From 5c74691959547193efec9e49706342f77910f68c Mon Sep 17 00:00:00 2001
From: Jiri Podivin
Date: Tue, 23 Apr 2024 14:23:47 +0200
Subject: [PATCH] Validate fields of OpenstackDataPlaneServiceCert in OpenStackDataPlaneServiceSpec

Set default KeyUsages to "key encipherment","digital signature","server auth".

Signed-off-by: Jiri Podivin
---
 ...nstack.org_openstackdataplaneservices.yaml | 4 ++
 .../openstackdataplaneservice_types.go | 3 +-
 .../openstackdataplaneservice_webhook.go | 42 +++++++++++++++++--
 ...nstack.org_openstackdataplaneservices.yaml | 4 ++
 docs/assemblies/custom_resources.adoc | 2 +-
 5 files changed, 49 insertions(+), 6 deletions(-)

diff --git a/api/bases/dataplane.openstack.org_openstackdataplaneservices.yaml b/api/bases/dataplane.openstack.org_openstackdataplaneservices.yaml
index 7927702e2..9de794f30 100644
--- a/api/bases/dataplane.openstack.org_openstackdataplaneservices.yaml
+++ b/api/bases/dataplane.openstack.org_openstackdataplaneservices.yaml
@@ -96,6 +96,10 @@ spec:
 issuer:
 type: string
 keyUsages:
+ default:
+ - key encipherment
+ - digital signature
+ - server auth
 items:
 enum:
 - signing
diff --git a/api/v1beta1/openstackdataplaneservice_types.go b/api/v1beta1/openstackdataplaneservice_types.go
index 2561b9693..2fe1e097b 100644
--- a/api/v1beta1/openstackdataplaneservice_types.go
+++ b/api/v1beta1/openstackdataplaneservice_types.go
@@ -44,7 +44,8 @@ type OpenstackDataPlaneServiceCert struct {
 
 // KeyUsages to be added to the issued cert
 // +kubebuilder:validation:Optional
- KeyUsages []certmgrv1.KeyUsage `json:"keyUsages,omitempty" yaml:"keyUsages,omitempty"`
+ // +kubebuilder:default={"key encipherment","digital signature","server auth"}
+ KeyUsages []certmgrv1.KeyUsage `json:"keyUsages" yaml:"keyUsages"`
 
 // EDPMRoleServiceName is the value of the _service_name variable from
 // the edpm-ansible role where this certificate is used. For example if the
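Review bot: Dropping `omitempty` from the keyUsages tag while keeping `+kubebuilder:validation:Optional` leaves the API contradicting itself: the custom_resources.adoc hunk now lists keyUsages as required (`true`), yet the marker still declares it optional. CRD structural defaulting fills in a field that is absent from the request, so the new default would already apply with the tag kept as `json:"keyUsages,omitempty" yaml:"keyUsages,omitempty"`; if the intent is only to guarantee the default, keep the tag and the generated docs stay consistent with the marker. With `omitempty` removed, a Go client that leaves the slice nil serializes `"keyUsages": null`, and whether that null is pruned and defaulted depends on the field not being nullable in the generated schema, which this hunk does not show, so it is worth confirming.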
diff --git a/api/v1beta1/openstackdataplaneservice_webhook.go b/api/v1beta1/openstackdataplaneservice_webhook.go
index db65ccc03..d707e793f 100644
--- a/api/v1beta1/openstackdataplaneservice_webhook.go
+++ b/api/v1beta1/openstackdataplaneservice_webhook.go
@@ -17,6 +17,9 @@ limitations under the License.
 package v1beta1
 
 import (
+ "fmt"
+
+ "golang.org/x/exp/slices"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
@@ -78,9 +81,15 @@ func (r *OpenStackDataPlaneService) ValidateCreate() (admission.Warnings, error)
 }
 
 func (r *OpenStackDataPlaneServiceSpec) ValidateCreate() field.ErrorList {
- // TODO(user): fill in your validation logic upon object creation.
+ var errs field.ErrorList
 
- return field.ErrorList{}
+ if r.TLSCerts != nil {
+ for _, v := range r.TLSCerts {
+ errs = append(errs, v.ValidateContents()...)
+ }
+ }
+
+ return errs
 }
 
 func (r *OpenStackDataPlaneService) ValidateUpdate(original runtime.Object) (admission.Warnings, error) {
@@ -99,9 +108,15 @@ func (r *OpenStackDataPlaneService) ValidateUpdate(original runtime.Object) (adm
 }
 
 func (r *OpenStackDataPlaneServiceSpec) ValidateUpdate() field.ErrorList {
- // TODO(user): fill in your validation logic upon object creation.
+ var errs field.ErrorList
 
- return field.ErrorList{}
+ if r.TLSCerts != nil {
+ for _, v := range r.TLSCerts {
+ errs = append(errs, v.ValidateContents()...)
+ }
+ }
+
+ return errs
 }
 
 func (r *OpenStackDataPlaneService) ValidateDelete() (admission.Warnings, error) {
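Review bot: The new import pulls in `golang.org/x/exp/slices` solely for the `slices.Contains` call in ValidateContents; since Go 1.21 the same function is in the standard library `slices` package and the x/exp copy is deprecated in its favor. If go.mod targets 1.21 or later, replace the import with `"slices"` and move it into the stdlib group next to `"fmt"`, so the API module does not carry an experimental dependency for one lookup.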
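Review bot: The `if r.TLSCerts != nil` guard around the range in ValidateCreate is redundant, because ranging over a nil map or slice is a no-op, and the identical guard and loop are repeated verbatim in the ValidateUpdate hunk below. Extracting the loop into one helper, e.g. `func (r *OpenStackDataPlaneServiceSpec) validateTLSCerts() field.ErrorList`, called from both methods keeps create and update validation from drifting apart. The loop also discards the key (or index) of each TLSCerts entry, so ValidateContents has no way to say which entry was rejected; passing the key or a prebuilt field path into it would make the admission error locate the offending entry.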
@@ -125,3 +140,22 @@ func (r *OpenStackDataPlaneServiceSpec) ValidateDelete() field.ErrorList {
 
 return field.ErrorList{}
 }
+
+func (r *OpenstackDataPlaneServiceCert) ValidateContents() field.ErrorList {
+
+ var errs field.ErrorList
+ // "dnsnames" and "ips" are only allowed usages
+ allowedContents := []string{
+ "dnsnames",
+ "ips",
+ }
+ for _, val := range r.Contents {
+
+ if !slices.Contains(allowedContents, val) {
+ errs = append(errs, field.Invalid(field.NewPath("spec.tlsCert.Contents"),
+ r.KeyUsages,
+ fmt.Sprintf("error validating contents of TLSCert, %s, only valid contents are %v ", val, allowedContents)))
+ }
+ }
+ return errs
+}
diff --git a/config/crd/bases/dataplane.openstack.org_openstackdataplaneservices.yaml b/config/crd/bases/dataplane.openstack.org_openstackdataplaneservices.yaml
index 7927702e2..9de794f30 100644
--- a/config/crd/bases/dataplane.openstack.org_openstackdataplaneservices.yaml
+++ b/config/crd/bases/dataplane.openstack.org_openstackdataplaneservices.yaml
@@ -96,6 +96,10 @@ spec:
 issuer:
 type: string
 keyUsages:
+ default:
+ - key encipherment
+ - digital signature
+ - server auth
 items:
 enum:
 - signing
diff --git a/docs/assemblies/custom_resources.adoc b/docs/assemblies/custom_resources.adoc
index 51a0e7565..8f2343971 100644
--- a/docs/assemblies/custom_resources.adoc
+++ b/docs/assemblies/custom_resources.adoc
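Review bot: `field.Invalid` in ValidateContents is handed `r.KeyUsages` as the offending value while the path and the message both refer to Contents, so every rejection reports the value of the wrong field; pass `val` (or `r.Contents`) instead. The path `field.NewPath("spec.tlsCert.Contents")` is one segment with embedded dots rather than a path built from segments, and the serialized names are likely the lowercase `tlsCerts` and `contents`; the conventional form would be `field.NewPath("spec", "tlsCerts").Key(<entry key>).Child("contents")`, which needs the caller to supply the entry key since this receiver does not know it. The message string ends with a space before the closing quote, and the comment `// "dnsnames" and "ips" are only allowed usages` talks about usages when it means contents. `allowedContents` is rebuilt on every call and could be a package-level `var` instead.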
@@ -409,7 +409,7 @@ OpenstackDataPlaneServiceCert defines the property of a TLS cert issued for a da
 | keyUsages
 | KeyUsages to be added to the issued cert
 | []certmgrv1.KeyUsage
-| false
+| true
 
 | edpmRoleServiceName
 | EDPMRoleServiceName is the value of the ++++++_service_name variable from the edpm-ansible role where this certificate is used. For example if the certificate is for edpm_ovn from edpm-ansible, EDPMRoleServiceName must be ovn, which matches the edpm_ovn_service_name variable from the role. If not set, OpenStackDataPlaneService.Spec.EDPMServiceType is used. If OpenStackDataPlaneService.Spec.EDPMServiceType is not set, then OpenStackDataPlaneService.Name is used.++++++