wip

src/ocp_postprocess/additional_trust_bundle.rs

@@ -52,7 +52,7 @@ async fn fix_dir_resources(additional_trust_bundle: &str, dir: &Path) -> Result<
     Ok(())
 }
 
-async fn fix_file_resources(additional_trust_bundle: &str, file: &Path) -> Result<(), anyhow::Error> {
+async fn fix_file_resources(_additional_trust_bundle: &str, _file: &Path) -> Result<()> {
     Ok(())
 }
 
@@ -62,9 +62,12 @@ async fn fix_etcd_resources(etcd_client: &Arc<InMemoryK8sEtcd>, additional_trust
         .await
         .context("fixing labeled configmaps")?;
 
-    let merged_bundle = utils::get_merged_bundle(additional_trust_bundle, original_additional_trust_bundle);
+    let system_certs = {
+        let all_certs = utils::get_merged_bundle(etcd_client).await.context("getting merged bundle")?;
+        utils::get_unmerged_bundle(original_additional_trust_bundle, all_certs).context("getting unmerged bundle")?
+    };
 
-    let original_system_bundle
+    let new_merged_bundle = utils::merge_certs(additional_trust_bundle, &system_certs).context("merging certs")?;
 
     etcd_rename::fix_labeled_configmaps(etcd_client, full_merged_bundle)
         .await

src/ocp_postprocess/additional_trust_bundle/utils.rs

@@ -1,4 +1,8 @@
-use crate::file_utils;
+use crate::{
+    cluster_crypto::locations::K8sResourceLocation,
+    file_utils,
+    k8s_etcd::{get_etcd_json, InMemoryK8sEtcd},
+};
 use anyhow::{Context, Result};
 use serde_json::Value;
 
@@ -37,3 +41,66 @@ pub(crate) fn fix_machineconfig(machineconfig: &mut Value, additional_trust_bund
 
     Ok(())
 }
+
+pub(crate) async fn get_merged_bundle(etcd_client: &InMemoryK8sEtcd) -> Result<String> {
+    let k8s_resource_location = K8sResourceLocation::new(Some("openshift-config-managed"), "ConfigMap", "trusted-ca-bundle", "v1");
+
+    let config = get_etcd_json(etcd_client, &k8s_resource_location)
+        .await
+        .context("failed to get trusted-ca-bundle configmap")?
+        .context("could not find trusted-ca-bundle configmap")?;
+
+    let data = config
+        .pointer("/data/ca-bundle.crt")
+        .context("no ca-bundle.crt in trusted-ca-bundle configmap")?
+        .as_str()
+        .context("ca-bundle.crt not a string")?;
+
+    Ok(data.to_string())
+}
+
+/// There's no place where we can get just the system certificates, that don't already contain the
+/// original additional trust bundle, so we have to calculate it ourselves by taking the entire
+/// merged bundle and removing from it the certs that also appear in the original additional trust
+/// bundle. What's left after removal should be just the system certs
+pub(crate) fn get_system_certs(original_additional_trust_bundle: String, merged_bundle: String) -> Result<String> {
+    let merged_certs = pem::parse_many(merged_bundle.as_bytes())
+        .context("failed to parse merged bundle")?
+        .into_iter()
+        .collect::<Vec<_>>();
+
+    let original_certs = pem::parse_many(original_additional_trust_bundle.as_bytes())
+        .context("failed to parse original additional trust bundle")?
+        .into_iter()
+        .collect::<Vec<_>>();
+
+    Ok(pem::encode_many(
+        merged_certs
+            .iter()
+            .filter(|cert| original_certs.iter().all(|original_cert| original_cert != *cert))
+            .cloned()
+            .collect::<Vec<_>>()
+            .as_slice(),
+    ))
+}
+
+pub(crate) fn merge_bundles(additional_trust_bundle: &str, system_certs: &str) -> Result<String> {
+    let additional_certs = pem::parse_many(additional_trust_bundle.as_bytes())
+        .context("failed to parse additional trust bundle")?
+        .into_iter()
+        .collect::<Vec<_>>();
+
+    let system_certs = pem::parse_many(system_certs.as_bytes())
+        .context("failed to parse system certs")?
+        .into_iter()
+        .collect::<Vec<_>>();
+
+    Ok(pem::encode_many(
+        additional_certs
+            .iter()
+            .chain(system_certs.iter())
+            .cloned()
+            .collect::<Vec<_>>()
+            .as_slice(),
+    ))
+}