Goldmane: trust Cloud Linseed signer for flow uploads (#4913)#4936
Open
Brian-McM wants to merge 1 commit into
Conversation
On Calico OSS clusters connected to Calico Cloud via ManagementClusterConnection, Goldmane's flow emitter could not verify Guardian and failed with "certificate signed by unknown authority".

The Goldmane controller builds its trusted CA bundle from render.VoltronLinseedPublicCert. PR tigera#4153 renamed that constant from tigera-voltron-linseed-certs-public to calico-voltron-linseed-certs-public, but the management cluster (Calico Cloud) still delivers the operator-signer to managed clusters under the legacy tigera- name. The name mismatch caused GetCertificate to return nil, which AddCertificates silently skipped, leaving the bundle with only the local signer.

Trust whichever of the current/legacy Linseed public cert secrets is present, and degrade (ResourceNotReady) when connected to a management cluster but neither exists, so this class of misconfiguration surfaces early instead of failing silently.

Also migrate the whisker controller tests to ginkgo v2.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
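The failure the commit message describes, and the shape of the fix, as an added Go example (this is not the operator's code): a stand-in secret lookup, a pre-fix bundle builder that silently drops a nil (not-found) lookup, a fixed builder that accepts either secret name and fails closed when connected to a management cluster, and an x509 verification of a Guardian leaf against each bundle to show why the "1 cert" bundle produces "certificate signed by unknown authority". The two secret names and the ResourceNotReady condition come from the page; the `Secrets` map, the function names, the throwaway self-signed CAs and the `guardian` DNS name are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Secret names from the PR: #4153 renamed the constant to the calico- form, but Calico Cloud still ships the tigera- form.
const (
	currentLinseedPublicCert = "calico-voltron-linseed-certs-public"
	legacyLinseedPublicCert  = "tigera-voltron-linseed-certs-public"
)

// ErrLinseedSignerMissing is what the fixed controller surfaces (ResourceNotReady in the PR) instead of an incomplete bundle.
var ErrLinseedSignerMissing = errors.New("connected to a management cluster but neither Linseed public cert secret exists")

// Secrets is an assumed stand-in for the operator's secret lookup: name -> PEM bytes, nil if the secret is absent.
type Secrets map[string][]byte

// buildBundleBefore models the pre-fix logic: only the renamed secret is consulted and a nil lookup adds nothing, silently.
func buildBundleBefore(localSigner []byte, s Secrets) []byte {
	return append(append([]byte{}, localSigner...), s[currentLinseedPublicCert]...)
}

// buildBundleAfter models the fix: trust whichever current/legacy secret exists; fail closed if connected but neither does.
func buildBundleAfter(localSigner []byte, s Secrets, connectedToManagement bool) ([]byte, error) {
	bundle, found := append([]byte{}, localSigner...), false
	for _, name := range []string{currentLinseedPublicCert, legacyLinseedPublicCert} {
		if pemBytes := s[name]; pemBytes != nil {
			bundle, found = append(bundle, pemBytes...), true
		}
	}
	if connectedToManagement && !found {
		return nil, ErrLinseedSignerMissing
	}
	return bundle, nil
}

// countCerts counts CERTIFICATE blocks in a bundle (the reported "1 cert" symptom).
func countCerts(bundle []byte) (n int) {
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type == "CERTIFICATE" {
			n++
		}
	}
	return n
}

// verifyAgainstBundle does what a TLS client given CA_CERT_PATH=bundle does to Guardian's server leaf.
func verifyAgainstBundle(bundle, leafPEM []byte) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundle) // a local-only bundle simply fails the chain build below
	blk, _ := pem.Decode(leafPEM)
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "guardian"})
	return err
}

// newCert issues a throwaway certificate: CAs are self-signed, leaves are signed by parent (assumed test PKI).
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless this is a leaf
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}

func main() {
	localPEM, _, _ := newCert("local-signer", true, nil, nil)
	cloudPEM, cloudCA, cloudKey := newCert("cloud-operator-signer", true, nil, nil)
	guardianPEM, _, _ := newCert("guardian", false, cloudCA, cloudKey) // Guardian's Cloud-signed leaf
	delivered := Secrets{legacyLinseedPublicCert: cloudPEM}            // constructed: Cloud ships the legacy name
	before := buildBundleBefore(localPEM, delivered)
	after, _ := buildBundleAfter(localPEM, delivered, true)
	fmt.Printf("before: %d cert(s), verify: %v\nafter:  %d cert(s), verify: %v\n", countCerts(before),
		verifyAgainstBundle(before, guardianPEM), countCerts(after), verifyAgainstBundle(after, guardianPEM))
}
```

The important design point is in `buildBundleAfter`: a lookup that can legitimately return nothing is combined with an explicit "is this deployment supposed to have it" flag, so absence is an error in the connected case and a no-op only on standalone clusters. The pre-fix code had no such distinction, which is why the bad bundle shipped without any signal.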
Description
Fixes #4913.
On Calico OSS clusters connected to Calico Cloud via `ManagementClusterConnection`, Goldmane's flow emitter could not verify Guardian and failed with `certificate signed by unknown authority`.

Root cause

The Goldmane controller builds its trusted CA bundle (`goldmane-ca-bundle`) from `render.VoltronLinseedPublicCert`. PR #4153 renamed that constant from `tigera-voltron-linseed-certs-public` to `calico-voltron-linseed-certs-public`, but the management cluster (Calico Cloud) still delivers its operator-signer to managed clusters under the legacy `tigera-` name.

Because the names no longer matched, `GetCertificate` returned `nil` for a not-found secret and `AddCertificates(nil)` silently skipped it, leaving the bundle with only the local signer (the reported "1 cert" symptom). Goldmane reuses that bundle as `CA_CERT_PATH` for the HTTP flow emitter, so uploads to Guardian's Cloud-signed leaf failed TLS verification.

Fix

- Trust whichever of the current (`calico-voltron-linseed-certs-public`) and legacy (`tigera-voltron-linseed-certs-public`) Linseed public cert secrets is present.
- Degrade (`ResourceNotReady`) when connected to a management cluster but neither secret exists, instead of silently shipping an incomplete bundle — so this class of misconfiguration surfaces early. (Also added the missing `return` after a bundle-creation error, and a watch on the legacy secret name.)

Tests

- `goldmane` controller test suite (ginkgo v2) covering: trusts the legacy secret, trusts the current secret, degrades when connected but neither is present, and does not require the cert on standalone clusters.
- Migrated the `whisker` controller tests to ginkgo v2 (they were on stale v1 imports and did not compile).

🤖 Generated with Claude Code
Release Note