Skip to content

[TSLA-11619] Make GetKeyCertPEM select key/cert pair deterministically (cherry-pick #5008, 1.43)#5036

Merged
marvin-tigera merged 1 commit into
release-v1.43from
cherry-pick-5008-release-v1.43
Jul 14, 2026
Merged

[TSLA-11619] Make GetKeyCertPEM select key/cert pair deterministically (cherry-pick #5008, 1.43)#5036
marvin-tigera merged 1 commit into
release-v1.43from
cherry-pick-5008-release-v1.43

Conversation

@tmjd

@tmjd tmjd commented Jul 14, 2026

Copy link
Copy Markdown
Member

Description

Cherry-pick of #5008 to release-v1.43.

Bug fix. GetKeyCertPEM ranged over a Go map of key/cert field-name pairs, so when a secret held more than one recognized pair (e.g. standard tls.crt/tls.key alongside a legacy cert/key kept during a cert-rotation overlap), the returned cert was non-deterministic due to randomized map iteration. For the Voltron tunnel secret this flipped the KeyPair hash annotation between reconciles, changing the tigera-manager pod template hash and triggering spurious Voltron rolling restarts that dropped managed-cluster tunnels.

The fix selects the key/cert pair in a fixed priority order (standard tls.crt/tls.key first, then legacy names) and adds a regression test asserting deterministic selection when both pairs are present.

Affects pkg/tls/certificatemanagement. Clean cherry-pick from master (b28e353d); pkg/tls/certificatemanagement package tests pass.

Release Note

NONE

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a a new feature.
    • enterprise if this PR applies to Calico Enterprise only.

@tmjd tmjd requested a review from a team as a code owner July 14, 2026 15:35
@marvin-tigera marvin-tigera added this to the v1.43.0 milestone Jul 14, 2026
@tmjd tmjd changed the title [TSLA-11619] Make GetKeyCertPEM select key/cert pair deterministically (cherry-pick #5008) [TSLA-11619] Make GetKeyCertPEM select key/cert pair deterministically (cherry-pick #5008, 1.43) Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants