If a certificate is external, we must ensure that there is a hash for…

… them. There can be a case that a user uses the same certs for two different components. We want to avoid that components get re-rendered due to having different hashes per reconciliation loop.
tigera · Oct 10, 2024 · 5aab7db · 5aab7db
1 parent ffdde8b
commit 5aab7db
Showing 1 changed file with 3 additions and 13 deletions.
diff --git a/pkg/tls/certificatemanagement/certificatebundle.go b/pkg/tls/certificatemanagement/certificatebundle.go
@@ -94,19 +94,9 @@ func createTrustedBundle(includeSystemBundle bool, name string, certificates ...
 // AddCertificates Adds the certificates to the bundle.
 func (t *trustedBundle) AddCertificates(certificates ...CertificateInterface) {
 	for _, cert := range certificates {
-		// Check if we already trust an issuer of this cert. In practice, this will be 0 or 1 iteration,
-		// because the issuer is only set when the tigera-ca-private is the issuer.
-		cur := cert
-		var skip bool
-		for cur != nil && !skip {
-			hash := rmeta.AnnotationHash(cur.GetCertificatePEM())
-			cur = cur.GetIssuer()
-			if _, found := t.certificates[hash]; found {
-				skip = true
-			}
-		}
-		if cert != nil && !skip {
-			// Add the leaf certificate
+		// cert.GetIssuer() is set only for certificates that are signed by our operator CA.
+		// If a certificate was not signed by our operator, we should add it to the bundle.
+		if cert != nil && cert.GetIssuer() == nil {
 			hash := rmeta.AnnotationHash(cert.GetCertificatePEM())
 			t.certificates[hash] = cert
 		}