certgraphanalysis: add more locations for CA locations

CAs can be stored in a variety of keys. This commits adds more common used configmap key names for CAs
openshift · Oct 9, 2024 · cbe9e01 · cbe9e01
1 parent 5964764
commit cbe9e01
Showing 1 changed file with 24 additions and 2 deletions.
diff --git a/pkg/certs/cert-inspection/certgraphanalysis/analyzer.go b/pkg/certs/cert-inspection/certgraphanalysis/analyzer.go
@@ -2,6 +2,7 @@ package certgraphanalysis
 
 import (
 	"fmt"
+	"slices"
 
 	"github.com/openshift/library-go/pkg/certs/cert-inspection/certgraphapi"
 	certificatesv1 "k8s.io/api/certificates/v1"
@@ -13,6 +14,16 @@ import (
 	"k8s.io/client-go/util/cert"
 )
 
+var caBundleKeys = []string{
+	"ca-bundle.crt",
+	"client-ca-file",
+	"client-ca.crt",
+	"metrics-ca-bundle.crt",
+	"requestheader-client-ca-file",
+	"image-registry.openshift-image-registry.svc..5000",
+	"image-registry.openshift-image-registry.svc.cluster.local..5000",
+}
+
 func InspectSecret(obj *corev1.Secret) ([]*certgraphapi.CertKeyPair, error) {
 	tlsCrt, isTLS := obj.Data["tls.crt"]
 	if !isTLS || len(tlsCrt) == 0 {
@@ -60,8 +71,19 @@ func InspectConfigMap(obj *corev1.ConfigMap) (*certgraphapi.CertificateAuthority
 		return details, nil
 	}
 
-	caBundle, ok := obj.Data["ca-bundle.crt"]
-	if !ok || len(caBundle) == 0 {
+	var caBundle string
+	for key := range obj.Data {
+		if !slices.Contains(caBundleKeys, key) {
+			continue
+		}
+		value, ok := obj.Data[key]
+		if ok && len(value) > 0 {
+			caBundle = value
+			break
+		}
+	}
+
+	if len(caBundle) == 0 {
 		return nil, nil
 	}