[release-v1.42] Auto pick #4936: Goldmane: trust Cloud Linseed signer for flow uploads (#4913)#4982

Open
Brian-McM wants to merge 1 commit into
tigera:release-v1.42from
Brian-McM:auto-pick-of-#4936-upstream-release-v1.42

Conversation

@Brian-McM

Contributor

Cherry pick of #4936 on release-v1.42.

#4936: Goldmane: trust Cloud Linseed signer for flow uploads (#4913)

Original PR Body below

Description

Fixes #4913.

On Calico OSS clusters connected to Calico Cloud via ManagementClusterConnection, Goldmane's flow emitter could not verify Guardian and failed with:

tls: failed to verify certificate: x509: certificate signed by unknown authority
(... candidate authority certificate "tigera-operator-signer")

Root cause

The Goldmane controller builds its trusted CA bundle (goldmane-ca-bundle) from render.VoltronLinseedPublicCert. PR #4153 renamed that constant from tigera-voltron-linseed-certs-public to calico-voltron-linseed-certs-public, but the management cluster (Calico Cloud) still delivers its operator-signer to managed clusters under the legacy tigera- name.

Because the names no longer matched, GetCertificate returned nil for a not-found secret and AddCertificates(nil) silently skipped it, leaving the bundle with only the local signer (the reported "1 cert" symptom). Goldmane reuses that bundle as CA_CERT_PATH for the HTTP flow emitter, so uploads to Guardian's Cloud-signed leaf failed TLS verification.

Fix

  • Trust whichever of the current (calico-voltron-linseed-certs-public) and legacy (tigera-voltron-linseed-certs-public) Linseed public cert secrets is present.
  • Degrade (ResourceNotReady) when connected to a management cluster but neither secret exists, instead of silently shipping an incomplete bundle — so this class of misconfiguration surfaces early. (Also added the missing return after a bundle-creation error, and a watch on the legacy secret name.)

Tests

  • New goldmane controller test suite (ginkgo v2) covering: trusts the legacy secret, trusts the current secret, degrades when connected but neither is present, and does not require the cert on standalone clusters.
  • Migrated the whisker controller tests to ginkgo v2 (they were on stale v1 imports and did not compile).

🤖 Generated with Claude Code

Release Note

Fix Goldmane flow uploads to Guardian on Calico Cloud-managed clusters by trusting the management cluster Linseed signer under both its current and legacy secret names.

On Calico OSS clusters connected to Calico Cloud via ManagementClusterConnection,
Goldmane's flow emitter could not verify Guardian and failed with "certificate
signed by unknown authority".

The Goldmane controller builds its trusted CA bundle from render.VoltronLinseedPublicCert.
PR tigera#4153 renamed that constant from tigera-voltron-linseed-certs-public to
calico-voltron-linseed-certs-public, but the management cluster (Calico Cloud) still
delivers the operator-signer to managed clusters under the legacy tigera- name. The
name mismatch caused GetCertificate to return nil, which AddCertificates silently
skipped, leaving the bundle with only the local signer.

Trust whichever of the current/legacy Linseed public cert secrets is present, and
degrade (ResourceNotReady) when connected to a management cluster but neither exists,
so this class of misconfiguration surfaces early instead of failing silently.

Also migrate the whisker controller tests to ginkgo v2.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
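A minimal model of the root cause and the fix described in the PR body, written as an added example in Go and not taken from the tigera/operator code base: `Cert`, `getCertificate`, `buildCABundleBefore` and `buildCABundleAfter` are hypothetical stand-ins for the controller's bundle construction, and the secrets map is constructed input. It shows how a nil result silently skipped leaves only the local signer, and how the fixed variant trusts either secret name and fails closed when connected to a management cluster with neither present.

```go
package main

import "errors"

// Secret names from the PR: the current name and the legacy name Calico Cloud still uses.
const (
	currentLinseedSecret = "calico-voltron-linseed-certs-public"
	legacyLinseedSecret  = "tigera-voltron-linseed-certs-public"
)

// Cert is a hypothetical stand-in for a certificate loaded from a secret.
type Cert struct{ Name string }

// ErrLinseedSignerMissing models the ResourceNotReady degrade condition.
var ErrLinseedSignerMissing = errors.New("connected to management cluster but no Linseed public cert secret found")

// getCertificate mimics the PR's lookup: a missing secret yields nil, not an error.
func getCertificate(secrets map[string]Cert, name string) *Cert {
	if c, ok := secrets[name]; ok {
		return &c
	}
	return nil
}

// buildCABundleBefore reproduces the pre-fix behaviour: only the current name is consulted
// and nil is silently skipped, so a legacy-only cluster keeps just the local signer ("1 cert").
func buildCABundleBefore(secrets map[string]Cert, localSigner Cert) []Cert {
	bundle := []Cert{localSigner}
	if c := getCertificate(secrets, currentLinseedSecret); c != nil {
		bundle = append(bundle, *c)
	}
	return bundle
}

// buildCABundleAfter applies the fix: trust whichever secret is present and
// degrade, rather than ship an incomplete bundle, when connected to a
// management cluster and neither exists. Standalone clusters need neither.
func buildCABundleAfter(secrets map[string]Cert, localSigner Cert, connected bool) ([]Cert, error) {
	bundle := []Cert{localSigner}
	for _, name := range []string{currentLinseedSecret, legacyLinseedSecret} {
		if c := getCertificate(secrets, name); c != nil {
			bundle = append(bundle, *c)
		}
	}
	if connected && len(bundle) == 1 {
		return nil, ErrLinseedSignerMissing
	}
	return bundle, nil
}
```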
@Brian-McM Brian-McM force-pushed the auto-pick-of-#4936-upstream-release-v1.42 branch from c5a26b6 to be63dd1 Compare July 3, 2026 15:10
@danudey danudey modified the milestones: v1.42.4, v1.42.5 Jul 3, 2026