diff --git a/deploy/crds/crd-certificates.yaml b/deploy/crds/crd-certificates.yaml
index a2571e049..0495a5c9a 100644
--- a/deploy/crds/crd-certificates.yaml
+++ b/deploy/crds/crd-certificates.yaml
@@ -172,7 +172,7 @@ spec:
 description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components."
 type: string
 nameConstraints:
- description: 'x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10'
+ description: "x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 \n This is an Alpha Feature and is only enabled with the `--feature-gates=useCertificateRequestNameConstraints=true` option set on both the controller and webhook components."
 type: object
 properties:
 critical:
diff --git a/internal/apis/certmanager/types_certificate.go b/internal/apis/certmanager/types_certificate.go
index 7ed25baa5..8f364711b 100644
--- a/internal/apis/certmanager/types_certificate.go
+++ b/internal/apis/certmanager/types_certificate.go
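Review bot: The feature-gate name in the new `nameConstraints` description, `useCertificateRequestNameConstraints`, starts lowercase while the sibling gate quoted three lines above in the same hunk is PascalCase (`LiteralCertificateSubject`); feature gates are matched case-sensitively, so a user copying this flag would hit an unrecognized-gate error if the registered name is actually `UseCertificateRequestNameConstraints`. Please confirm the gate's registered identifier and quote it verbatim, e.g. `--feature-gates=UseCertificateRequestNameConstraints=true`. This CRD text appears to be generated from the Go doc comments (the identical sentence is added in the types_certificate.go hunks below), so the correction belongs in the Go comment with the CRD regenerated rather than hand-edited.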
@@ -240,6 +240,9 @@ type CertificateSpec struct {
 // x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
 // More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
 //
+ // This is an Alpha Feature and is only enabled with the
+ // `--feature-gates=useCertificateRequestNameConstraints=true` option set on both
+ // the controller and webhook components.
 // +optional
 NameConstraints *NameConstraints
 }
diff --git a/internal/apis/certmanager/v1alpha2/types_certificate.go b/internal/apis/certmanager/v1alpha2/types_certificate.go
index 957bd8e0e..56dbd4b57 100644
--- a/internal/apis/certmanager/v1alpha2/types_certificate.go
+++ b/internal/apis/certmanager/v1alpha2/types_certificate.go
@@ -227,6 +227,10 @@ type CertificateSpec struct {
 // x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
 // More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
 //
+ // This is an Alpha Feature and is only enabled with the
+ // `--feature-gates=useCertificateRequestNameConstraints=true` option set on both
+ // the controller and webhook components.
+ // +optional
 // +optional
 NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
 }
diff --git a/internal/apis/certmanager/v1alpha3/types_certificate.go b/internal/apis/certmanager/v1alpha3/types_certificate.go
index 3e0c001e9..87427621b 100644
--- a/internal/apis/certmanager/v1alpha3/types_certificate.go
+++ b/internal/apis/certmanager/v1alpha3/types_certificate.go
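Review bot: The gate name written into the new doc comment, `useCertificateRequestNameConstraints`, is lowercase-first, unlike the PascalCase `LiteralCertificateSubject` gate visible in the CRD hunk above; since feature gates are case-sensitive and this comment is what gets rendered into the CRD description users copy from, please verify the registered identifier and match it exactly, e.g. `// \`--feature-gates=UseCertificateRequestNameConstraints=true\` option set on both`. The enclosing CertificateSpec struct begins outside the hunk.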
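Review bot: `// +optional` now appears twice on the NameConstraints field, because the added comment block ends with its own `+	// +optional` line directly above the pre-existing marker; the internal types_certificate.go hunk above adds only the three doc-text lines and keeps a single marker, so this version should do the same. Drop the added `// +optional` so the field carries exactly one marker; a duplicated kubebuilder marker is at best noise and, if this file is the template others are copied from, it propagates to every API version. The same lowercase `useCertificateRequestNameConstraints` gate name as in the other hunks should be checked against the registered (likely PascalCase) gate identifier. The enclosing CertificateSpec struct begins outside the hunk.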
@@ -225,6 +225,10 @@ type CertificateSpec struct {
 // x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
 // More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
 //
+ // This is an Alpha Feature and is only enabled with the
+ // `--feature-gates=useCertificateRequestNameConstraints=true` option set on both
+ // the controller and webhook components.
+ // +optional
 // +optional
 NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
 }
diff --git a/internal/apis/certmanager/v1beta1/types_certificate.go b/internal/apis/certmanager/v1beta1/types_certificate.go
index bd5fe06fa..79761d51b 100644
--- a/internal/apis/certmanager/v1beta1/types_certificate.go
+++ b/internal/apis/certmanager/v1beta1/types_certificate.go
@@ -202,6 +202,10 @@ type CertificateSpec struct {
 // x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
 // More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
 //
+ // This is an Alpha Feature and is only enabled with the
+ // `--feature-gates=useCertificateRequestNameConstraints=true` option set on both
+ // the controller and webhook components.
+ // +optional
 // +optional
 NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
 }
diff --git a/pkg/apis/certmanager/v1/types_certificate.go b/pkg/apis/certmanager/v1/types_certificate.go
index f722949f9..435a2d067 100644
--- a/pkg/apis/certmanager/v1/types_certificate.go
+++ b/pkg/apis/certmanager/v1/types_certificate.go
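Review bot: The v1alpha3 NameConstraints field ends up with two `// +optional` markers on the new side — the added `+	// +optional` sits immediately above the one that was already there. Remove the added marker line; the three doc-text lines are the only intended change here, as the internal API hunk earlier in this diff shows. Also confirm the gate spelling `useCertificateRequestNameConstraints` against the registered gate name, since feature gates are case-sensitive. The enclosing CertificateSpec struct begins outside the hunk.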
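Review bot: In the v1beta1 hunk the added comment block again introduces a redundant `+	// +optional` directly above the existing `// +optional`, leaving the marker duplicated on NameConstraints. Delete the added marker so only the documentation lines land; the `+227,10`-style count suggests the same copy-paste happened in every versioned type file, so it is worth fixing them together. The gate name `useCertificateRequestNameConstraints` should be checked for correct casing as in the other hunks. The enclosing CertificateSpec struct begins outside the hunk.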
@@ -267,6 +267,10 @@ type CertificateSpec struct {
 // x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate.
 // More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
 //
+ // This is an Alpha Feature and is only enabled with the
+ // `--feature-gates=useCertificateRequestNameConstraints=true` option set on both
+ // the controller and webhook components.
+ // +optional
 // +optional
 NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
 }
diff --git a/pkg/util/pki/certificatetemplate.go b/pkg/util/pki/certificatetemplate.go
index c69a85f9d..d8d23440e 100644
--- a/pkg/util/pki/certificatetemplate.go
+++ b/pkg/util/pki/certificatetemplate.go
@@ -202,8 +202,8 @@ func CertificateTemplateFromCSR(csr *x509.CertificateRequest, validatorMutators
 template.PermittedDNSDomainsCritical = nameConstraints.PermittedDNSDomainsCritical
 template.PermittedDNSDomains = nameConstraints.PermittedDNSDomains
 template.ExcludedDNSDomains = nameConstraints.ExcludedDNSDomains
- template.PermittedIPRanges = ConvertIPNeSliceToIPNetPointerSlice(nameConstraints.PermittedIPRanges)
- template.ExcludedIPRanges = ConvertIPNeSliceToIPNetPointerSlice(nameConstraints.ExcludedIPRanges)
+ template.PermittedIPRanges = convertIPNetSliceToIPNetPointerSlice(nameConstraints.PermittedIPRanges)
+ template.ExcludedIPRanges = convertIPNetSliceToIPNetPointerSlice(nameConstraints.ExcludedIPRanges)
 template.PermittedEmailAddresses = nameConstraints.PermittedEmailAddresses
 template.ExcludedEmailAddresses = nameConstraints.ExcludedEmailAddresses
 template.PermittedURIDomains = nameConstraints.PermittedURIDomains
diff --git a/pkg/util/pki/csr_test.go b/pkg/util/pki/csr_test.go
index b0a4b2565..60ac36535 100644
--- a/pkg/util/pki/csr_test.go
+++ b/pkg/util/pki/csr_test.go
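Review bot: The public v1 API type gets a duplicated `// +optional` marker on NameConstraints: the added `+	// +optional` line lands directly above the existing marker, so the field is annotated twice on the new side. This is the version that feeds the published CRD, so please drop the added marker and keep only the three documentation lines, matching the internal types_certificate.go hunk earlier in the diff. Because this doc comment is rendered verbatim into the CRD description users will copy, the gate spelling `useCertificateRequestNameConstraints` should be verified against the registered, case-sensitive gate name (the neighbouring gate `LiteralCertificateSubject` is PascalCase). The enclosing CertificateSpec struct begins outside the hunk.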
@@ -690,7 +690,7 @@ func TestSignCSRTemplate(t *testing.T) {
 require.NoError(t, err)
 var permittedIPRanges []*net.IPNet
 if nameConstraints != nil {
- permittedIPRanges = ConvertIPNeSliceToIPNetPointerSlice(nameConstraints.PermittedIPRanges)
+ permittedIPRanges = convertIPNetSliceToIPNetPointerSlice(nameConstraints.PermittedIPRanges)
 }
 tmpl := &x509.Certificate{
 Version: 3,
diff --git a/pkg/util/pki/nameconstraints.go b/pkg/util/pki/nameconstraints.go
index 17eef847a..63575429b 100644
--- a/pkg/util/pki/nameconstraints.go
+++ b/pkg/util/pki/nameconstraints.go
@@ -104,8 +104,8 @@ func UnmarshalNameConstraints(value []byte) (NameConstraints, error) {
 return constraints, nil
 }
 
-// ConvertIPNeSliceToIPNetPointerSlice converts []net.IPNet to []*net.IPNet.
-func ConvertIPNeSliceToIPNetPointerSlice(ipNetPointerSlice []net.IPNet) []*net.IPNet {
+// convertIPNetSliceToIPNetPointerSlice converts []net.IPNet to []*net.IPNet.
+func convertIPNetSliceToIPNetPointerSlice(ipNetPointerSlice []net.IPNet) []*net.IPNet {
 if ipNetPointerSlice == nil {
 return nil
 }