Add issuer option to be strict on certificate names

tsuru · Sep 6, 2024 · 62545b3 · 62545b3
1 parent e525cbd
commit 62545b3
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/internal/pkg/rpaas/certificates.go b/internal/pkg/rpaas/certificates.go
@@ -87,6 +87,14 @@ func (m *k8sRpaasManager) UpdateCertManagerRequest(ctx context.Context, instance
 		}
 	}
 
+	if issuerAnnotations[strictNamesAnnotation] == "true" && len(in.DNSNames) > 0 {
+		expectedName := strings.TrimPrefix(in.DNSNames[0], "*.")
+
+		if expectedName != in.Name {
+			return &ValidationError{Msg: fmt.Sprintf("the name of this certificate must be: %q", expectedName)}
+		}
+	}
+
 	if issuerAnnotations[allowWildcardAnnotation] == "false" {
 		for _, dnsName := range in.DNSNames {
 			if strings.HasPrefix(dnsName, "*") {

diff --git a/internal/pkg/rpaas/certificates_test.go b/internal/pkg/rpaas/certificates_test.go
@@ -138,6 +138,7 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
 					maxDNSNamesAnnotation:   "1",
 					maxIPsAnnotation:        "0",
 					allowWildcardAnnotation: "false",
+					strictNamesAnnotation:   "true",
 				},
 			},
 		},
@@ -274,6 +275,7 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
 		"with forbidden use of wildcards": {
 			instanceName: "my-instance-1",
 			certManager: clientTypes.CertManager{
+				Name:     "example.org",
 				DNSNames: []string{"*.example.org"},
 			},
 			cfg: config.RpaasConfig{
@@ -283,6 +285,19 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
 			expectedError: "wildcard DNS names are not allowed on this issuer",
 		},
 
+		"with strict names": {
+			instanceName: "my-instance-1",
+			certManager: clientTypes.CertManager{
+				Name:     "cert-1",
+				DNSNames: []string{"my-instance-1.example.com"},
+			},
+			cfg: config.RpaasConfig{
+				EnableCertManager:        true,
+				DefaultCertManagerIssuer: "issuer-2",
+			},
+			expectedError: "the name of this certificate must be: \"my-instance-1.example.com\"",
+		},
+
 		"using wrong certificate issuer from configs": {
 			instanceName: "my-instance-1",
 			certManager: clientTypes.CertManager{

diff --git a/internal/pkg/rpaas/k8s.go b/internal/pkg/rpaas/k8s.go
@@ -73,6 +73,7 @@ const (
 	externalDNSHostnameLabel  = "external-dns.alpha.kubernetes.io/hostname"
 	allowedDNSZonesAnnotation = "rpaas.extensions.tsuru.io/allowed-dns-zones"
 	maxDNSNamesAnnotation     = "rpaas.extensions.tsuru.io/cert-manager-max-dns-names"
+	strictNamesAnnotation     = "rpaas.extensions.tsuru.io/cert-manager-strict-names"
 	maxIPsAnnotation          = "rpaas.extensions.tsuru.io/cert-manager-max-ips"
 	allowWildcardAnnotation   = "rpaas.extensions.tsuru.io/cert-manager-allow-wildcard"