Skip to content

Commit 052ac26

Browse files
authored
fix(vault): first time push should not fail (#67)
1 parent 4b0430e commit 052ac26

3 files changed

Lines changed: 35 additions & 17 deletions

File tree

CHANGELOG.md

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,12 @@
1+
## v2.1.8 - 2025-03-24
2+
3+
- Bump cert-amaneger to v1.17.1
4+
- Bump prometheus/client_golang to v1.21.1
5+
- Bump k8s packages to v0.32.3
6+
- Bump controller-runtime to v0.20.3
7+
- Bump go to 1.23.7
8+
- First time push to vault failed
9+
110
## v2.1.7 - 2025-03-14
211

312
- Bump cert-manager to v1.15.5

VERSION

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
v2.1.7
1+
v2.1.8

pkg/vault/client.go

Lines changed: 25 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -112,10 +112,7 @@ func (c *Client) UpdateCertificate(data CertificateData, certStatus certmanagerv
112112
// we only want to write the secret and therefore produce a new version when actually necessary
113113
secret, err := c.client.Logical().Read(fullSecretPath)
114114
if err != nil {
115-
return err
116-
}
117-
secretMeta, err := c.client.KVv2(c.Options.KVEngineName).GetMetadata(context.TODO(), data.VaultPath)
118-
if err != nil {
115+
c.Log.Error(err, "failed to read secret", "path", fullSecretPath)
119116
return err
120117
}
121118

@@ -126,23 +123,35 @@ func (c *Client) UpdateCertificate(data CertificateData, certStatus certmanagerv
126123
needsWrite = !reflect.DeepEqual(secret.Data["data"], payload)
127124
}
128125

129-
if needsWrite || secretMeta.CustomMetadata["expiry_date"] != fmt.Sprintf("%d-%02d-%02d", certStatus.NotAfter.Year(), certStatus.NotAfter.Month(), certStatus.NotAfter.Day()) {
130-
if c.Options.PushCertificates {
131-
_, err := c.client.Logical().Write(fullSecretPath, map[string]interface{}{"data": payload})
132-
if err != nil {
133-
return fmt.Errorf("while writing payload to vault: %w", err)
134-
}
135-
} else {
136-
c.Log.Info("skipping writing to vault", "path", fullSecretPath)
126+
if needsWrite && c.Options.PushCertificates {
127+
_, err := c.client.Logical().Write(fullSecretPath, map[string]interface{}{"data": payload})
128+
if err != nil {
129+
return fmt.Errorf("while writing payload to vault: %w", err)
137130
}
138-
if c.Options.UpdateMetaData {
139-
err = c.patchMetadata(data.VaultPath, certStatus)
140-
} else {
141-
c.Log.Info("skipping updated metadata", "path", fullSecretPath, "vaultMetaData", secretMeta.CustomMetadata, "secretMetaData", certStatus)
131+
132+
err = c.patchMetadata(data.VaultPath, certStatus)
133+
if err != nil {
134+
return fmt.Errorf("while updating metadata: %w", err)
142135
}
136+
} else {
137+
c.Log.Info("skipping writing to vault", "path", fullSecretPath)
138+
}
139+
140+
secretMeta, err := c.client.KVv2(c.Options.KVEngineName).GetMetadata(context.TODO(), data.VaultPath)
141+
if err != nil {
142+
c.Log.Error(err, "failed to read secret metadata", "path", fullSecretPath)
143143
return err
144144
}
145145

146+
if c.Options.UpdateMetaData && secretMeta.CustomMetadata["expiry_date"] != fmt.Sprintf("%d-%02d-%02d", certStatus.NotAfter.Year(), certStatus.NotAfter.Month(), certStatus.NotAfter.Day()) {
147+
err = c.patchMetadata(data.VaultPath, certStatus)
148+
if err != nil {
149+
return fmt.Errorf("while updating metadata: %w", err)
150+
}
151+
} else {
152+
c.Log.Info("skipping updated metadata", "path", fullSecretPath, "vaultMetaData", secretMeta.CustomMetadata, "secretMetaData", certStatus)
153+
}
154+
146155
return nil
147156
}
148157

0 commit comments

Comments
 (0)