Merge pull request #113581 from aimuz/verify-tls-secret

Verify that the key matches the cert

pkg/apis/core/validation/validation.go

@@ -5814,7 +5814,6 @@ func ValidateSecret(secret *core.Secret) field.ErrorList {
 		if _, exists := secret.Data[core.TLSPrivateKeyKey]; !exists {
 			allErrs = append(allErrs, field.Required(dataPath.Key(core.TLSPrivateKeyKey), ""))
 		}
-	// TODO: Verify that the key matches the cert.
 	default:
 		// no-op
 	}

pkg/registry/core/secret/strategy.go

@@ -18,6 +18,7 @@ package secret
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 
 	"k8s.io/apimachinery/pkg/fields"
@@ -61,7 +62,9 @@ func (strategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorLis
 }
 
 // WarningsOnCreate returns warnings for the creation of the given object.
-func (strategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string { return nil }
+func (strategy) WarningsOnCreate(ctx context.Context, obj runtime.Object) []string {
+	return warningsForSecret(obj.(*api.Secret))
+}
 
 func (strategy) Canonicalize(obj runtime.Object) {
 }
@@ -88,7 +91,7 @@ func (strategy) ValidateUpdate(ctx context.Context, obj, old runtime.Object) fie
 
 // WarningsOnUpdate returns warnings for the given update.
 func (strategy) WarningsOnUpdate(ctx context.Context, obj, old runtime.Object) []string {
-	return nil
+	return warningsForSecret(obj.(*api.Secret))
 }
 
 func dropDisabledFields(secret *api.Secret, oldSecret *api.Secret) {
@@ -130,3 +133,15 @@ func SelectableFields(obj *api.Secret) fields.Set {
 	}
 	return generic.MergeFieldsSets(objectMetaFieldsSet, secretSpecificFieldsSet)
 }
+
+func warningsForSecret(secret *api.Secret) []string {
+	var warnings []string
+	if secret.Type == api.SecretTypeTLS {
+		// Verify that the key matches the cert.
+		_, err := tls.X509KeyPair(secret.Data[api.TLSCertKey], secret.Data[api.TLSPrivateKeyKey])
+		if err != nil {
+			warnings = append(warnings, err.Error())
+		}
+	}
+	return warnings
+}