Fix legacy CA-signed certs not reissued on SAN mismatch#4493
Merged
caseydavenport merged 6 commits into tigera:master from Mar 5, 2026
Conversation
The issuer identity check at the end of getKeyPair used exact match against TigeraOperatorCAIssuerPrefix, but legacy operator CAs use the format "tigera-operator-signer@<timestamp>". This caused valid legacy certs to be misidentified as BYO, skipping SAN revalidation. Fixes the calico-apiserver TLS failure after the namespace migration from calico-apiserver to calico-system in v3.31, where the cert had SANs for the old namespace but was never reissued.
rene-dekker
reviewed
Mar 4, 2026
Use 365-day cert durations instead of 1-hour so tests actually exercise the code paths past the 30-day grace period check. Also use legacyWithClientKeyUsage (with legacySecretName) in the existing "does replace a legacy secret" test so it hits line 504 instead of bailing out early on invalid key usage. Remove the separate validLegacyCASecret test since the existing test now covers the scenario properly.
…legacy-cert-san-check
The test intended to simulate a user-supplied cert but passed nil as the CA, which creates an operator-signed cert via DefaultOperatorCASignerName. With the HasPrefix fix, this cert is now correctly identified as operator-signed and reissued instead of preserved. Use a real non-operator CA (test.MakeTestCA) to properly simulate BYO behavior.
…legacy-cert-san-check
rene-dekker
approved these changes
Mar 5, 2026
Fixes projectcalico/calico#11363

After the calico-apiserver namespace migration from `calico-apiserver` to `calico-system` in v3.31, long-lived clusters with older operator-signed certs hit TLS errors because the cert SANs still referenced the old namespace.

The root cause is in `getKeyPair`: the issuer identity check at line 504 used exact match (`==`) against `TigeraOperatorCAIssuerPrefix`, but legacy operator CAs use the format `tigera-operator-signer@<timestamp>`. This caused valid legacy certs to be misidentified as BYO (Issuer=nil, so `BYO()` returns true), which skips the SAN revalidation in `GetOrCreateKeyPair`.

The other issuer checks in the same function (lines 460, 489) already use `strings.HasPrefix` correctly. This just makes the last check consistent.

With the fix, old certs enter the `HasPrefix` block, hit the authority key ID mismatch (old CA key != current CA key), and `getKeyPair` returns nil — triggering `GetOrCreateKeyPair` to issue a new cert with correct SANs.
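A minimal model of the two checks described in this PR, added here as an illustration and not code from the tigera/operator repository. It assumes the prefix value `tigera-operator-signer` and a hypothetical `decide` function, and feeds it a constructed legacy certificate to show that the exact-match check keeps it as BYO (no SAN revalidation) while the `HasPrefix` check sends it down the authority-key-ID path and gets it reissued.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"slices"
	"strings"
)

// Assumed value of TigeraOperatorCAIssuerPrefix; legacy operator CAs append "@<timestamp>".
const TigeraOperatorCAIssuerPrefix = "tigera-operator-signer"

// isOperatorSigned: exactMatch=true reproduces the pre-fix "==" check; false uses HasPrefix.
func isOperatorSigned(cert *x509.Certificate, exactMatch bool) bool {
	if exactMatch {
		return cert.Issuer.CommonName == TigeraOperatorCAIssuerPrefix
	}
	return strings.HasPrefix(cert.Issuer.CommonName, TigeraOperatorCAIssuerPrefix)
}

// decide is a simplified, hypothetical model of handling an existing secret: "keep-byo" skips SAN revalidation; any "reissue-*" result means a new cert.
func decide(cert *x509.Certificate, currentCAKeyID []byte, wantSANs []string, exactMatch bool) string {
	if !isOperatorSigned(cert, exactMatch) {
		return "keep-byo"
	}
	if string(cert.AuthorityKeyId) != string(currentCAKeyID) {
		return "reissue-ca-key" // old CA key != current CA key
	}
	for _, want := range wantSANs {
		if !slices.Contains(cert.DNSNames, want) {
			return "reissue-sans"
		}
	}
	return "keep"
}

// legacyCert is a constructed sample signed by a pre-migration operator CA, with a SAN for the old namespace (the service hostname is an assumption, not taken from the PR).
func legacyCert() *x509.Certificate {
	return &x509.Certificate{
		Issuer:         pkix.Name{CommonName: "tigera-operator-signer@1700000000"},
		AuthorityKeyId: []byte{0x01},
		DNSNames:       []string{"calico-api.calico-apiserver.svc"},
	}
}

func main() {
	fmt.Println("before fix:", decide(legacyCert(), []byte{0x02}, []string{"calico-api.calico-system.svc"}, true))
	fmt.Println("after fix: ", decide(legacyCert(), []byte{0x02}, []string{"calico-api.calico-system.svc"}, false))
}
```

The `[]byte{0x02}` passed as the current CA key ID stands in for the rotated operator CA, so the fixed path reports `reissue-ca-key` before the SAN comparison is even reached.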