From 4a7ab7fd75a1d84782dcac85111d57732ef5e2a6 Mon Sep 17 00:00:00 2001
From: aimuz
Date: Thu, 3 Nov 2022 16:58:05 +0800
Subject: [PATCH] Verify that the key matches the cert

Signed-off-by: aimuz
---
 pkg/apis/core/validation/validation.go | 1 -
 pkg/registry/core/secret/strategy.go | 19 +++++++++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
index d53339863b3..83bc148f610 100644
--- a/pkg/apis/core/validation/validation.go
+++ b/pkg/apis/core/validation/validation.go
@@ -5812,7 +5812,6 @@ func ValidateSecret(secret *core.Secret) field.ErrorList {
 if _, exists := secret.Data[core.TLSPrivateKeyKey]; !exists {
 allErrs = append(allErrs, field.Required(dataPath.Key(core.TLSPrivateKeyKey), ""))
 }
- // TODO: Verify that the key matches the cert.
 default:
 // no-op
 }
diff --git a/pkg/registry/core/secret/strategy.go b/pkg/registry/core/secret/strategy.go
index 33397044499..717f731423e 100644
--- a/pkg/registry/core/secret/strategy.go
+++ b/pkg/registry/core/secret/strategy.go
@@ -18,6 +18,7 @@ package secret
 
 import (
 "context"
+ "crypto/tls"
 "fmt"
 
 "k8s.io/apimachinery/pkg/fields"
@@ -61,7 +62,9 @@ func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorLis
 }
 
 // WarningsOnCreate returns warnings for the creation of the given object.
-func (strategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string { return nil }
+func (strategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
+ return warningsForSecret(obj.(*api.Secret))
+}
 
 func (strategy) Canonicalize(obj runtime.Object) {
 }
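Review bot: The unchecked `obj.(*api.Secret)` assertion in the new WarningsOnCreate body panics rather than returning if the strategy is ever handed a different runtime.Object, and the same unchecked assertion is introduced in WarningsOnUpdate in the next hunk. A warning path should never be able to take the request down; a checked assertion keeps it non-fatal: `if s, ok := obj.(*api.Secret); ok { return warningsForSecret(s) }` followed by `return nil`. Whether other methods of this strategy already rely on an unchecked cast is not visible in the hunk, so this may be consistent with existing practice, but the comment on WarningsOnCreate should then at least say that a non-Secret object is a programming error.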
@@ -88,7 +91,7 @@ func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) fie
 
 // WarningsOnUpdate returns warnings for the given update.
 func (strategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
- return nil
+ return warningsForSecret(obj.(*api.Secret))
 }
 
 func dropDisabledFields(secret *api.Secret, oldSecret *api.Secret) {
@@ -130,3 +133,15 @@ func SelectableFields(obj *api.Secret) fields.Set {
 }
 return generic.MergeFieldsSets(objectMetaFieldsSet, secretSpecificFieldsSet)
 }
+
+func warningsForSecret(secret *api.Secret) []string {
+ var warnings []string
+ if secret.Type == api.SecretTypeTLS {
+ // Verify that the key matches the cert.
+ _, err := tls.X509KeyPair(secret.Data[api.TLSCertKey], secret.Data[api.TLSPrivateKeyKey])
+ if err != nil {
+ warnings = append(warnings, err.Error())
+ }
+ }
+ return warnings
+}
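Review bot: The warning emitted by the new warningsForSecret is the bare `tls.X509KeyPair` error text, which names neither the Secret field it concerns nor the fact that the object was still admitted, and the function itself has no doc comment. Since `fmt` is already imported, the append could read `warnings = append(warnings, fmt.Sprintf("data[%s] and data[%s] do not form a valid key pair: %v", api.TLSCertKey, api.TLSPrivateKeyKey, err))`, and a comment such as `// warningsForSecret returns non-fatal warnings for a Secret; for TLS secrets it reports when data[tls.crt] and data[tls.key] do not parse as a matching certificate and private key.` would document the contract. Note that X509KeyPair also fails on a missing or non-PEM entry, not only on a cert/key mismatch, so the inline `// Verify that the key matches the cert.` understates what is checked; the previous hunk's TODO that this replaces lived in ValidateSecret, and making this only a warning means a malformed TLS secret is still stored, which is presumably the intended compatibility choice but is worth stating in the comment.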