update kustomize

Signed-off-by: Foysal Iqbal <mqb@qlik.com>
Merge pull request #444 from qlik-oss/fix_crds
2020-09-30 16:32:49 -04:00 · 2020-09-30 10:07:41 -04:00 · 2020-09-30 09:07:01 -04:00 · 2020-09-30 09:03:56 -04:00 · 2020-06-25 16:50:51 -04:00
3 changed files with 22 additions and 13 deletions
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ replace (
 	k8s.io/client-go => k8s.io/client-go v0.17.0
 	k8s.io/kubectl => k8s.io/kubectl v0.0.0-20191219154910-1528d4eea6dd

-	sigs.k8s.io/kustomize/api => github.com/qlik-oss/kustomize/api v0.3.3-0.20200612023448-4c1f2f38ea9b
+	sigs.k8s.io/kustomize/api => github.com/qlik-oss/kustomize/api v0.5.2-0.20200820111149-1a59db58525f
 )

 require (
--- a/pkg/preflight/verify_ca.go
+++ b/pkg/preflight/verify_ca.go
@@ -93,25 +93,30 @@ func (qp *QliksensePreflight) extractCertAndVerify(server string, caCertificates
 	// Get the ConnectionState struct as that's the one which gives us x509.Certificate struct
 	x509Certificates := conn.ConnectionState().PeerCertificates

+	var serverCert *x509.Certificate
 	if len(x509Certificates) == 0 {
 		return fmt.Errorf("no server certificates retrieved from the server")
 	}
-	if len(x509Certificates) > 1 {
-		return fmt.Errorf("more than 1 server certificate retrieved from the server")
+	// we retrieve and verify the server certificate, we ignore intermediate certificates at this point.
+	for _, x509Cert := range x509Certificates {
+		if !x509Cert.IsCA {
+			serverCert = x509Cert
+			break
+		}
+	}
+	if serverCert == nil {
+		return fmt.Errorf("no valid server certificates retrieved from the server")
 	}
-	//  execute verify cmd
 	roots := x509.NewCertPool()
-	ok := roots.AppendCertsFromPEM([]byte(caCertificates))
-	if !ok {
+	if ok := roots.AppendCertsFromPEM([]byte(caCertificates)); !ok {
 		return fmt.Errorf("failed to parse root certificate.")
 	}

 	opts := x509.VerifyOptions{
-		Roots:         roots,
-		DNSName:       u.Hostname(),
-		Intermediates: x509.NewCertPool(),
+		Roots:   roots,
+		DNSName: u.Hostname(),
 	}
-	if _, err := x509Certificates[0].Verify(opts); err != nil {
+	if _, err := serverCert.Verify(opts); err != nil {
 		return fmt.Errorf("failed to verify certificate: " + err.Error())
 	}
 	return nil
--- a/pkg/qliksense/crds.go
+++ b/pkg/qliksense/crds.go
@@ -93,11 +93,15 @@ func getQliksenseInitCrds(qcr *qapi.QliksenseCR) (string, error) {
 		}
 	}

-	qInitMsPath := filepath.Join(repoPath, Q_INIT_CRD_PATH)
+	qInitMsPath := filepath.Join(repoPath, "manifests", qcr.Spec.Profile, "crds")
 	if _, err := os.Lstat(qInitMsPath); err != nil {
-		// older version of qliksense-init used
-		qInitMsPath = filepath.Join(repoPath, "manifests/base/manifests/qliksense-init")
+		qInitMsPath = filepath.Join(repoPath, Q_INIT_CRD_PATH)
+		if _, err := os.Lstat(qInitMsPath); err != nil {
+			// older version of qliksense-init used
+			qInitMsPath = filepath.Join(repoPath, "manifests/base/manifests/qliksense-init")
+		}
 	}
+
 	qInitByte, err := ExecuteKustomizeBuild(qInitMsPath)
 	if err != nil {
 		fmt.Println("cannot generate crds for qliksense-init", err)
Author	SHA1	Message	Date
Foysal Iqbal	94768d2cd4	update kustomize Signed-off-by: Foysal Iqbal <mqb@qlik.com>	2020-09-30 16:32:49 -04:00
Boris Kuschel	6ab9317638	Merge pull request #444 from qlik-oss/fix_crds Fix crds	2020-09-30 10:07:41 -04:00
Boris Kuschel	5899760c16	retain old qliksense-init func Signed-off-by: Boris Kuschel <boris.kuschel@qlik.com>	2020-09-30 09:07:01 -04:00
Boris Kuschel	a63c400106	Use crds in profile, if exists Signed-off-by: Boris Kuschel <boris.kuschel@qlik.com>	2020-09-30 09:03:56 -04:00
Ashwathi Shiva	568012edd8	Preflight openssl verify (#438 ) * verify only server cert, not intermediate certs at this point	2020-06-25 16:50:51 -04:00