fix(translator): reject CA Secrets with multiple PEM certs (#7763)

tao12345666333 · web-flow · commit 64e50933f068 · 2025-10-30T08:40:22.000Z
* docs: update API references and bump crd-ref-docs to 0.2.0

* fix(translator): reject CA Secrets with multiple PEM certs

* update CHANGELOG

Signed-off-by: Jintao Zhang &lt;zhangjintao9020@gmail.com&gt;

---------

Signed-off-by: Jintao Zhang &lt;zhangjintao9020@gmail.com&gt;
diff --git a/.tools_versions.yaml b/.tools_versions.yaml
@@ -11,7 +11,7 @@ skaffold: "2.16.1"
 # renovate: datasource=github-releases depName=kubernetes-sigs/controller-runtime
 setup-envtest: "0.21.0"
 # renovate: datasource=github-releases depName=elastic/crd-ref-docs
-crd-ref-docs: "0.1.0"
+crd-ref-docs: "0.2.0"
 # renovate: datasource=github-releases depName=mikefarah/yq
 yq: "4.47.2"
 # renovate: datasource=github-releases depName=jstemmer/go-junit-report
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -126,6 +126,8 @@ Adding a new version? You'll need three changes:
   that KIC deletes the certificates of listeners on dataplane pods deleted when
   KIC is running under the control of Kong gateway operator.
   [#7666](https://github.com/Kong/kubernetes-ingress-controller/pull/7666)
+- Reject CA Secrets with multiple PEM certs.
+  [#7763](https://github.com/Kong/kubernetes-ingress-controller/pull/7763)
 
 ## [3.5.1]
 
diff --git a/docs/api-reference.md b/docs/api-reference.md
diff --git a/docs/incubator-api-reference.md b/docs/incubator-api-reference.md
@@ -16,8 +16,7 @@ KongServiceFacade allows creating separate Kong Services for a single Kubernetes
 Service. It can be used as Kubernetes Ingress' backend (via its path's `backend.resource`
 field). It's designed to enable creating two "virtual" Services in Kong that will point
 to the same Kubernetes Service, but will have different configuration (e.g. different
-set of plugins, different load balancing algorithm, etc.).<br /><br />
-KongServiceFacade requires `kubernetes.io/ingress.class` annotation with a value
+set of plugins, different load balancing algorithm, etc.).<br /><br />KongServiceFacade requires `kubernetes.io/ingress.class` annotation with a value
 matching the ingressClass of the Kong Ingress Controller (`kong` by default) to be reconciled.
 
 <!-- kong_service_facade description placeholder -->
diff --git a/internal/dataplane/translator/translate_cacerts.go b/internal/dataplane/translator/translate_cacerts.go
@@ -1,6 +1,7 @@
 package translator
 
 import (
+	"bytes"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
@@ -82,11 +83,29 @@ func (t *Translator) getCACerts() []kong.CACertificate {
 }
 
 func toKongCACertificate(caCertBytes []byte, object client.Object, secretID string) (kong.CACertificate, error) {
-	pemBlock, _ := pem.Decode(caCertBytes)
-	if pemBlock == nil {
+	rest := bytes.TrimSpace(caCertBytes)
+	pemBlocks := make([][]byte, 0, 1)
+
+	for len(rest) > 0 {
+		block, r := pem.Decode(rest)
+		if block == nil {
+			return kong.CACertificate{}, errors.New("invalid PEM block")
+		}
+		if block.Type != "CERTIFICATE" {
+			return kong.CACertificate{}, errors.New("invalid PEM block type")
+		}
+		pemBlocks = append(pemBlocks, block.Bytes)
+		rest = bytes.TrimSpace(r)
+	}
+
+	if len(pemBlocks) == 0 {
 		return kong.CACertificate{}, errors.New("invalid PEM block")
 	}
-	x509Cert, err := x509.ParseCertificate(pemBlock.Bytes)
+	if len(pemBlocks) > 1 {
+		return kong.CACertificate{}, errors.New("multiple PEM certificates found")
+	}
+
+	x509Cert, err := x509.ParseCertificate(pemBlocks[0])
 	if err != nil {
 		return kong.CACertificate{}, errors.New("failed to parse certificate")
 	}
@@ -97,9 +116,12 @@ func toKongCACertificate(caCertBytes []byte, object client.Object, secretID stri
 		return kong.CACertificate{}, errors.New("expired")
 	}
 
+	// Re-encode a single clean CERTIFICATE PEM block to ensure only one is sent to Kong.
+	singlePEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: pemBlocks[0]})
+
 	return kong.CACertificate{
 		ID:   kong.String(secretID),
-		Cert: kong.String(string(caCertBytes)),
+		Cert: kong.String(string(singlePEM)),
 		Tags: util.GenerateTagsForObject(object),
 	}, nil
 }
diff --git a/test/integration/translation_failures_test.go b/test/integration/translation_failures_test.go
@@ -9,6 +9,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/google/uuid"
 	"github.com/kong/go-kong/kong"
 	"github.com/kong/kubernetes-testing-framework/pkg/clusters"
 	"github.com/kong/kubernetes-testing-framework/pkg/utils/kubernetes/generators"
@@ -29,6 +30,7 @@ import (
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/util"
 	"github.com/kong/kubernetes-ingress-controller/v3/test"
 	"github.com/kong/kubernetes-ingress-controller/v3/test/consts"
+	"github.com/kong/kubernetes-ingress-controller/v3/test/helpers/certificate"
 	"github.com/kong/kubernetes-ingress-controller/v3/test/internal/helpers"
 	testutils "github.com/kong/kubernetes-ingress-controller/v3/test/util"
 )
@@ -51,6 +53,38 @@ func TestTranslationFailures(t *testing.T) {
 		// that we expect translation failure warning events to be created for.
 		translationFailureTrigger func(t *testing.T, cleaner *clusters.Cleaner, ns string) expectedTranslationFailure
 	}{
+		{
+			name: "CA secret with multiple PEMs",
+			translationFailureTrigger: func(t *testing.T, cleaner *clusters.Cleaner, ns string) expectedTranslationFailure {
+				createdSecret, err := env.Cluster().Client().CoreV1().Secrets(ns).Create(ctx, multiPEMCASecret(ns, uuid.NewString()), metav1.CreateOptions{})
+				require.NoError(t, err)
+				cleaner.Add(createdSecret)
+
+				return expectedTranslationFailure{
+					causingObjects: []client.Object{createdSecret},
+					reasonContains: "multiple PEM certificates found",
+				}
+			},
+		},
+		{
+			name: "CA secret with multiple PEMs referred by a plugin",
+			translationFailureTrigger: func(t *testing.T, cleaner *clusters.Cleaner, ns string) expectedTranslationFailure {
+				createdSecret, err := env.Cluster().Client().CoreV1().Secrets(ns).Create(ctx, multiPEMCASecret(ns, invalidCASecretID), metav1.CreateOptions{})
+				require.NoError(t, err)
+				cleaner.Add(createdSecret)
+
+				c, err := clientset.NewForConfig(env.Cluster().Config())
+				require.NoError(t, err)
+				createdPlugin, err := c.ConfigurationV1().KongPlugins(ns).Create(ctx, pluginUsingInvalidCACert(ns), metav1.CreateOptions{})
+				require.NoError(t, err)
+				cleaner.Add(createdPlugin)
+
+				return expectedTranslationFailure{
+					causingObjects: []client.Object{createdSecret, createdPlugin},
+					reasonContains: "multiple PEM certificates found",
+				}
+			},
+		},
 		{
 			name: "invalid CA secret",
 			translationFailureTrigger: func(t *testing.T, cleaner *clusters.Cleaner, ns string) expectedTranslationFailure {
@@ -363,6 +397,34 @@ func invalidCASecret(ns string) *corev1.Secret {
 	}
 }
 
+func multiPEMCASecret(ns, id string) *corev1.Secret {
+	ca1, _ := certificate.MustGenerateCertPEMFormat(
+		certificate.WithCommonName("test-ca-1"),
+		certificate.WithCATrue(),
+	)
+	ca2, _ := certificate.MustGenerateCertPEMFormat(
+		certificate.WithCommonName("test-ca-2"),
+		certificate.WithCATrue(),
+	)
+
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      testutils.RandomName(testTranslationFailuresObjectsPrefix),
+			Namespace: ns,
+			Labels: map[string]string{
+				"konghq.com/ca-cert": "true",
+			},
+			Annotations: map[string]string{
+				annotations.IngressClassKey: consts.IngressClass,
+			},
+		},
+		StringData: map[string]string{
+			"id":   id,
+			"cert": string(ca1) + string(ca2),
+		},
+	}
+}
+
 func pluginUsingInvalidCACert(ns string) *configurationv1.KongPlugin {
 	return &configurationv1.KongPlugin{
 		ObjectMeta: metav1.ObjectMeta{
