Add some business validation on issuers
wpjunior committed Aug 16, 2024
1 parent 327efe7 commit 300c285
Showing 3 changed files with 72 additions and 0 deletions.
23 changes: 23 additions & 0 deletions internal/pkg/rpaas/certificates.go
Expand Up @@ -7,6 +7,7 @@ package rpaas
import (
"context"
"fmt"
"strconv"
"strings"

cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
Expand Down Expand Up @@ -71,6 +72,28 @@ func (m *k8sRpaasManager) UpdateCertManagerRequest(ctx context.Context, instance
return err
}

if issuerAnnotations[maxDNSNamesAnnotation] != "" {
maxDNSName, _ := strconv.Atoi(issuerAnnotations[maxDNSNamesAnnotation])
if len(in.DNSNames) > maxDNSName {
return &ValidationError{Msg: fmt.Sprintf("maximum number of DNS names exceeded (maximum allowed: %d)", maxDNSName)}
}
}

if issuerAnnotations[maxIPsAnnotation] != "" {
maxIPs, _ := strconv.Atoi(issuerAnnotations[maxIPsAnnotation])
if len(in.IPAddresses) > maxIPs {
return &ValidationError{Msg: fmt.Sprintf("maximum number of IP Addresses exceeded (maximum allowed: %d)", maxIPs)}
}
}

if issuerAnnotations[allowWildcardAnnotation] == "false" {
for _, dnsName := range in.DNSNames {
if strings.HasPrefix(dnsName, "*") {
return &ValidationError{Msg: "wildcard DNS names are not allowed on this issuer"}
}
}
}

newRequest := v1alpha1.CertManager{
Name: in.Name,
Issuer: issuer,
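Review bot: The `strconv.Atoi` results on the maxDNSNamesAnnotation and maxIPsAnnotation lines discard the parse error, so an annotation value that is not a plain integer (a typo, surrounding whitespace, "10 ") silently becomes 0 and every request against that issuer is rejected with "maximum allowed: 0", with nothing pointing the operator at the misconfigured annotation. The wildcard check has the opposite failure mode: only the exact string "false" disables wildcards, so "False", "no" or "0" leave wildcard DNS names allowed, which is the permissive outcome for a setting meant to restrict issuance. Both are better surfaced as explicit errors at parse time, using `strconv.ParseBool` for the wildcard flag so the accepted spellings are well defined; whether that error should be a `*ValidationError` or a plain error is a choice for the caller, since it reflects issuer configuration rather than user input. UpdateCertManagerRequest starts and ends outside this hunk.
```go
	if raw := issuerAnnotations[maxDNSNamesAnnotation]; raw != "" {
		maxDNSName, err := strconv.Atoi(raw)
		if err != nil {
			return fmt.Errorf("parsing issuer annotation %s: %w", maxDNSNamesAnnotation, err)
		}
		// … unchanged: len(in.DNSNames) > maxDNSName check …
	}

	// … unchanged: same parse-and-check pattern for maxIPsAnnotation …

	if raw := issuerAnnotations[allowWildcardAnnotation]; raw != "" {
		allowWildcard, err := strconv.ParseBool(raw)
		if err != nil {
			return fmt.Errorf("parsing issuer annotation %s: %w", allowWildcardAnnotation, err)
		}
		if !allowWildcard {
			// … unchanged: loop rejecting DNS names with a "*" prefix …
		}
	}
```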
46 changes: 46 additions & 0 deletions internal/pkg/rpaas/certificates_test.go
Expand Up @@ -131,6 +131,16 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
},
},
},
&cmv1.ClusterIssuer{
ObjectMeta: metav1.ObjectMeta{
Name: "issuer-2",
Annotations: map[string]string{
maxDNSNamesAnnotation: "1",
maxIPsAnnotation: "0",
allowWildcardAnnotation: "false",
},
},
},
&cmv1.ClusterIssuer{
ObjectMeta: metav1.ObjectMeta{
Name: "default-issuer",
Expand Down Expand Up @@ -237,6 +247,42 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
expectedError: "there is some DNS name with forbidden suffix (invalid ones: wrong.io, wrong.com - allowed DNS suffixes: example.com, example.org)",
},

"with exceeded number of DNS names": {
instanceName: "my-instance-1",
certManager: clientTypes.CertManager{
DNSNames: []string{"my-instance-1.example.com", "my-instance-1.example.org"},
},
cfg: config.RpaasConfig{
EnableCertManager: true,
DefaultCertManagerIssuer: "issuer-2",
},
expectedError: "maximum number of DNS names exceeded (maximum allowed: 1)",
},

"with exceeded number of IP Addresses": {
instanceName: "my-instance-1",
certManager: clientTypes.CertManager{
IPAddresses: []string{"10.1.1.1"},
},
cfg: config.RpaasConfig{
EnableCertManager: true,
DefaultCertManagerIssuer: "issuer-2",
},
expectedError: "maximum number of IP Addresses exceeded (maximum allowed: 0)",
},

"with forbidden use of wildcards": {
instanceName: "my-instance-1",
certManager: clientTypes.CertManager{
DNSNames: []string{"*.example.org"},
},
cfg: config.RpaasConfig{
EnableCertManager: true,
DefaultCertManagerIssuer: "issuer-2",
},
expectedError: "wildcard DNS names are not allowed on this issuer",
},

"using wrong certificate issuer from configs": {
instanceName: "my-instance-1",
certManager: clientTypes.CertManager{
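Review bot: The three new cases only exercise the rejecting path of each limit; there is no case for a request exactly at the limit (one DNS name against `maxDNSNamesAnnotation: "1"`) to pin the boundary as inclusive, and no case with an annotation value that does not parse as an integer, which is the branch where the production code's ignored `strconv.Atoi` error changes behaviour. Adding a second ClusterIssuer fixture with a non-numeric limit and asserting the resulting error (or lack of one) would document whichever behaviour is intended. Test_k8sRpaasManager_UpdateCertManagerRequest starts and ends outside this section.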
3 changes: 3 additions & 0 deletions internal/pkg/rpaas/k8s.go
Expand Up @@ -72,6 +72,9 @@ const (

externalDNSHostnameLabel = "external-dns.alpha.kubernetes.io/hostname"
allowedDNSZonesAnnotation = "rpaas.extensions.tsuru.io/allowed-dns-zones"
maxDNSNamesAnnotation = "rpaas.extensions.tsuru.io/cert-manager-max-dns-names"
maxIPsAnnotation = "rpaas.extensions.tsuru.io/cert-manager-max-ips"
allowWildcardAnnotation = "rpaas.extensions.tsuru.io/cert-manager-allow-wildcard"

nginxContainerName = "nginx"
)
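Review bot: The three new annotation constants carry no comment describing the value each one expects, although they are the operator-facing contract that certificates.go enforces. A short comment on each line would settle the format without reading the consumer, for example `// maxDNSNamesAnnotation holds a non-negative integer; requests with more DNS names are rejected.`, `// maxIPsAnnotation holds a non-negative integer; requests with more IP addresses are rejected.` and `// allowWildcardAnnotation set to "false" rejects DNS names starting with "*".`. The const block starts and ends outside this hunk.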

0 comments on commit 300c285

Please sign in to comment.