fixup! fixup! fixup! runtime/secrets: add package for consolidated secret handling

cappyzawa · cappyzawa · commit 94fce87753bb · 2025-06-25T01:16:36.000+09:00
improve TLS validation error messages

Signed-off-by: cappyzawa &lt;cappyzawa@gmail.com&gt;
diff --git a/runtime/secrets/error.go b/runtime/secrets/error.go
@@ -19,6 +19,8 @@ package secrets
 import (
 	"errors"
 	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
 )
 
 var (
@@ -38,3 +40,54 @@ func (e *KeyNotFoundError) Error() string {
 func (e *KeyNotFoundError) Is(target error) bool {
 	return errors.Is(target, ErrKeyNotFound)
 }
+
+// TLSValidationError represents TLS certificate validation errors.
+type TLSValidationError struct {
+	Type TLSValidationErrorType
+}
+
+// TLSValidationErrorType defines the type of TLS validation error.
+type TLSValidationErrorType int
+
+const (
+	// ErrMissingPrivateKey indicates that a certificate exists but the private key is missing.
+	ErrMissingPrivateKey TLSValidationErrorType = iota
+	// ErrMissingCertificate indicates that a private key exists but the certificate is missing.
+	ErrMissingCertificate
+	// ErrNoCertificatePairOrCA indicates that neither a certificate pair nor a CA certificate is present.
+	ErrNoCertificatePairOrCA
+)
+
+func (e *TLSValidationError) Error() string {
+	switch e.Type {
+	case ErrMissingPrivateKey:
+		return "found certificate but missing private key"
+	case ErrMissingCertificate:
+		return "found private key but missing certificate"
+	case ErrNoCertificatePairOrCA:
+		return "no CA certificate or client certificate pair found"
+	default:
+		return "TLS validation error"
+	}
+}
+
+// enhanceSecretValidationError enhances TLS validation errors with secret reference information.
+func enhanceSecretValidationError(err error, secret *corev1.Secret) error {
+	var tlsErr *TLSValidationError
+	if !errors.As(err, &tlsErr) {
+		return err
+	}
+
+	secretRef := fmt.Sprintf("'%s/%s'", secret.Namespace, secret.Name)
+
+	switch tlsErr.Type {
+	case ErrMissingPrivateKey:
+		return fmt.Errorf("secret %s contains '%s' but missing '%s'", secretRef, TLSCertKey, TLSKeyKey)
+	case ErrMissingCertificate:
+		return fmt.Errorf("secret %s contains '%s' but missing '%s'", secretRef, TLSKeyKey, TLSCertKey)
+	case ErrNoCertificatePairOrCA:
+		return fmt.Errorf("secret %s must contain either '%s' or both '%s' and '%s'", secretRef, CACertKey, TLSCertKey, TLSKeyKey)
+	default:
+		return err
+	}
+}
diff --git a/runtime/secrets/reader.go b/runtime/secrets/reader.go
@@ -47,7 +47,7 @@ func TLSConfigFromSecret(ctx context.Context, c client.Client, name, namespace s
 
 	certData, err := getTLSCertificateData(secret, options.supportDeprecatedFields)
 	if err != nil {
-		return nil, err
+		return nil, enhanceSecretValidationError(err, secret)
 	}
 
 	return buildTLSConfig(certData)
diff --git a/runtime/secrets/reader_test.go b/runtime/secrets/reader_test.go
@@ -228,7 +228,7 @@ func TestTLSConfigFromSecret(t *testing.T) {
 					secrets.TLSKeyFileKey:  tlsKey,
 				},
 			},
-			errMsg: "no CA certificate or client certificate pair found",
+			errMsg: "secret 'default/tls-secret' must contain either 'ca.crt' or both 'tls.crt' and 'tls.key'",
 		},
 		{
 			name: "invalid certificate data",
@@ -282,7 +282,7 @@ func TestTLSConfigFromSecret(t *testing.T) {
 					secrets.TLSCertKey: tlsCert,
 				},
 			},
-			errMsg: "found certificate but missing private key",
+			errMsg: "secret 'default/tls-secret' contains 'tls.crt' but missing 'tls.key'",
 		},
 		{
 			name: "key without certificate",
@@ -295,7 +295,7 @@ func TestTLSConfigFromSecret(t *testing.T) {
 					secrets.TLSKeyKey: tlsKey,
 				},
 			},
-			errMsg: "found private key but missing certificate",
+			errMsg: "secret 'default/tls-secret' contains 'tls.key' but missing 'tls.crt'",
 		},
 		{
 			name: "no certificates at all",
@@ -306,7 +306,7 @@ func TestTLSConfigFromSecret(t *testing.T) {
 				},
 				Data: map[string][]byte{},
 			},
-			errMsg: "no CA certificate or client certificate pair found",
+			errMsg: "secret 'default/tls-secret' must contain either 'ca.crt' or both 'tls.crt' and 'tls.key'",
 		},
 	}
 
diff --git a/runtime/secrets/secrets.go b/runtime/secrets/secrets.go
@@ -82,13 +82,13 @@ func (t *tlsCertificateData) validate() error {
 
 	if hasCert != hasKey {
 		if hasCert {
-			return fmt.Errorf("found certificate but missing private key")
+			return &TLSValidationError{Type: ErrMissingPrivateKey}
 		}
-		return fmt.Errorf("found private key but missing certificate")
+		return &TLSValidationError{Type: ErrMissingCertificate}
 	}
 
 	if !hasCert && !hasCA {
-		return fmt.Errorf("no CA certificate or client certificate pair found")
+		return &TLSValidationError{Type: ErrNoCertificatePairOrCA}
 	}
 
 	return nil

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ func TLSConfigFromSecret(ctx context.Context, c client.Client, name, namespace s`
`47`	`47`
`48`	`48`	`certData, err := getTLSCertificateData(secret, options.supportDeprecatedFields)`
`49`	`49`	`if err != nil {`
`50`		`- return nil, err`
	`50`	`+ return nil, enhanceSecretValidationError(err, secret)`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`return buildTLSConfig(certData)`
Original file line number	Diff line number	Diff line change
`@@ -82,13 +82,13 @@ func (t *tlsCertificateData) validate() error {`
`82`	`82`
`83`	`83`	`if hasCert != hasKey {`
`84`	`84`	`if hasCert {`
`85`		`- return fmt.Errorf("found certificate but missing private key")`
	`85`	`+ return &TLSValidationError{Type: ErrMissingPrivateKey}`
`86`	`86`	`}`
`87`		`- return fmt.Errorf("found private key but missing certificate")`
	`87`	`+ return &TLSValidationError{Type: ErrMissingCertificate}`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`if !hasCert && !hasCA {`
`91`		`- return fmt.Errorf("no CA certificate or client certificate pair found")`
	`91`	`+ return &TLSValidationError{Type: ErrNoCertificatePairOrCA}`
`92`	`92`	`}`
`93`	`93`
`94`	`94`	`return nil`