
Add attribute support for certificate subject #228

Merged: 7 commits merged into cert-manager:main from the 128-subject branch on May 14, 2024

Conversation

nzbr (Contributor) commented Mar 27, 2024

Fixes #128

This PR is a continuation of the work in #129

I have changed the code of the RequestForMetadata function to use the CSV parser instead of strings.Split as requested in the original PR.

Would it make sense to replace the splitList function with SplitWithEscapeCSV as well? I wasn't sure if that's wanted because that code is not from #129 but was already in there before, so I left it untouched for now.
And what else needs to be done in order to get this merged?

I successfully tested it with the following manifest:

```yaml
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
  name: "self-signed-issuer"
spec:
  selfSigned: { }
---
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
  name: "self-signed-root-cert"
spec:
  secretName: "self-signed-root-cert"
  isCA: true
  commonName: "CA Cert"
  issuerRef:
    name: "self-signed-issuer"
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
spec:
  ca:
    secretName: "self-signed-root-cert"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: csi-test
spec:
  selector:
    matchLabels:
      app: csi-test
  template:
    metadata:
      labels:
        app: csi-test
    spec:
      containers:
        - name: csi-test
          image: "docker.io/library/alpine:latest"
          command:
            - "/bin/sh"
            - "-c"
            - "apk add openssl && openssl x509 -noout -text -in /cert/tls.crt && sleep infinity"
          volumeMounts:
            - mountPath: "/cert"
              name: cert
      volumes:
        - name: "cert"
          csi:
            driver: "csi.cert-manager.io"
            readOnly: true
            volumeAttributes:
              csi.cert-manager.io/issuer-name: "ca-issuer"
              csi.cert-manager.io/common-name: "test-cert"
              csi.cert-manager.io/organizations: "organization"
              csi.cert-manager.io/organizationalunits: "organizationalunit"
              csi.cert-manager.io/countries: "country"
              csi.cert-manager.io/provinces: "province"
              csi.cert-manager.io/localities: "locality"
              csi.cert-manager.io/streetaddresses: "streetaddress"
              csi.cert-manager.io/postalcodes: "postalcode"
```

resulting in the following output:

```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ab:ca:22:02:06:92:c3:27:47:aa:d2:5b:55:b2:f5:01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = CA Cert
        Validity
            Not Before: Mar 27 16:34:50 2024 GMT
            Not After : Jun 25 16:34:50 2024 GMT
        Subject: C = country, ST = province, L = locality, street = streetaddress, postalCode = postalcode, O = organization, OU = organizationalunit, CN = test-cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:d0:55:35:99:bc:11:39:eb:b7:11:0d:56:65:
                    02:53:b3:c6:a0:5c:6c:6b:0d:f8:b8:c2:77:99:55:
                    88:d0:b8:ca:ad:0c:83:38:fe:f6:79:df:b8:ba:d6:
                    e3:1c:a4:b1:35:65:29:ec:0b:72:94:6e:27:97:47:
                    62:6f:10:06:32:e7:e1:42:d4:cf:c1:3e:bc:69:a5:
                    12:58:7e:85:ea:61:39:86:eb:aa:1a:2d:08:f8:22:
                    02:e2:cf:91:e8:04:cf:62:10:54:9d:b3:25:02:49:
                    5f:3c:57:45:03:2f:85:c5:d0:85:32:e9:74:c3:57:
                    f6:41:37:93:c3:9e:a7:40:3b:de:42:83:ed:e3:b6:
                    d0:f4:20:c2:d3:9e:e4:cc:5c:db:65:45:c3:42:d2:
                    59:b3:28:3e:42:4e:05:20:28:3d:d0:40:b9:59:50:
                    90:5d:1f:66:d3:f5:d4:50:79:b6:01:46:50:4f:b0:
                    18:36:dc:8e:23:ff:a1:98:20:fe:9a:21:55:dd:fb:
                    4b:7a:ed:ef:80:3b:59:47:2c:31:93:ff:78:57:f1:
                    4a:a1:86:9d:38:01:cf:cc:01:dd:88:2f:86:ce:4f:
                    21:6c:a0:2f:29:47:41:ed:b2:4a:d8:d2:3f:27:49:
                    54:6d:4d:7c:ab:ed:67:6e:ba:00:b3:7c:a5:15:09:
                    07:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                41:B9:47:09:7C:34:AD:30:16:33:C3:08:2A:9A:BD:BF:6C:AB:10:DA
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        03:07:49:e6:6e:2e:87:5d:82:df:d4:10:f2:4d:62:33:0d:df:
        17:59:ce:ff:99:bc:40:02:8a:46:e2:71:1c:f9:0b:7a:eb:fb:
        9e:6a:df:01:e7:52:0b:82:0c:c9:a8:93:c7:a1:b2:fe:ee:a2:
        1b:80:4e:b8:a5:ac:d5:45:cb:8e:12:0a:ab:bd:76:70:3b:00:
        aa:f9:58:ed:a8:17:76:5b:64:74:a1:33:3b:d9:5d:a5:12:2f:
        c7:92:d5:90:b3:38:29:98:0e:e1:bc:6c:f8:ce:f1:2b:13:86:
        e6:1b:8c:00:9f:1f:32:62:9b:fc:a4:83:e6:21:69:56:ab:0e:
        b1:fa:ec:15:48:9d:8d:12:48:d1:8f:22:9f:ee:f8:7b:b7:e3:
        52:67:be:f8:5d:70:a3:f2:7a:ad:00:e0:14:aa:08:90:34:69:
        17:9d:4d:ee:57:06:7d:ec:12:f0:6f:32:04:60:dc:0a:ed:27:
        2b:02:98:de:0a:1e:19:d0:0d:42:8d:e7:6f:6a:3b:00:fd:16:
        91:d2:2b:76:e7:f0:51:af:ac:83:b3:a5:0b:b1:3e:fa:3d:20:
        e2:e3:4e:df:8a:7a:d8:da:8d:f8:3f:2f:e6:95:7b:c9:a3:64:
        56:26:a6:c1:95:94:de:c6:c2:c3:75:dd:be:76:66:56:50:e5:
        40:51:98:0d
```
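The subject-attribute handling this PR adds, as an added example in Go that is not code from the csi-driver project: each list-valued volume attribute is split with a CSV parser (Go's standard encoding/csv is used here as a stand-in for the project's SplitWithEscapeCSV; treating the two as equivalent is an assumption), the results are mapped onto a pkix.Name, and the name is round-tripped through a real CSR so the parsed-back subject is what an issuer would see. The attribute keys are copied from the manifest above; the sample input is constructed and adds an organization containing a comma, the case the CSV change exists for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/csv"
	"fmt"
	"strings"
)

// Volume attribute keys, copied from the manifest above (the driver keeps its own constants).
const (
	attrCommonName = "csi.cert-manager.io/common-name"
	attrOrgs       = "csi.cert-manager.io/organizations"
	attrOUs        = "csi.cert-manager.io/organizationalunits"
	attrCountries  = "csi.cert-manager.io/countries"
	attrProvinces  = "csi.cert-manager.io/provinces"
	attrLocalities = "csi.cert-manager.io/localities"
	attrStreets    = "csi.cert-manager.io/streetaddresses"
	attrPostal     = "csi.cert-manager.io/postalcodes"
)

// splitCSV parses one comma-separated attribute value with CSV quoting; encoding/csv stands in
// for the project's SplitWithEscapeCSV here. A quoted element may itself contain a comma, so
// `"Acme, Inc.", organization` is two values where strings.Split would produce three.
// A bare quote inside an unquoted element is rejected rather than silently kept.
func splitCSV(in string) ([]string, error) {
	if in == "" {
		return nil, nil
	}
	r := csv.NewReader(strings.NewReader(in))
	r.TrimLeadingSpace = true // tolerate "a, b" as humans write it in YAML
	fields, err := r.Read()
	if err != nil {
		return nil, fmt.Errorf("parsing %q: %w", in, err)
	}
	return fields, nil
}

// subjectFromAttributes maps each list-valued subject attribute onto its pkix.Name field.
func subjectFromAttributes(attrs map[string]string) (pkix.Name, error) {
	name := pkix.Name{CommonName: attrs[attrCommonName]}
	targets := map[string]*[]string{
		attrOrgs: &name.Organization, attrOUs: &name.OrganizationalUnit,
		attrCountries: &name.Country, attrProvinces: &name.Province,
		attrLocalities: &name.Locality, attrStreets: &name.StreetAddress,
		attrPostal: &name.PostalCode,
	}
	for key, dst := range targets {
		parts, err := splitCSV(attrs[key]) // absent key -> "" -> nil, field stays empty
		if err != nil {
			return pkix.Name{}, fmt.Errorf("%s: %w", key, err)
		}
		*dst = parts
	}
	return name, nil
}

// buildCSR signs a request with a fresh P-256 key and parses the DER back, so the returned
// subject is what an issuer such as cert-manager would actually see in the CSR.
func buildCSR(attrs map[string]string) (*x509.CertificateRequest, error) {
	subject, err := subjectFromAttributes(attrs)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// sampleAttributes is constructed input: the manifest's values plus an organization that
// contains a comma, the case a plain strings.Split gets wrong.
var sampleAttributes = map[string]string{
	attrCommonName: "test-cert",
	attrOrgs:       `"Acme, Inc.", organization`,
	attrOUs:        "organizationalunit",
	attrCountries:  "country",
	attrProvinces:  "province",
	attrLocalities: "locality",
	attrStreets:    "streetaddress",
	attrPostal:     "postalcode",
}

func main() {
	csr, err := buildCSR(sampleAttributes)
	if err != nil {
		panic(err)
	}
	fmt.Println(csr.Subject.String())
}
```

Run it with go run; the printed subject lists "Acme, Inc." as a single O= value followed by "organization". With strings.Split on the same attribute the value `"Acme, Inc."` is cut into `"Acme` and ` Inc."`, both of which land in the CSR as separate organizations and get signed as-is, which is why the PR moved RequestForMetadata to the CSV parser.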

@jetstack-bot jetstack-bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Mar 27, 2024
jetstack-bot (Contributor) commented:
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sgtcodfish for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

jetstack-bot (Contributor) commented:
Hi @nzbr. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Mar 27, 2024
@jetstack-bot jetstack-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 2, 2024
SgtCoDFish (Member) commented:
/ok-to-test

@cert-manager-prow cert-manager-prow bot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 9, 2024
SgtCoDFish (Member) left a review comment:

First of all: thank you for picking this up. And thanks obviously too for the initial work to @cornfeedhobo !

Second of all: Sorry it took so long for us to pick this up!

I just spotted this by chance. This looks awesome, and I think we should get this merged so it's not hanging in limbo. It looks like there are a couple of CI issues - if you could fix those, I'd be happy to merge.

> Would it make sense to replace the splitList function with SplitWithEscapeCSV as well?

It would, but I'm gonna say we shouldn't do that in this PR. I actually spotted the issues with splitList earlier today by pure coincidence when I raised #254 - we should fix that, but it's pretty low impact because the only affected field is URIs as far as I can think and I just can't imagine the bugs there being hit that often.

I've raised #256 to track that - but that should be its own PR for sure!

@cert-manager-prow cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 9, 2024
SgtCoDFish (Member) commented:
Also I think #254 will merge before this and create a merge conflict - sorry about that, but it should be an easy fix!

@cert-manager-prow cert-manager-prow bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. and removed dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels May 10, 2024
@cert-manager-prow cert-manager-prow bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels May 10, 2024
nzbr (Contributor, Author) commented May 10, 2024

/retest

SgtCoDFish (Member) left a review comment:

/lgtm
/approve

I think this is an improvement and I really appreciate you doing this! I think this could use a few more tests - ideally one for each subject key - but I don't think we need to block this any more. Thanks for your patience!

@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label May 14, 2024
cert-manager-prow (Contributor) commented:
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot merged commit c1dbae3 into cert-manager:main May 14, 2024
4 of 5 checks passed
@nzbr nzbr deleted the 128-subject branch May 14, 2024 18:46
Linked issue closed by this PR: Support all subject attributes