fix: additional review comments

Signed-off-by: tanujd11 <dwiveditanuj41@gmail.com>
2023-12-07 01:38:54 +05:30 · 2023-12-07 01:38:54 +05:30 · 28ca4312b3
commit 28ca4312b3
parent 8d362439a8
9 changed files with 25 additions and 6 deletions
--- a/deploy/crds/crd-certificates.yaml
+++ b/deploy/crds/crd-certificates.yaml
@ -172,7 +172,7 @@ spec:
                  description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components."
                  type: string
                nameConstraints:
-                  description: 'x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10'
+                  description: "x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 \n This is an Alpha Feature and is only enabled with the `--feature-gates=useCertificateRequestNameConstraints=true` option set on both the controller and webhook components."
                  type: object
                  properties:
                    critical:
--- a/internal/apis/certmanager/types_certificate.go
+++ b/internal/apis/certmanager/types_certificate.go
@ -240,6 +240,9 @@ type CertificateSpec struct {
 	// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
 	// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
 	//
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=useCertificateRequestNameConstraints=true` option set on both
+	// the controller and webhook components.
 	// +optional
 	NameConstraints *NameConstraints
 }
--- a/internal/apis/certmanager/v1alpha2/types_certificate.go
+++ b/internal/apis/certmanager/v1alpha2/types_certificate.go
@ -227,6 +227,10 @@ type CertificateSpec struct {
 	// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
 	// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
 	//
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=useCertificateRequestNameConstraints=true` option set on both
+	// the controller and webhook components.
+	// +optional
 	// +optional
 	NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
 }
--- a/internal/apis/certmanager/v1alpha3/types_certificate.go
+++ b/internal/apis/certmanager/v1alpha3/types_certificate.go
@ -225,6 +225,10 @@ type CertificateSpec struct {
 	// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
 	// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
 	//
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=useCertificateRequestNameConstraints=true` option set on both
+	// the controller and webhook components.
+	// +optional
 	// +optional
 	NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
 }
--- a/internal/apis/certmanager/v1beta1/types_certificate.go
+++ b/internal/apis/certmanager/v1beta1/types_certificate.go
@ -202,6 +202,10 @@ type CertificateSpec struct {
 	// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
 	// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
 	//
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=useCertificateRequestNameConstraints=true` option set on both
+	// the controller and webhook components.
+	// +optional
 	// +optional
 	NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
 }
--- a/pkg/apis/certmanager/v1/types_certificate.go
+++ b/pkg/apis/certmanager/v1/types_certificate.go
@ -267,6 +267,10 @@ type CertificateSpec struct {
 	// x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
 	// More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
 	//
+	// This is an Alpha Feature and is only enabled with the
+	// `--feature-gates=useCertificateRequestNameConstraints=true` option set on both
+	// the controller and webhook components.
+	// +optional
 	// +optional
 	NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
 }
--- a/pkg/util/pki/certificatetemplate.go
+++ b/pkg/util/pki/certificatetemplate.go
@ -202,8 +202,8 @@ func CertificateTemplateFromCSR(csr *x509.CertificateRequest, validatorMutators
 			template.PermittedDNSDomainsCritical = nameConstraints.PermittedDNSDomainsCritical
 			template.PermittedDNSDomains = nameConstraints.PermittedDNSDomains
 			template.ExcludedDNSDomains = nameConstraints.ExcludedDNSDomains
-			template.PermittedIPRanges = ConvertIPNeSliceToIPNetPointerSlice(nameConstraints.PermittedIPRanges)
-			template.ExcludedIPRanges = ConvertIPNeSliceToIPNetPointerSlice(nameConstraints.ExcludedIPRanges)
+			template.PermittedIPRanges = convertIPNetSliceToIPNetPointerSlice(nameConstraints.PermittedIPRanges)
+			template.ExcludedIPRanges = convertIPNetSliceToIPNetPointerSlice(nameConstraints.ExcludedIPRanges)
 			template.PermittedEmailAddresses = nameConstraints.PermittedEmailAddresses
 			template.ExcludedEmailAddresses = nameConstraints.ExcludedEmailAddresses
 			template.PermittedURIDomains = nameConstraints.PermittedURIDomains
--- a/pkg/util/pki/csr_test.go
+++ b/pkg/util/pki/csr_test.go
@ -690,7 +690,7 @@ func TestSignCSRTemplate(t *testing.T) {
 		require.NoError(t, err)
 		var permittedIPRanges []*net.IPNet
 		if nameConstraints != nil {
-			permittedIPRanges = ConvertIPNeSliceToIPNetPointerSlice(nameConstraints.PermittedIPRanges)
+			permittedIPRanges = convertIPNetSliceToIPNetPointerSlice(nameConstraints.PermittedIPRanges)
 		}
 		tmpl := &x509.Certificate{
 			Version:               3,
--- a/pkg/util/pki/nameconstraints.go
+++ b/pkg/util/pki/nameconstraints.go
@ -104,8 +104,8 @@ func UnmarshalNameConstraints(value []byte) (NameConstraints, error) {
 	return constraints, nil
 }

-// ConvertIPNeSliceToIPNetPointerSlice converts []net.IPNet to []*net.IPNet.
-func ConvertIPNeSliceToIPNetPointerSlice(ipNetPointerSlice []net.IPNet) []*net.IPNet {
+// convertIPNetSliceToIPNetPointerSlice converts []net.IPNet to []*net.IPNet.
+func convertIPNetSliceToIPNetPointerSlice(ipNetPointerSlice []net.IPNet) []*net.IPNet {
 	if ipNetPointerSlice == nil {
 		return nil
 	}