
feat: Keep all unexpired certs in istio-gatway-secret ca.crt#3033

Merged
lindnerby merged 13 commits into kyma-project:main from c-pius:feat/keep-all-unxpired-certs-in-ca-bundle
Feb 8, 2026

@c-pius c-pius commented Feb 5, 2026

Description

Changes proposed in this pull request:

  • introduces the bundler.go with the functionality to
    • add new certs to a bundle
    • drop expired certs from a bundler
  • updated the handler.go to use bundler adding for managing the istio-gateway-secret CA bundle (ca.crt)
  • this PR just introduces the plain changes needed to fulfill the story so we can include it in this week's release. There will be a follow-up PR with some refactorings in the handler.go to make things nicer.

Related issue(s)

@c-pius c-pius linked an issue Feb 6, 2026 that may be closed by this pull request
@c-pius c-pius marked this pull request as ready for review February 6, 2026 08:18
@c-pius c-pius requested a review from a team as a code owner February 6, 2026 08:18
@lindnerby lindnerby self-assigned this Feb 6, 2026

@lindnerby lindnerby left a comment

Just a few questions basically.

c-pius commented Feb 6, 2026

@lindnerby FYI: noticed that there was a bug and fixed it fd55a8b

Not detected by the unit test as the NotAfter was explicitly set to zero, but the NotBefore was also implicitly zero:

	bndlr := certificate.NewBundler(
		certificate.WithParseX509Function(
			func(_ []byte) (*x509.Certificate, error) {
				return &x509.Certificate{
					NotAfter: time.Time{},
				}, nil
			},
		),
	)
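
An added example, not code from this PR or the project: the comment does not say what the bug was, so byNotBefore below is an assumed wrong-field defect, used only to show why a stub with both NotBefore and NotAfter at zero cannot tell it apart from the intended NotAfter check. All function names and sample certificates are constructed for illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// expiredFn decides whether a certificate is dropped from the bundle.
type expiredFn func(c *x509.Certificate, now time.Time) bool

// byNotAfter: a certificate is expired once its NotAfter has passed.
func byNotAfter(c *x509.Certificate, now time.Time) bool { return now.After(c.NotAfter) }

// byNotBefore: hypothetical defect (assumed, not taken from the PR) reading the wrong field.
func byNotBefore(c *x509.Certificate, now time.Time) bool { return now.After(c.NotBefore) }

// dropExpired keeps every certificate the predicate does not report as expired.
func dropExpired(bundle []*x509.Certificate, now time.Time, expired expiredFn) []*x509.Certificate {
	kept := make([]*x509.Certificate, 0, len(bundle))
	for _, c := range bundle {
		if !expired(c, now) {
			kept = append(kept, c)
		}
	}
	return kept
}

// fixedNow is a constructed reference time so the results are deterministic.
func fixedNow() time.Time { return time.Date(2026, 2, 6, 12, 0, 0, 0, time.UTC) }

// zeroStub mirrors the stub above: NotAfter set to zero, NotBefore left at its zero value.
func zeroStub() []*x509.Certificate { return []*x509.Certificate{{NotAfter: time.Time{}}} }

// realistic is a constructed bundle: one expired CA cert and one currently valid CA cert.
func realistic(now time.Time) []*x509.Certificate {
	return []*x509.Certificate{
		{NotBefore: now.Add(-48 * time.Hour), NotAfter: now.Add(-24 * time.Hour)},
		{NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(24 * time.Hour)},
	}
}

func main() {
	now := fixedNow()
	for name, b := range map[string][]*x509.Certificate{"zero stub": zeroStub(), "realistic": realistic(now)} {
		fmt.Printf("%-9s kept by NotAfter=%d, by NotBefore=%d\n", name,
			len(dropExpired(b, now, byNotAfter)), len(dropExpired(b, now, byNotBefore)))
	}
}
```

With the zero stub both predicates drop the certificate, so a test built on it passes either way; a fixture with distinct, non-zero NotBefore and NotAfter values makes the two diverge.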

@c-pius c-pius requested a review from lindnerby February 6, 2026 14:43
@lindnerby lindnerby enabled auto-merge (squash) February 6, 2026 16:40
@lindnerby lindnerby merged commit e237f53 into kyma-project:main Feb 8, 2026
61 of 62 checks passed
@c-pius c-pius deleted the feat/keep-all-unxpired-certs-in-ca-bundle branch February 8, 2026 12:23
@lindnerby lindnerby removed their assignment Feb 8, 2026
Successfully merging this pull request may close these issues.

Keep all unexpired CA certs in the CA bundle
