Always check for certificate validation (#230)

* Always check for certificate validation * Update CHANGELOG * make nancy happy * go mod tidy
giantswarm · Mar 19, 2024 · 0f79fc1 · 0f79fc1
1 parent b6feb36
commit 0f79fc1
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 24 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 
 - CAPA: check for deletion timestamp on the Cluster CR.
+- CAPA: always check if certificate should be validated
 
 ## [0.25.0] - 2024-02-13
 

diff --git a/go.mod b/go.mod
@@ -83,7 +83,7 @@ require (
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

diff --git a/go.sum b/go.sum
@@ -371,8 +371,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

diff --git a/pkg/irsa/capa/capa.go b/pkg/irsa/capa/capa.go
@@ -133,35 +133,35 @@ func (s *Service) Reconcile(ctx context.Context, outRequeueAfter *time.Duration)
 				return err
 			}
 
-			if !issued {
-				s.Scope.Logger().Info("ACM certificate is not issued yet")
+			// Check if domain ownership is validated
+			validated, err := s.ACM.IsValidated(*certificateArn)
+			if err != nil {
+				ctrlmetrics.Errors.WithLabelValues(s.Scope.Installation(), s.Scope.AccountID(), s.Scope.ClusterName(), s.Scope.ClusterNamespace()).Inc()
+				s.Scope.Logger().Error(err, "failed to check if ACM certificate's ownership is validated")
+				return err
+			}
 
-				// Check if domain ownership is validated
-				validated, err := s.ACM.IsValidated(*certificateArn)
+			if !validated {
+				// Check if DNS record is present
+				cname, err := s.ACM.GetValidationCNAME(*certificateArn)
 				if err != nil {
 					ctrlmetrics.Errors.WithLabelValues(s.Scope.Installation(), s.Scope.AccountID(), s.Scope.ClusterName(), s.Scope.ClusterNamespace()).Inc()
-					s.Scope.Logger().Error(err, "failed to check if ACM certificate's ownership is validated")
+					s.Scope.Logger().Error(err, "failed to get ACM certificate's validation DNS record details")
 					return err
 				}
 
-				if !validated {
-					// Check if DNS record is present
-					cname, err := s.ACM.GetValidationCNAME(*certificateArn)
-					if err != nil {
-						ctrlmetrics.Errors.WithLabelValues(s.Scope.Installation(), s.Scope.AccountID(), s.Scope.ClusterName(), s.Scope.ClusterNamespace()).Inc()
-						s.Scope.Logger().Error(err, "failed to get ACM certificate's validation DNS record details")
-						return err
-					}
-
-					err = s.Route53.EnsureDNSRecord(hostedZoneID, *cname)
-					if err != nil {
-						ctrlmetrics.Errors.WithLabelValues(s.Scope.Installation(), s.Scope.AccountID(), s.Scope.ClusterName(), s.Scope.ClusterNamespace()).Inc()
-						s.Scope.Logger().Error(err, "failed to create ACM certificate's validation DNS record")
-						return err
-					}
-
+				err = s.Route53.EnsureDNSRecord(hostedZoneID, *cname)
+				if err != nil {
+					ctrlmetrics.Errors.WithLabelValues(s.Scope.Installation(), s.Scope.AccountID(), s.Scope.ClusterName(), s.Scope.ClusterNamespace()).Inc()
+					s.Scope.Logger().Error(err, "failed to create ACM certificate's validation DNS record")
+					return err
 				}
 
+			}
+
+			if !issued {
+				s.Scope.Logger().Info("ACM certificate is not issued yet")
+
 				return microerror.Mask(certificateNotIssuedError)
 			}