Fixed cert updates #24

Open
ananthb wants to merge 4 commits into master from fix-updates

@ananthb ananthb commented Feb 27, 2026

Certificates with * in their filenames are not handled by dataplane API v2 correctly.
The old code assumed that normalizing the URL works, but dataplane doesn't do anything and doesn't error out.

Now if we encounter a cert like that, a new cert is uploaded with _ instead of *.
The old cert has to be manually deleted (rundeck job?) before haproxy starts using it.
This step is super important because haproxy is configured to serve ssl certs from a dir
and * beats _ in precedence, so the old cert will continue to be served until it is removed.

Added integration tests to cover all scenarios including this * -> _ one.

Certificates with * in their filenames are not handled by dataplane API.
So if we encounter a cert like that, then a new cert is uploaded with _
instead of *, but the old cert has to be deleted manually before haproxy
will start using it.

Added integration tests to cover all scenarios including this * -> _
one.

github-actions bot commented Feb 27, 2026

Code Coverage Report

Total Coverage: total: (statements) 8.6%

Coverage by function
github.com/vinted/certificator/cmd/certificatee/certsource.go:23:	GetCertificate			0.0%
github.com/vinted/certificator/cmd/certificatee/certsource.go:27:	GetPEMBundle			0.0%
github.com/vinted/certificator/cmd/certificatee/certsource.go:45:	GetCertificate			0.0%
github.com/vinted/certificator/cmd/certificatee/certsource.go:59:	GetPEMBundle			0.0%
github.com/vinted/certificator/cmd/certificatee/certsource.go:68:	certPath			0.0%
github.com/vinted/certificator/cmd/certificatee/certsource.go:72:	parseCertificateFromPEM		0.0%
github.com/vinted/certificator/cmd/certificatee/certsource.go:94:	buildPEMBundle			0.0%
github.com/vinted/certificator/cmd/certificatee/haproxy_config.go:11:	sanitizeWildcardCertName	0.0%
github.com/vinted/certificator/cmd/certificatee/haproxy_config.go:17:	ensureStorageCertificate	0.0%
github.com/vinted/certificator/cmd/certificatee/haproxy_config.go:46:	normalizeCertificateName	0.0%
github.com/vinted/certificator/cmd/certificatee/haproxy_config.go:58:	certRefMatches			0.0%
github.com/vinted/certificator/cmd/certificatee/helpers.go:9:		createHAProxyClients		0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:22:		main				0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:80:		maybeUpdateCertificates		0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:96:		processHAProxyEndpoint		0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:168:		shouldUpdateCertificate		0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:207:		updateCertificate		0.0%
github.com/vinted/certificator/cmd/certificatee/main.go:235:		endsWith			0.0%
github.com/vinted/certificator/cmd/certificator/main.go:20:		main				0.0%
github.com/vinted/certificator/pkg/acme/acme.go:27:			GetEmail			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:32:			GetRegistration			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:37:			GetPrivateKey			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:42:			NewClient			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:61:			setupClient			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:80:			setupAccount			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:118:			newAccount			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:130:			getAccountKey			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:159:			registerAccount			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:177:			recoverAccount			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:211:			saveAccount			0.0%
github.com/vinted/certificator/pkg/acme/acme.go:221:			saveKey				0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:18:	ObtainCertificate		0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:50:	GetCertificate			0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:68:	NeedsReissuing			0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:96:	arraysEqual			0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:110:	arrayContains			0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:119:	VaultCertLocation		0.0%
github.com/vinted/certificator/pkg/certificate/certificate.go:123:	storeCertificateInVault		0.0%
github.com/vinted/certificator/pkg/certmetrics/metrics.go:65:		StartMetricsServer		0.0%
github.com/vinted/certificator/pkg/certmetrics/metrics.go:85:		PushMetrics			0.0%
github.com/vinted/certificator/pkg/config/config.go:75:			LoadConfig			0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:51:		NewClient			100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:86:		NewClients			92.3%
github.com/vinted/certificator/pkg/haproxy/client.go:111:		Endpoint			0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:116:		doRequest			66.7%
github.com/vinted/certificator/pkg/haproxy/client.go:164:		ListCertificates		42.9%
github.com/vinted/certificator/pkg/haproxy/client.go:178:		ListCertificateRefs		23.1%
github.com/vinted/certificator/pkg/haproxy/client.go:203:		listCertificateRefsV2		25.0%
github.com/vinted/certificator/pkg/haproxy/client.go:223:		GetCertificateDetails		0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:286:		UpdateCertificate		0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:294:		updateCertificateStorageV2	0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:312:		CreateCertificate		0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:349:		DeleteCertificate		0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:372:		ListFrontends			0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:399:		ListBinds			0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:421:		UpdateBind			0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:450:		ExtractDomainFromPath		100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:468:		IsExpiring			100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:479:		NormalizeSerial			100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:484:		parseDataPlaneTime		0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:503:		parseStringOrArray		0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:529:		Error				100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:533:		Info				0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:537:		Debug				100.0%
github.com/vinted/certificator/pkg/haproxy/client.go:541:		Warn				0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:546:		toLogrusFields			85.7%
github.com/vinted/certificator/pkg/haproxy/client.go:558:		getConfigurationVersion		0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:592:		parseVersionValue		0.0%
github.com/vinted/certificator/pkg/haproxy/client.go:603:		decodeDataArray			0.0%
github.com/vinted/certificator/pkg/vault/vault.go:18:			NewVaultClient			0.0%
github.com/vinted/certificator/pkg/vault/vault.go:27:			KVWrite				0.0%
github.com/vinted/certificator/pkg/vault/vault.go:41:			KVRead				0.0%
github.com/vinted/certificator/pkg/vault/vault.go:62:			vaultFullPath			0.0%
total:									(statements)			8.6%

certificatee checks the dataplane API to determine if a new
certificate is available to be installed.
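
The `*` to `_` rename and the manual-deletion step from the PR description, as an added example (not code from this PR or the certificator project): it reports which old `*` files still need deleting and which have no `_` replacement yet. The function names and the sample directory listing are assumptions, as is byte-wise filename ordering as the reason `*` takes precedence over `_`.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sanitizedName replaces every '*' with '_' (hypothetical helper for the
// rename described in the PR text; not the project's function).
func sanitizedName(name string) string {
	return strings.ReplaceAll(name, "*", "_")
}

// auditCertDir splits the '*' filenames in a listing into two sorted groups:
// stale:   the '_' replacement is present, so the old file must be deleted.
//          Assumption: precedence is byte-wise, '*' (0x2A) < '_' (0x5F).
// pending: no '_' replacement has been uploaded yet.
func auditCertDir(files []string) (stale, pending []string) {
	present := make(map[string]bool, len(files))
	for _, f := range files {
		present[f] = true
	}
	for _, f := range files {
		if !strings.Contains(f, "*") {
			continue
		}
		if present[sanitizedName(f)] {
			stale = append(stale, f)
		} else {
			pending = append(pending, f)
		}
	}
	sort.Strings(stale)
	sort.Strings(pending)
	return stale, pending
}

func main() {
	// Constructed directory listing, not taken from the PR.
	files := []string{
		"*.example.com.pem", "_.example.com.pem",
		"www.example.com.pem", "*.internal.example.pem",
	}
	stale, pending := auditCertDir(files)
	fmt.Println("delete before the new cert is served:", stale)
	fmt.Println("still waiting for a '_' upload:", pending)
}
```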