From 725af9456d3c5c3f82b1fc6719ce16f3972c6ca6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wilson=20J=C3=BAnior?=
Date: Fri, 6 Sep 2024 10:35:59 -0300
Subject: [PATCH] Add issuer option to be strict on certificate names

---
 internal/pkg/rpaas/certificates.go | 8 ++++++++
 internal/pkg/rpaas/certificates_test.go | 15 +++++++++++++++
 internal/pkg/rpaas/k8s.go | 1 +
 3 files changed, 24 insertions(+)

diff --git a/internal/pkg/rpaas/certificates.go b/internal/pkg/rpaas/certificates.go
index e7976f6b..3f0e4f87 100644
--- a/internal/pkg/rpaas/certificates.go
+++ b/internal/pkg/rpaas/certificates.go
@@ -87,6 +87,14 @@ func (m *k8sRpaasManager) UpdateCertManagerRequest(ctx context.Context, instance
 }
 }
 
+ if issuerAnnotations[strictNamesAnnotation] == "true" && len(in.DNSNames) > 0 {
+ expectedName := strings.TrimPrefix(in.DNSNames[0], "*.")
+
+ if expectedName != in.Name {
+ return &ValidationError{Msg: fmt.Sprintf("the name of this certificate must be: %q", expectedName)}
+ }
+ }
+
 if issuerAnnotations[allowWildcardAnnotation] == "false" {
 for _, dnsName := range in.DNSNames {
 if strings.HasPrefix(dnsName, "*") {
diff --git a/internal/pkg/rpaas/certificates_test.go b/internal/pkg/rpaas/certificates_test.go
index cb31ba97..932d7bae 100644
--- a/internal/pkg/rpaas/certificates_test.go
+++ b/internal/pkg/rpaas/certificates_test.go
@@ -138,6 +138,7 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
 maxDNSNamesAnnotation: "1",
 maxIPsAnnotation: "0",
 allowWildcardAnnotation: "false",
+ strictNamesAnnotation: "true",
 },
 },
 },
@@ -274,6 +275,7 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
 "with forbidden use of wildcards": {
 instanceName: "my-instance-1",
 certManager: clientTypes.CertManager{
+ Name: "example.org",
 DNSNames: []string{"*.example.org"},
 },
 cfg: config.RpaasConfig{
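Review bot: The strict-name check in certificates.go compares `expectedName != in.Name` byte-for-byte, so a request whose DNS name differs from the certificate name only in letter case is rejected even though DNS names are case-insensitive; if the option is meant to bind the two the way DNS does, `if !strings.EqualFold(expectedName, in.Name) {` is the comparison to use, and if the certificate name is deliberately required in one canonical spelling that should be said in the error message. The check also inspects only `in.DNSNames[0]` and is skipped entirely when `DNSNames` is empty, so additional SANs, and a request carrying no DNS names at all, are not bound to the certificate name; whether that is intended cannot be told from the hunk, and a comment above the block such as `// strict names: the certificate name must equal the first DNS name (wildcard "*." prefix dropped); remaining SANs are only bounded by the max-dns-names annotation` would record the contract for the next reader. The same sentence belongs on the new `strictNamesAnnotation` constant in k8s.go, which is added without a comment. UpdateCertManagerRequest starts and ends outside the hunk.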
@@ -283,6 +285,19 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
 expectedError: "wildcard DNS names are not allowed on this issuer",
 },
 
+ "with strict names": {
+ instanceName: "my-instance-1",
+ certManager: clientTypes.CertManager{
+ Name: "cert-1",
+ DNSNames: []string{"my-instance-1.example.com"},
+ },
+ cfg: config.RpaasConfig{
+ EnableCertManager: true,
+ DefaultCertManagerIssuer: "issuer-2",
+ },
+ expectedError: "the name of this certificate must be: \"my-instance-1.example.com\"",
+ },
+
 "using wrong certificate issuer from configs": {
 instanceName: "my-instance-1",
 certManager: clientTypes.CertManager{
diff --git a/internal/pkg/rpaas/k8s.go b/internal/pkg/rpaas/k8s.go
index 43e8140f..5dcc4552 100644
--- a/internal/pkg/rpaas/k8s.go
+++ b/internal/pkg/rpaas/k8s.go
@@ -73,6 +73,7 @@ const (
 externalDNSHostnameLabel = "external-dns.alpha.kubernetes.io/hostname"
 allowedDNSZonesAnnotation = "rpaas.extensions.tsuru.io/allowed-dns-zones"
 maxDNSNamesAnnotation = "rpaas.extensions.tsuru.io/cert-manager-max-dns-names"
+ strictNamesAnnotation = "rpaas.extensions.tsuru.io/cert-manager-strict-names"
 maxIPsAnnotation = "rpaas.extensions.tsuru.io/cert-manager-max-ips"
 allowWildcardAnnotation = "rpaas.extensions.tsuru.io/cert-manager-allow-wildcard"
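Review bot: The new `"with strict names"` case exercises only the rejection path of the strict-name check; no case in this hunk has `Name` equal to the first DNS name and expects the request to be accepted, so a regression in `strings.TrimPrefix(in.DNSNames[0], "*.")` that rejected every request would still pass this table. The earlier wildcard case only passes the strict check incidentally on its way to the wildcard error, which does not pin the accepting behaviour. Unless such a case exists elsewhere in the table, add one next to this entry, e.g. `Name: "my-instance-1.example.com"` with the same `DNSNames` and no `expectedError`, and ideally a second one with `DNSNames: []string{"*.example.com"}` and `Name: "example.com"` on an issuer that allows wildcards. The test table starts and ends outside the hunk.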