Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allow TLS secrets to be of type Opaque #4799

Merged
merged 2 commits into from
Oct 24, 2022
Merged

allow TLS secrets to be of type Opaque #4799

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ee82b17
allow TLS secrets to be of type Opaque
skriss Oct 12, 2022
e008ac5
changelog
skriss Oct 17, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelogs/unreleased/4799-skriss-small.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Allow TLS certificate secrets to be of type `Opaque` as long as they have valid `tls.crt` and `tls.key` entries.
20 changes: 5 additions & 15 deletions internal/dag/secret.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,15 +32,12 @@ const (
CRLKey = "crl.pem"
)

// validTLSSecret returns an error if the Secret is not of type TLS or
// validTLSSecret returns an error if the Secret is not of type TLS or Opaque or
// if it doesn't contain valid certificate and private key material in
// the tls.crt and tls.key keys.
func validTLSSecret(secret *v1.Secret) error {
// Must be of type TLS (TODO can we relax this? https://github.com/projectcontour/contour/issues/3180)
// Must have isValid tls.crt and tls.key data

if secret.Type != v1.SecretTypeTLS {
return fmt.Errorf("secret type is not %q", v1.SecretTypeTLS)
if secret.Type != v1.SecretTypeTLS && secret.Type != v1.SecretTypeOpaque {
return fmt.Errorf("secret type is not %q or %q", v1.SecretTypeTLS, v1.SecretTypeOpaque)
}

data, ok := secret.Data[v1.TLSCertKey]
Expand All @@ -64,12 +61,9 @@ func validTLSSecret(secret *v1.Secret) error {
return nil
}

// validCASecret returns an error if the Secret is not of type Opaque or TLS or
// validCASecret returns an error if the Secret is not of type TLS or Opaque or
// if it doesn't contain a valid CA bundle in the ca.crt key.
func validCASecret(secret *v1.Secret) error {
// Must be of type Opaque or TLS
// Must have valid ca.crt data

if secret.Type != v1.SecretTypeTLS && secret.Type != v1.SecretTypeOpaque {
return fmt.Errorf("secret type is not %q or %q", v1.SecretTypeTLS, v1.SecretTypeOpaque)
}
Expand All @@ -85,13 +79,9 @@ func validCASecret(secret *v1.Secret) error {
return nil
}

// validCRLSecret returns an error if the Secret is not of type Opaque or TLS or
// validCRLSecret returns an error if the Secret is not of type TLS or Opaque or
// if it doesn't contain a valid CRL in the crl.pem key.
func validCRLSecret(secret *v1.Secret) error {

// Must be of type Opaque or TLS
// Must have isValid crl.pem data

if secret.Type != v1.SecretTypeTLS && secret.Type != v1.SecretTypeOpaque {
return fmt.Errorf("secret type is not %q or %q", v1.SecretTypeTLS, v1.SecretTypeOpaque)
}
Expand Down
22 changes: 11 additions & 11 deletions internal/dag/secret_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -244,7 +244,7 @@ func TestValidSecrets(t *testing.T) {
CACertificateKey: []byte(fixture.CA_CERT),
},
},
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
tlsSecretError: errors.New(`missing TLS certificate`),
caSecretError: nil,
crlSecretError: errors.New(`empty "crl.pem" key`),
},
Expand All @@ -255,7 +255,7 @@ func TestValidSecrets(t *testing.T) {
CACertificateKey: []byte(fixture.CERTIFICATE_WITH_TEXT),
},
},
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
tlsSecretError: errors.New(`missing TLS certificate`),
caSecretError: nil,
crlSecretError: errors.New(`empty "crl.pem" key`),
},
Expand All @@ -266,7 +266,7 @@ func TestValidSecrets(t *testing.T) {
CACertificateKey: []byte(fixture.CA_CERT_NO_CN),
},
},
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
tlsSecretError: errors.New(`missing TLS certificate`),
caSecretError: nil,
crlSecretError: errors.New(`empty "crl.pem" key`),
},
Expand All @@ -275,7 +275,7 @@ func TestValidSecrets(t *testing.T) {
Type: v1.SecretTypeOpaque,
Data: caBundleData(fixture.CERTIFICATE, fixture.CERTIFICATE, fixture.CERTIFICATE, fixture.CERTIFICATE),
},
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
tlsSecretError: errors.New(`missing TLS certificate`),
caSecretError: nil,
crlSecretError: errors.New(`empty "crl.pem" key`),
},
Expand All @@ -284,7 +284,7 @@ func TestValidSecrets(t *testing.T) {
Type: v1.SecretTypeOpaque,
Data: caBundleData(),
},
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
tlsSecretError: errors.New(`missing TLS certificate`),
caSecretError: errors.New(`invalid CA certificate bundle: failed to locate certificate`),
crlSecretError: errors.New(`empty "crl.pem" key`),
},
Expand All @@ -295,7 +295,7 @@ func TestValidSecrets(t *testing.T) {
CACertificateKey: []byte(""),
},
},
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
tlsSecretError: errors.New(`missing TLS certificate`),
caSecretError: errors.New(`empty "ca.crt" key`),
crlSecretError: errors.New(`empty "crl.pem" key`),
},
Expand All @@ -306,7 +306,7 @@ func TestValidSecrets(t *testing.T) {
"some-other-key": []byte("value"),
},
},
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
tlsSecretError: errors.New(`missing TLS certificate`),
caSecretError: errors.New(`empty "ca.crt" key`),
crlSecretError: errors.New(`empty "crl.pem" key`),
},
Expand All @@ -319,7 +319,7 @@ func TestValidSecrets(t *testing.T) {
CACertificateKey: []byte(fixture.CA_CERT),
},
},
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
tlsSecretError: nil,
caSecretError: nil,
crlSecretError: errors.New(`empty "crl.pem" key`),
},
Expand All @@ -330,7 +330,7 @@ func TestValidSecrets(t *testing.T) {
CRLKey: []byte(fixture.CRL),
},
},
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
tlsSecretError: errors.New(`missing TLS certificate`),
caSecretError: errors.New(`empty "ca.crt" key`),
crlSecretError: nil,
},
Expand All @@ -341,7 +341,7 @@ func TestValidSecrets(t *testing.T) {
CRLKey: []byte(""),
},
},
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
tlsSecretError: errors.New(`missing TLS certificate`),
caSecretError: errors.New(`empty "ca.crt" key`),
crlSecretError: errors.New(`empty "crl.pem" key`),
},
Expand All @@ -355,7 +355,7 @@ func TestValidSecrets(t *testing.T) {
CRLKey: []byte(fixture.CRL),
},
},
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls"`),
tlsSecretError: errors.New(`secret type is not "kubernetes.io/tls" or "Opaque"`),
caSecretError: errors.New(`secret type is not "kubernetes.io/tls" or "Opaque"`),
crlSecretError: errors.New(`secret type is not "kubernetes.io/tls" or "Opaque"`),
},
Expand Down