
Validate fields of OpenstackDataPlaneServiceCert in OpenStackDataPlaneServiceSpec

Set default KeyUsages to "key encipherment","digital signature","server auth".

Signed-off-by: Jiri Podivin <[email protected]>
jpodivin committed Jun 10, 2024
1 parent 319ec0e commit 5c74691
Showing 5 changed files with 49 additions and 6 deletions.
Expand Up @@ -96,6 +96,10 @@ spec:
issuer:
type: string
keyUsages:
default:
- key encipherment
- digital signature
- server auth
items:
enum:
- signing
3 changes: 2 additions & 1 deletion api/v1beta1/openstackdataplaneservice_types.go
Expand Up @@ -44,7 +44,8 @@ type OpenstackDataPlaneServiceCert struct {

// KeyUsages to be added to the issued cert
// +kubebuilder:validation:Optional
KeyUsages []certmgrv1.KeyUsage `json:"keyUsages,omitempty" yaml:"keyUsages,omitempty"`
// +kubebuilder:default={"key encipherment","digital signature","server auth"}
KeyUsages []certmgrv1.KeyUsage `json:"keyUsages" yaml:"keyUsages"`

// EDPMRoleServiceName is the value of the <role>_service_name variable from
// the edpm-ansible role where this certificate is used. For example if the
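Review bot: The doc comment on KeyUsages should state the new default and its scope, because the field lost `omitempty` and the generated docs now list it as required, so a reader of the type no longer sees that it can be left unset; I would write `// KeyUsages to be added to the issued cert. Defaults to "key encipherment", "digital signature" and "server auth"; a certificate that must also authenticate the data-plane side as a TLS client needs "client auth" listed explicitly.` Dropping `omitempty` also means a Go client that leaves the slice nil now serializes `"keyUsages": null` instead of omitting the field; whether the API server prunes that null and then applies the kubebuilder default depends on the schema's nullable setting, which is not visible here, so a create-and-read-back test of an unset field is worth adding. The OpenstackDataPlaneServiceCert struct starts at the hunk header and continues past the hunk.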
42 changes: 38 additions & 4 deletions api/v1beta1/openstackdataplaneservice_webhook.go
Expand Up @@ -17,6 +17,9 @@ limitations under the License.
package v1beta1

import (
"fmt"

"golang.org/x/exp/slices"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
Expand Down Expand Up @@ -78,9 +81,15 @@ func (r *OpenStackDataPlaneService) ValidateCreate() (admission.Warnings, error)
}

func (r *OpenStackDataPlaneServiceSpec) ValidateCreate() field.ErrorList {
// TODO(user): fill in your validation logic upon object creation.
var errs field.ErrorList

return field.ErrorList{}
if r.TLSCerts != nil {
for _, v := range r.TLSCerts {
errs = append(errs, v.ValidateContents()...)
}
}

return errs
}

func (r *OpenStackDataPlaneService) ValidateUpdate(original runtime.Object) (admission.Warnings, error) {
Expand All @@ -99,9 +108,15 @@ func (r *OpenStackDataPlaneService) ValidateUpdate(original runtime.Object) (adm
}

func (r *OpenStackDataPlaneServiceSpec) ValidateUpdate() field.ErrorList {
// TODO(user): fill in your validation logic upon object creation.
var errs field.ErrorList

return field.ErrorList{}
if r.TLSCerts != nil {
for _, v := range r.TLSCerts {
errs = append(errs, v.ValidateContents()...)
}
}

return errs
}

func (r *OpenStackDataPlaneService) ValidateDelete() (admission.Warnings, error) {
Expand All @@ -125,3 +140,22 @@ func (r *OpenStackDataPlaneServiceSpec) ValidateDelete() field.ErrorList {

return field.ErrorList{}
}

func (r *OpenstackDataPlaneServiceCert) ValidateContents() field.ErrorList {

var errs field.ErrorList
// "dnsnames" and "ips" are only allowed usages
allowedContents := []string{
"dnsnames",
"ips",
}
for _, val := range r.Contents {

if !slices.Contains(allowedContents, val) {
errs = append(errs, field.Invalid(field.NewPath("spec.tlsCert.Contents"),
r.KeyUsages,
fmt.Sprintf("error validating contents of TLSCert, %s, only valid contents are %v ", val, allowedContents)))
}
}
return errs
}
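Review bot: The `field.Invalid` call in ValidateContents reports `r.KeyUsages` as the offending value although the check is on Contents, so the admission error shows the key-usage list next to a message about contents; pass the rejected entry instead, `field.Invalid(field.NewPath("spec", "tlsCerts").Child("contents"), val, fmt.Sprintf("invalid TLSCert content %q, only %v are allowed", val, allowedContents))`. A dotted string given to `field.NewPath` is one literal segment, so building the path with NewPath/Child (ideally including the cert's key from the `range r.TLSCerts` loops, which ValidateCreate and ValidateUpdate currently discard) is what gives the client a usable JSON path when several certs are declared. The comment `"dnsnames" and "ips" are only allowed usages` describes contents, not key usages, and the match is case-sensitive, so `DNSNames` is rejected; if that is intended, say so in the comment. The `if r.TLSCerts != nil` guards in ValidateCreate and ValidateUpdate are redundant, as ranging over a nil map or slice is a no-op.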
Expand Up @@ -96,6 +96,10 @@ spec:
issuer:
type: string
keyUsages:
default:
- key encipherment
- digital signature
- server auth
items:
enum:
- signing
2 changes: 1 addition & 1 deletion docs/assemblies/custom_resources.adoc
Expand Up @@ -409,7 +409,7 @@ OpenstackDataPlaneServiceCert defines the property of a TLS cert issued for a da
| keyUsages
| KeyUsages to be added to the issued cert
| []certmgrv1.KeyUsage
| false
| true
| edpmRoleServiceName
| EDPMRoleServiceName is the value of the +++<role>+++_service_name variable from the edpm-ansible role where this certificate is used. For example if the certificate is for edpm_ovn from edpm-ansible, EDPMRoleServiceName must be ovn, which matches the edpm_ovn_service_name variable from the role. If not set, OpenStackDataPlaneService.Spec.EDPMServiceType is used. If OpenStackDataPlaneService.Spec.EDPMServiceType is not set, then OpenStackDataPlaneService.Name is used.+++</role>+++
