Don't overwrite existing certificates when issuing a temporary certificate

Signed-off-by: James Munnelly <james@munnelly.eu>
James Munnelly 2019-12-16 13:53:38 +00:00
parent 45785999f9
commit 7076041de6


@ -336,15 +336,14 @@ func (c *certificateRequestManager) processCertificate(ctx context.Context, crt
log.Info("no existing certificate data found in secret, issuing temporary certificate")
return c.issueTemporaryCertificate(ctx, existingSecret, crt, existingKey)
}
// We don't issue a temporary certificate if the existing stored
// certificate already 'matches', even if it isn't a temporary certificate.
matches, _ := certificateMatchesSpec(crt, privateKey, existingX509Cert, existingSecret)
if !matches {
log.Info("existing certificate fields do not match certificate spec, issuing temporary certificate")
matches, err := pki.PublicKeyMatchesCertificate(privateKey.Public(), existingX509Cert)
if err != nil || !matches {
log.Info("private key for certificate does not match, issuing temporary certificate")
return c.issueTemporaryCertificate(ctx, existingSecret, crt, existingKey)
}
log.Info("not issuing temporary certificate as existing certificate matches requirements")
log.Info("not issuing temporary certificate as existing certificate is sufficient")
// Ensure the secret metadata is up to date
updated, err := c.ensureSecretMetadataUpToDate(ctx, existingSecret, crt)