Merge pull request #5972 from vinzent/bugfix/issue-5755

Check JKS/PKCS12 truststore in Secrets only if issuer provides the CA
This commit is contained in:
jetstack-bot 2023-05-04 11:04:37 +01:00 committed by GitHub
commit 09e71c37d4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 17 additions and 12 deletions


@ -134,7 +134,7 @@ spec:
- passwordSecretRef
properties:
create:
description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. A file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
description: Create enables JKS keystore creation for the Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.jks` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
type: boolean
passwordSecretRef:
description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the JKS keystore.
@ -156,7 +156,7 @@ spec:
- passwordSecretRef
properties:
create:
description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. A file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
description: Create enables PKCS12 keystore creation for the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore file will be updated immediately. If the issuer provided a CA certificate, a file named `truststore.p12` will also be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef` containing the issuing Certificate Authority
type: boolean
passwordSecretRef:
description: PasswordSecretRef is a reference to a key in a Secret resource containing the password used to encrypt the PKCS12 keystore.


@ -33,6 +33,7 @@ import (
"sigs.k8s.io/structured-merge-diff/v4/fieldpath"
"sigs.k8s.io/structured-merge-diff/v4/value"
cmmeta "github.com/cert-manager/cert-manager/internal/apis/meta"
internalcertificates "github.com/cert-manager/cert-manager/internal/controller/certificates"
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
"github.com/cert-manager/cert-manager/pkg/util/pki"
@ -100,6 +101,8 @@ func SecretPrivateKeyMatchesSpec(input Input) (string, string, bool) {
// If the private key rotation is set to "Never", the key store related values are re-encoded
// as per the certificate specification
func SecretKeystoreFormatMatchesSpec(input Input) (string, string, bool) {
_, issuerProvidesCA := input.Secret.Data[cmmeta.TLSCAKey]
if input.Certificate.Spec.Keystores == nil {
if len(input.Secret.Data[cmapi.PKCS12SecretKey]) != 0 ||
len(input.Secret.Data[cmapi.PKCS12TruststoreKey]) != 0 ||
@ -113,8 +116,8 @@ func SecretKeystoreFormatMatchesSpec(input Input) (string, string, bool) {
if input.Certificate.Spec.Keystores.JKS != nil {
if input.Certificate.Spec.Keystores.JKS.Create {
if len(input.Secret.Data[cmapi.JKSSecretKey]) == 0 ||
len(input.Secret.Data[cmapi.JKSTruststoreKey]) == 0 {
return SecretMismatch, "JKS Keystore keys does not contain data", true
(len(input.Secret.Data[cmapi.JKSTruststoreKey]) == 0 && issuerProvidesCA) {
return SecretMismatch, "JKS Keystore key does not contain data", true
}
} else {
if len(input.Secret.Data[cmapi.JKSSecretKey]) != 0 ||
@ -132,8 +135,8 @@ func SecretKeystoreFormatMatchesSpec(input Input) (string, string, bool) {
if input.Certificate.Spec.Keystores.PKCS12 != nil {
if input.Certificate.Spec.Keystores.PKCS12.Create {
if len(input.Secret.Data[cmapi.PKCS12SecretKey]) == 0 ||
len(input.Secret.Data[cmapi.PKCS12TruststoreKey]) == 0 {
return SecretMismatch, "PKCS12 Keystore keys does not contain data", true
(len(input.Secret.Data[cmapi.PKCS12TruststoreKey]) == 0 && issuerProvidesCA) {
return SecretMismatch, "PKCS12 Keystore key does not contain data", true
}
} else {
if len(input.Secret.Data[cmapi.PKCS12SecretKey]) != 0 ||
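Review bot: The new `issuerProvidesCA` flag is derived from key presence (`_, issuerProvidesCA := input.Secret.Data[cmmeta.TLSCAKey]`), while every other check in this function tests `len(...) != 0` / `== 0`, so a Secret carrying the CA key with zero-length data is treated as "CA provided" and the truststore is then required even though there is nothing to build it from; aligning it with the surrounding checks, `issuerProvidesCA := len(input.Secret.Data[cmmeta.TLSCAKey]) != 0`, keeps the function's notion of "present" consistent. A second consequence of the relaxed conditions at the JKS and PKCS12 `Create` branches is that a truststore left over from an earlier issuance that did include a CA is no longer reported as a mismatch once the issuer stops providing one, so a stale trust anchor could persist in the Secret; whether the Secret data is rewritten wholesale on re-issuance elsewhere I cannot tell from this hunk, but if it is not, a short comment stating that stale truststores are intentionally tolerated here would help the next reader. SecretKeystoreFormatMatchesSpec continues past the end of the hunk.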


@ -357,9 +357,10 @@ type JKSKeystore struct {
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
// The keystore file will be updated immediately.
// A file named `truststore.jks` will also be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef` containing the issuing Certificate Authority
// If the issuer provided a CA certificate, a file named `truststore.jks`
// will also be created in the target Secret resource, encrypted using the
// password stored in `passwordSecretRef`
// containing the issuing Certificate Authority
Create bool `json:"create"`
// PasswordSecretRef is a reference to a key in a Secret resource
@ -375,9 +376,10 @@ type PKCS12Keystore struct {
// Secret resource, encrypted using the password stored in
// `passwordSecretRef`.
// The keystore file will be updated immediately.
// A file named `truststore.p12` will also be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef` containing the issuing Certificate Authority
// If the issuer provided a CA certificate, a file named `truststore.p12` will
// also be created in the target Secret resource, encrypted using the
// password stored in `passwordSecretRef` containing the issuing Certificate
// Authority
Create bool `json:"create"`
// PasswordSecretRef is a reference to a key in a Secret resource