH] fix: restore USE_OLM_TLS vendor patches dropped by vuln-0512 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #28 (fix: vuln 0512) ran `go mod tidy` + `go mod vendor` and regenerated the vendor tree from upstream, which silently reverted PR #25 (fix: using olm cert) — its manual patches lived directly in vendor/knative.dev/pkg/webhook/{webhook.go,resourcesemantics/conversion/reconciler.go}. Without those patches, an OLM-installed operator-webhook fails to start: - webhook server: "server key missing" + "tls: no certificates configured" (default code reads server-key.pem / server-cert.pem; OLM populates tls.key / tls.crt) - WebhookCertificates reconciler: "Secret operator-webhook-service-cert is invalid: data[tls.crt]/data[tls.key] Required value" (tries to write server-*.pem / ca-cert.pem into a kubernetes.io/tls secret, apiserver rejects the type) - ConversionWebhook reconciler: 'secret operator-webhook-service-cert is missing "ca-cert.pem" key' This commit re-applies PR #25's diff verbatim on top of c861803 so the next hotfix build carries both the OLM TLS support and the 0512 dependency bumps. Follow-up: move these patches into a knative-pkg fork referenced via `replace` so future `go mod vendor` runs don't drop them again. Co-Authored-By: Claude Opus 4.7
---
 .../conversion/reconciler.go | 5 ++ vendor/knative.dev/pkg/webhook/webhook.go | 53 ++++++++++++++----- 2 files changed, 46 insertions(+), 12 deletions(-)
diff --git a/vendor/knative.dev/pkg/webhook/resourcesemantics/conversion/reconciler.go b/vendor/knative.dev/pkg/webhook/resourcesemantics/conversion/reconciler.go
index 103e6a5eba..9a79579a95 100644
--- a/vendor/knative.dev/pkg/webhook/resourcesemantics/conversion/reconciler.go
+++ b/vendor/knative.dev/pkg/webhook/resourcesemantics/conversion/reconciler.go
@@ -19,6 +19,7 @@ package conversion
 import (
 "context"
 "fmt"
+ "os"
 "go.uber.org/zap"
 apixv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -75,6 +76,10 @@ func (r *reconciler) Reconcile(ctx context.Context, key string) error {
 return err
 }
+ if os.Getenv("USE_OLM_TLS") != "" { // olm will do the crd update
+ return nil
+ }
+
 cacert, ok := secret.Data[certresources.CACert]
 if !ok {
 return fmt.Errorf("secret %q is missing %q key", r.secretName, certresources.CACert)
diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go
index eff693e80d..05b5f44cad 100644
--- a/vendor/knative.dev/pkg/webhook/webhook.go
+++ b/vendor/knative.dev/pkg/webhook/webhook.go
@@ -25,6 +25,7 @@ import (
 "log"
 "net"
 "net/http"
+ "os"
 "time"
 // Injection stuff
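Review bot: The added gate `if os.Getenv("USE_OLM_TLS") != ""` treats any non-empty value as "on", so a deployment that sets `USE_OLM_TLS=false` or `USE_OLM_TLS=0` still returns early from Reconcile and never writes `cacert` into the CRD, silently relying on OLM having done it. Parsing the value makes the switch explicit, e.g. `if olm, _ := strconv.ParseBool(os.Getenv("USE_OLM_TLS")); olm { return nil }` (an unparsable value is then treated as off, and `strconv` joins the import block). The same string comparison is repeated in webhook.go's `New` hunk, so a single shared helper for the flag would keep the two hand-maintained vendor patches from drifting. The trailing comment would be more useful if it named what is skipped, e.g. `// USE_OLM_TLS: OLM manages the CRD conversion webhook's CA data, so skip updating it here.` Reconcile continues outside the hunk.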
@@ -174,27 +175,45 @@ func New(
 // a new secret informer from it.
 secretInformer := kubeinformerfactory.Get(ctx).Core().V1().Secrets()
- webhook.tlsConfig = &tls.Config{
- MinVersion: opts.TLSMinVersion,
+ var getCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+ secret, err := secretInformer.Lister().Secrets(system.Namespace()).Get(opts.SecretName)
+ if err != nil {
+ logger.Errorw("failed to fetch secret", zap.Error(err))
+ return nil, nil
+ }
+ webOpts := GetOptions(ctx)
+ sKey, sCert := getSecretDataKeyNamesOrDefault(webOpts.ServerPrivateKeyName, webOpts.ServerCertificateName)
+ serverKey, ok := secret.Data[sKey]
+ if !ok {
+ logger.Warn("server key missing")
+ return nil, nil
+ }
+ serverCert, ok := secret.Data[sCert]
+ if !ok {
+ logger.Warn("server cert missing")
+ return nil, nil
+ }
+ cert, err := tls.X509KeyPair(serverCert, serverKey)
+ if err != nil {
+ return nil, err
+ }
+ return &cert, nil
+ }
- // If we return (nil, error) the client sees - 'tls: internal error"
- // If we return (nil, nil) the client sees - 'tls: no certificates configured'
- //
- // We'll return (nil, nil) when we don't find a certificate
- GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+ if os.Getenv("USE_OLM_TLS") != "" {
+ getCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 secret, err := secretInformer.Lister().Secrets(system.Namespace()).Get(opts.SecretName)
 if err != nil {
 logger.Errorw("failed to fetch secret", zap.Error(err))
 return nil, nil
 }
- webOpts := GetOptions(ctx)
- sKey, sCert := getSecretDataKeyNamesOrDefault(webOpts.ServerPrivateKeyName, webOpts.ServerCertificateName)
- serverKey, ok := secret.Data[sKey]
+
+ serverKey, ok := secret.Data["tls.key"]
 if !ok {
 logger.Warn("server key missing")
 return nil, nil
 }
- serverCert, ok := secret.Data[sCert]
+ serverCert, ok := secret.Data["tls.crt"]
 if !ok {
 logger.Warn("server cert missing")
 return nil, nil
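Review bot: The OLM branch re-implements the entire `getCertificate` closure only to change which two `secret.Data` keys are read, so the secret lookup, the two `logger.Warn` paths and the `tls.X509KeyPair` call now exist twice and must be kept in sync by hand in a vendored file that the commit message itself says is easy to lose. Since the default closure already resolves the key names through `getSecretDataKeyNamesOrDefault`, the whole second closure can collapse to an override of those two locals before the lookups: `if os.Getenv("USE_OLM_TLS") != "" { sKey, sCert = "tls.key", "tls.crt" }`. The `var getCertificate = func(...)` form would also read more idiomatically as `getCertificate := func(...)`. Note that the `MinVersion: opts.TLSMinVersion` line removed in this hunk is replaced by a hard-coded constant in the next hunk, which is raised there. `New` begins before this hunk and continues after it.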
@@ -204,7 +223,17 @@ func New(
 return nil, err
 }
 return &cert, nil
- },
+ }
+ }
+
+ webhook.tlsConfig = &tls.Config{
+ MinVersion: tls.VersionTLS12,
+
+ // If we return (nil, error) the client sees - 'tls: internal error"
+ // If we return (nil, nil) the client sees - 'tls: no certificates configured'
+ //
+ // We'll return (nil, nil) when we don't find a certificate
+ GetCertificate: getCertificate,
 }
 }
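Review bot: `MinVersion: tls.VersionTLS12` hard-codes the protocol floor, whereas the line this patch removes in the previous hunk read `opts.TLSMinVersion`, so re-applying PR #25 verbatim silently disconnects the `TLSMinVersion` option that the current vendor tree exposes — an operator configured to accept only TLS 1.3 would, after this commit, accept 1.2 again with no error or log line. Restoring `MinVersion: opts.TLSMinVersion,` keeps the option effective for both the default and the OLM certificate paths; if that field can be zero when the caller sets nothing, default it to `tls.VersionTLS12` before building the config (the hunk does not show how `opts` is validated). The rest of `New` lies outside the hunk.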