diff --git a/cmd/startupapicheck/LICENSES b/cmd/startupapicheck/LICENSES index dd5015014..61356cbb6 100644 --- a/cmd/startupapicheck/LICENSES +++ b/cmd/startupapicheck/LICENSES @@ -1,3 +1,4 @@ +github.com/Azure/go-ntlmssp,https://github.com/Azure/go-ntlmssp/blob/754e69321358/LICENSE,MIT github.com/beorn7/perks/quantile,https://github.com/beorn7/perks/blob/v1.0.1/LICENSE,MIT github.com/blang/semver/v4,https://github.com/blang/semver/blob/v4.0.0/v4/LICENSE,MIT github.com/cert-manager/cert-manager,https://github.com/cert-manager/cert-manager/blob/HEAD/LICENSE,Apache-2.0 @@ -8,7 +9,9 @@ github.com/emicklei/go-restful/v3,https://github.com/emicklei/go-restful/blob/v3 github.com/evanphx/json-patch,https://github.com/evanphx/json-patch/blob/v5.9.0/LICENSE,BSD-3-Clause github.com/evanphx/json-patch/v5,https://github.com/evanphx/json-patch/blob/v5.9.0/v5/LICENSE,BSD-3-Clause github.com/fsnotify/fsnotify,https://github.com/fsnotify/fsnotify/blob/v1.7.0/LICENSE,BSD-3-Clause +github.com/go-asn1-ber/asn1-ber,https://github.com/go-asn1-ber/asn1-ber/blob/v1.5.6/LICENSE,MIT github.com/go-errors/errors,https://github.com/go-errors/errors/blob/v1.5.1/LICENSE.MIT,MIT +github.com/go-ldap/ldap/v3,https://github.com/go-ldap/ldap/blob/v3.4.8/v3/LICENSE,MIT github.com/go-logr/logr,https://github.com/go-logr/logr/blob/v1.4.1/LICENSE,Apache-2.0 github.com/go-logr/zapr,https://github.com/go-logr/zapr/blob/v1.3.0/LICENSE,Apache-2.0 github.com/go-openapi/jsonpointer,https://github.com/go-openapi/jsonpointer/blob/v0.21.0/LICENSE,Apache-2.0 @@ -47,6 +50,7 @@ github.com/xlab/treeprint,https://github.com/xlab/treeprint/blob/v1.2.0/LICENSE, go.starlark.net,https://github.com/google/starlark-go/blob/f457c4c2b267/LICENSE,BSD-3-Clause go.uber.org/multierr,https://github.com/uber-go/multierr/blob/v1.11.0/LICENSE.txt,MIT go.uber.org/zap,https://github.com/uber-go/zap/blob/v1.27.0/LICENSE,MIT +golang.org/x/crypto,https://cs.opensource.google/go/x/crypto/+/v0.23.0:LICENSE,BSD-3-Clause golang.org/x/exp/maps,https://cs.opensource.google/go/x/exp/+/9bf2ced1:LICENSE,BSD-3-Clause golang.org/x/net,https://cs.opensource.google/go/x/net/+/v0.25.0:LICENSE,BSD-3-Clause golang.org/x/oauth2,https://cs.opensource.google/go/x/oauth2/+/v0.20.0:LICENSE,BSD-3-Clause diff --git a/cmd/startupapicheck/go.mod b/cmd/startupapicheck/go.mod index d502997aa..7048588c3 100644 --- a/cmd/startupapicheck/go.mod +++ b/cmd/startupapicheck/go.mod @@ -15,6 +15,9 @@ replace github.com/prometheus/common => github.com/prometheus/common v0.46.0 replace github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.18.0 +// Can be removed once github.com/go-ldap/ldap/v3 releases a version that requires this version. +replace github.com/go-asn1-ber/asn1-ber => github.com/go-asn1-ber/asn1-ber v1.5.6 + replace github.com/cert-manager/cert-manager => ../../ require ( @@ -30,6 +33,7 @@ require ( require ( github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect + github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect @@ -38,7 +42,9 @@ require ( github.com/evanphx/json-patch v5.9.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/go-asn1-ber/asn1-ber v1.5.6 // indirect github.com/go-errors/errors v1.5.1 // indirect + github.com/go-ldap/ldap/v3 v3.4.8 // indirect github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.21.0 // indirect @@ -76,6 +82,7 @@ require ( go.starlark.net v0.0.0-20240510163022-f457c4c2b267 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect + golang.org/x/crypto v0.23.0 // indirect golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect golang.org/x/net v0.25.0 // indirect golang.org/x/oauth2 v0.20.0 // indirect diff --git a/cmd/startupapicheck/go.sum b/cmd/startupapicheck/go.sum index e25d1c2b8..30ad5c77e 100644 --- a/cmd/startupapicheck/go.sum +++ b/cmd/startupapicheck/go.sum @@ -1,5 +1,9 @@ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= +github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= +github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= +github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= @@ -21,8 +25,12 @@ github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/go-asn1-ber/asn1-ber v1.5.6 h1:CYsqysemXfEaQbyrLJmdsCRuufHoLa3P/gGWGl5TDrM= +github.com/go-asn1-ber/asn1-ber v1.5.6/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= +github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ= +github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= @@ -58,12 +66,29 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= +github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= +github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= +github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= +github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM= +github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg= +github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo= +github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o= +github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg= +github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8= +github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs= +github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY= +github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= @@ -121,17 +146,23 @@ github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyh github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.starlark.net v0.0.0-20240510163022-f457c4c2b267 h1:nHGP5vKtg2WaXA/AozoZWx/DI9wvwxCeikONJbdKdFo= go.starlark.net v0.0.0-20240510163022-f457c4c2b267/go.mod h1:YKMCv9b1WrfWmeqdV5MAuEHWsu5iC+fe6kYl2sQjdI8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= @@ -143,14 +174,30 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM= golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= +golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo= @@ -158,18 +205,38 @@ golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbht golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= +golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= +golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= @@ -178,6 +245,8 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/cmd/startupapicheck/pkg/check/api/api.go b/cmd/startupapicheck/pkg/check/api/api.go index 4ca6cef53..378872631 100644 --- a/cmd/startupapicheck/pkg/check/api/api.go +++ b/cmd/startupapicheck/pkg/check/api/api.go @@ -24,7 +24,6 @@ import ( "time" "github.com/spf13/cobra" - "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/wait" cmcmdutil "github.com/cert-manager/cert-manager/internal/cmd/util" @@ -54,7 +53,6 @@ func (o *Options) Complete() error { o.APIChecker, err = cmapichecker.New( o.RESTConfig, - runtime.NewScheme(), o.Namespace, ) if err != nil { diff --git a/cmd/webhook/go.mod b/cmd/webhook/go.mod index 64bb16f36..50d50e8ac 100644 --- a/cmd/webhook/go.mod +++ b/cmd/webhook/go.mod @@ -23,7 +23,6 @@ replace github.com/cert-manager/cert-manager => ../../ require ( github.com/cert-manager/cert-manager v0.0.0-00010101000000-000000000000 github.com/spf13/cobra v1.8.0 - k8s.io/apimachinery v0.30.1 k8s.io/component-base v0.30.1 sigs.k8s.io/controller-runtime v0.18.2 ) @@ -101,6 +100,7 @@ require ( gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/api v0.30.1 // indirect k8s.io/apiextensions-apiserver v0.30.1 // indirect + k8s.io/apimachinery v0.30.1 // indirect k8s.io/apiserver v0.30.1 // indirect k8s.io/client-go v0.30.1 // indirect k8s.io/klog/v2 v2.120.1 // indirect diff --git a/deploy/charts/cert-manager/templates/startupapicheck-rbac.yaml b/deploy/charts/cert-manager/templates/startupapicheck-rbac.yaml index 606e72564..ab8c30fbf 100644 --- a/deploy/charts/cert-manager/templates/startupapicheck-rbac.yaml +++ b/deploy/charts/cert-manager/templates/startupapicheck-rbac.yaml @@ -18,7 +18,7 @@ metadata: {{- end }} rules: - apiGroups: ["cert-manager.io"] - resources: ["certificates"] + resources: ["certificaterequests"] verbs: ["create"] --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/pkg/util/cmapichecker/cmapichecker.go b/pkg/util/cmapichecker/cmapichecker.go index 83d752315..f94ba14e9 100644 --- a/pkg/util/cmapichecker/cmapichecker.go +++ b/pkg/util/cmapichecker/cmapichecker.go @@ -17,17 +17,22 @@ limitations under the License. package cmapichecker import ( + "bytes" "context" + "encoding/pem" "fmt" + "net/http" "regexp" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" "k8s.io/client-go/rest" + "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/client" cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" + "github.com/cert-manager/cert-manager/pkg/util/pki" ) var ( @@ -35,19 +40,26 @@ var ( ErrWebhookServiceFailure = fmt.Errorf("the cert-manager webhook service is not created yet") ErrWebhookDeploymentFailure = fmt.Errorf("the cert-manager webhook deployment is not ready yet") ErrWebhookCertificateFailure = fmt.Errorf("the cert-manager webhook CA bundle is not injected yet") -) + ErrMutationWebhookMissing = fmt.Errorf("the cert-manager mutation webhook did not mutate the dry-run CertificateRequest object") + ErrValidatingWebhookMissing = fmt.Errorf("the cert-manager validating webhook did not validate the dry-run CertificateRequest object") + ErrMutationWebhookIncorrect = fmt.Errorf("the cert-manager validating webhook failed because the dry-run CertificateRequest object was mutated incorrectly") -const ( - crdsMapping1Error = `error finding the scope of the object: failed to get restmapping: failed to find API group "cert-manager.io"` - crdsMapping2Error = `error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"` - crdsNotFoundError = `the server could not find the requested resource (post certificates.cert-manager.io)` + ErrFailedToCheckAPI = fmt.Errorf("failed to check the cert-manager API") ) var ( - regexErrCertManagerCRDsNotFound = regexp.MustCompile(`^(` + regexp.QuoteMeta(crdsMapping1Error) + `|` + regexp.QuoteMeta(crdsMapping2Error) + `|` + regexp.QuoteMeta(crdsNotFoundError) + `)$`) + regexErrCertManagerCRDsNotFound1 = regexp.MustCompile(`the server could not find the requested resource`) + regexErrCertManagerCRDsNotFound2 = regexp.MustCompile(`failed to find API group "cert-manager\.io"`) + regexErrCertManagerCRDsNotFound3 = regexp.MustCompile(`no resources found for group "cert-manager\.io/v1"`) + regexErrCertManagerCRDsNotFound4 = regexp.MustCompile(`no matches for kind "CertificateRequest" in group "cert-manager\.io"`) + regexErrCertManagerCRDsNotFound5 = regexp.MustCompile(`no matches for kind "CertificateRequest" in version "cert-manager\.io/v1"`) regexErrWebhookServiceFailure = regexp.MustCompile(`Post "(.*)": service "(.*)-webhook" not found`) regexErrWebhookDeploymentFailure = regexp.MustCompile(`Post "(.*)": (.*): connect: connection refused`) regexErrWebhookCertificateFailure = regexp.MustCompile(`Post "(.*)": x509: certificate signed by unknown authority`) + regexErrCertmanagerDeniedRequest = regexp.MustCompile(`admission webhook "webhook\.cert-manager\.io" denied the request: (.*)`) + + regexErrForbidden = regexp.MustCompile(`certificaterequests\.cert-manager\.io is forbidden`) + regexErrDenied = regexp.MustCompile(`admission webhook "(.*)" denied the request: (.*)`) ) // Interface is used to check that the cert-manager CRDs have been installed and are usable. @@ -57,23 +69,94 @@ type Interface interface { type cmapiChecker struct { client client.Client + + testValidCR *cmapi.CertificateRequest + testInvalidCR *cmapi.CertificateRequest } // New returns a cert-manager API checker -func New(restcfg *rest.Config, scheme *runtime.Scheme, namespace string) (Interface, error) { +func New(restcfg *rest.Config, namespace string) (Interface, error) { + httpClient, err := rest.HTTPClientFor(restcfg) + if err != nil { + return nil, fmt.Errorf("while creating HTTP client: %w", err) + } + + return NewForConfigAndClient(restcfg, httpClient, namespace) +} + +func NewForConfigAndClient(restcfg *rest.Config, httpClient *http.Client, namespace string) (Interface, error) { + scheme := runtime.NewScheme() if err := cmapi.AddToScheme(scheme); err != nil { return nil, fmt.Errorf("while configuring scheme: %w", err) } cl, err := client.New(restcfg, client.Options{ - Scheme: scheme, + HTTPClient: httpClient, + Scheme: scheme, + DryRun: ptr.To(true), }) if err != nil { return nil, fmt.Errorf("while creating client: %w", err) } + cl = client.NewNamespacedClient(cl, namespace) + + x509CertReq, err := pki.GenerateCSR( + &cmapi.Certificate{ + Spec: cmapi.CertificateSpec{ + DNSNames: []string{"example.com"}, + PrivateKey: &cmapi.CertificatePrivateKey{ + Algorithm: "ECDSA", + Size: 521, + }, + }, + }, + pki.WithEncodeBasicConstraintsInRequest(true), + ) + if err != nil { + return nil, fmt.Errorf("while generating CSR: %w", err) + } + + pk, err := pki.GenerateECPrivateKey(521) + if err != nil { + return nil, fmt.Errorf("while generating private key: %w", err) + } + + csrDER, err := pki.EncodeCSR(x509CertReq, pk) + if err != nil { + return nil, fmt.Errorf("while encoding CSR: %w", err) + } + + csrPEM := bytes.NewBuffer([]byte{}) + err = pem.Encode(csrPEM, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER}) + if err != nil { + return nil, fmt.Errorf("while encoding CSR to PEM: %w", err) + } + return &cmapiChecker{ - client: client.NewNamespacedClient(client.NewDryRunClient(cl), namespace), + client: cl, + testValidCR: &cmapi.CertificateRequest{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: "cmapichecker-valid-", + }, + Spec: cmapi.CertificateRequestSpec{ + Request: csrPEM.Bytes(), + IssuerRef: cmmeta.ObjectReference{ + Name: "cmapichecker", + }, + }, + }, + testInvalidCR: &cmapi.CertificateRequest{ + ObjectMeta: metav1.ObjectMeta{ + GenerateName: "cmapichecker-invalid-", + }, + Spec: cmapi.CertificateRequestSpec{ + Request: []byte("invalid-csr"), + IssuerRef: cmmeta.ObjectReference{ + Name: "cmapichecker", + }, + }, + }, }, nil } @@ -85,22 +168,37 @@ func New(restcfg *rest.Config, scheme *runtime.Scheme, namespace string) (Interf // we have disabled the serving of non-v1 CRD versions, so it is no longer // possible to test the reachability of the conversion webhook. func (o *cmapiChecker) Check(ctx context.Context) error { - cert := &cmapi.Certificate{ - ObjectMeta: metav1.ObjectMeta{ - GenerateName: "cmapichecker-", - }, - Spec: cmapi.CertificateSpec{ - DNSNames: []string{"cmapichecker.example"}, - SecretName: "cmapichecker", - IssuerRef: cmmeta.ObjectReference{ - Name: "cmapichecker", - }, - }, - } + // Test the mutating webhook, which should add the username, UID, and groups + if err := func() error { + certReq := o.testValidCR.DeepCopy() + if err := o.client.Create(ctx, certReq); err != nil { + return err + } - if err := o.client.Create(ctx, cert); err != nil { + if certReq.Spec.Username == "" && + certReq.Spec.UID == "" { + return ErrMutationWebhookMissing + } + + return nil + }(); err != nil { return err } + + // Test the validating webhook, which should reject the request + if err := func() error { + certReq := o.testInvalidCR.DeepCopy() + if err := o.client.Create(ctx, certReq); err == nil { + return ErrValidatingWebhookMissing + } else if !regexErrCertmanagerDeniedRequest.MatchString(err.Error()) { + return err + } + + return nil + }(); err != nil { + return err + } + return nil } @@ -115,11 +213,23 @@ func (o *cmapiChecker) Check(ctx context.Context) error { // - Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.38.90:443: connect: connection refused // ErrWebhookCertificateFailure: // - Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "cert-manager-webhook-ca") +// ErrMutationWebhookIncorrect: +// - admission webhook "webhook.cert-manager.io" denied the request: [spec.username: Forbidden: username identity must be that of the requester, spec.groups: Forbidden: groups identity must be that of the requester] +// ErrFailedToCheckAPI: +// - certificaterequests.cert-manager.io is forbidden: User "test" cannot create resource "certificaterequests" in API group "cert-manager.io" in the namespace "default" +// - admission webhook "validate.kyverno.svc-fail" denied the request: ... func TranslateToSimpleError(err error) error { - s := err.Error() + if err == nil { + return nil + } + s := err.Error() switch { - case regexErrCertManagerCRDsNotFound.MatchString(s): + case regexErrCertManagerCRDsNotFound1.MatchString(s) || + regexErrCertManagerCRDsNotFound2.MatchString(s) || + regexErrCertManagerCRDsNotFound3.MatchString(s) || + regexErrCertManagerCRDsNotFound4.MatchString(s) || + regexErrCertManagerCRDsNotFound5.MatchString(s): return ErrCertManagerCRDsNotFound case regexErrWebhookServiceFailure.MatchString(s): return ErrWebhookServiceFailure @@ -127,6 +237,11 @@ func TranslateToSimpleError(err error) error { return ErrWebhookDeploymentFailure case regexErrWebhookCertificateFailure.MatchString(s): return ErrWebhookCertificateFailure + case regexErrCertmanagerDeniedRequest.MatchString(s): + return ErrMutationWebhookIncorrect + case regexErrForbidden.MatchString(s) || + regexErrDenied.MatchString(s): + return ErrFailedToCheckAPI default: return nil } diff --git a/pkg/util/cmapichecker/cmapichecker_test.go b/pkg/util/cmapichecker/cmapichecker_test.go index 8908eb6d3..d0118fc45 100644 --- a/pkg/util/cmapichecker/cmapichecker_test.go +++ b/pkg/util/cmapichecker/cmapichecker_test.go @@ -18,175 +18,371 @@ package cmapichecker import ( "context" - "errors" + "encoding/json" + "net/http" + "net/http/httptest" "testing" - "k8s.io/apimachinery/pkg/runtime" - "sigs.k8s.io/controller-runtime/pkg/client" - "sigs.k8s.io/controller-runtime/pkg/client/fake" - - cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/rest" ) -type fakeErrorClient struct { - client.Client - - createError error -} - -func (cl *fakeErrorClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error { - if cl.createError != nil { - return cl.createError - } - - return cl.Client.Create(ctx, obj, opts...) -} - -func newFakeCmapiChecker() (*fakeErrorClient, Interface, error) { - scheme := runtime.NewScheme() - if err := cmapi.AddToScheme(scheme); err != nil { - return nil, nil, err - } - cl := fake.NewClientBuilder().WithScheme(scheme).Build() - errorClient := &fakeErrorClient{ - Client: cl, - createError: nil, - } - - return errorClient, &cmapiChecker{ - client: errorClient, - }, nil -} - const ( - errCertManagerCRDsMapping = `error finding the scope of the object: failed to get restmapping: no matches for kind "Certificate" in group "cert-manager.io"` - errCertManagerCRDsNotFound = `the server could not find the requested resource (post certificates.cert-manager.io)` - - errMutatingWebhookServiceFailure = `Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": service "cert-manager-webhook" not found` - errMutatingWebhookDeploymentFailure = `Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": dial tcp 10.96.38.90:443: connect: connection refused` - errMutatingWebhookCertificateFailure = `Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "cert-manager-webhook-ca"` - - // These /convert error examples test that we can correctly parse errors - // while connecting to the conversion webhook, - // but as of cert-manager 1.6 the conversion webhook will no-longer be used - // because legacy CRD versions will no longer be "served" - // and in 1.7 the conversion webhook may be removed at which point these can - // be removed too. - // TODO: Add tests for errors when connecting to the /validate - // ValidatingWebhook endpoint. - errConversionWebhookServiceFailure = `conversion webhook for cert-manager.io/v1alpha2, Kind=Certificate failed: Post "https://cert-manager-webhook.cert-manager.svc:443/convert?timeout=30s": service "cert-manager-webhook" not found` - errConversionWebhookDeploymentFailure = `conversion webhook for cert-manager.io/v1alpha2, Kind=Certificate failed: Post "https://cert-manager-webhook.cert-manager.svc:443/convert?timeout=30s": dial tcp 10.96.38.90:443: connect: connection refused` - errConversionWebhookCertificateFailure = `conversion webhook for cert-manager.io/v1alpha2, Kind=Certificate failed: Post "https://cert-manager-webhook.cert-manager.svc:443/convert?timeout=30s": x509: certificate signed by unknown authority` + crNoMutation = `{ + "kind":"CertificateRequest", + "apiVersion":"cert-manager.io/v1", + "metadata":{ + "name":"cmapichecker-0001", + "namespace":"test-namespace" + }, + "spec":{ + "issuerRef":{"name":"cmapichecker"}, + "request":"PENTUi1WQUxVRT4=" + } + }` + crAfterMutation = `{ + "kind":"CertificateRequest", + "apiVersion":"cert-manager.io/v1", + "metadata":{ + "name":"cmapichecker-0001", + "namespace":"test-namespace" + }, + "spec":{ + "issuerRef":{"name":"cmapichecker"}, + "request":"PENTUi1WQUxVRT4=", + "username":"test-user", + "uid":"test-uid" + }, + "status":{} + }` ) -func TestCmapiChecker(t *testing.T) { +func TestCheck(t *testing.T) { + type testT struct { + apisResponse func(t *testing.T, r *http.Request) (int, []byte) + discoveryResponse func(t *testing.T, r *http.Request) (int, []byte) + createValidResponse func(t *testing.T, r *http.Request) (int, []byte) + createInvalidResponse func(t *testing.T, r *http.Request) (int, []byte) + + expectedError string + expectedSimpleError string + } + tests := map[string]testT{ - "check API without errors": { - createError: nil, - - expectedSimpleError: "", - expectedVerboseError: "", + "no errors": {}, + "without any cert-manager CRDs installed (missing from /apis)": { + apisResponse: func(t *testing.T, r *http.Request) (int, []byte) { + return http.StatusOK, []byte(`{ + "kind": "APIGroupList", + "apiVersion": "v1", + "groups": [] + }`) + }, + expectedError: `error finding the scope of the object: failed to get restmapping: no matches for kind "CertificateRequest" in group "cert-manager.io"`, + expectedSimpleError: ErrCertManagerCRDsNotFound.Error(), }, - "check API without CRDs installed 1": { - createError: errors.New(errCertManagerCRDsMapping), - - expectedSimpleError: ErrCertManagerCRDsNotFound.Error(), - expectedVerboseError: errCertManagerCRDsMapping, + "without any cert-manager CRDs installed (404)": { + discoveryResponse: func(t *testing.T, r *http.Request) (int, []byte) { + return http.StatusNotFound, nil + }, + expectedError: `error finding the scope of the object: failed to get restmapping: no matches for kind "CertificateRequest" in group "cert-manager.io"`, + expectedSimpleError: ErrCertManagerCRDsNotFound.Error(), }, - "check API without CRDs installed 2": { - createError: errors.New(errCertManagerCRDsNotFound), - - expectedSimpleError: ErrCertManagerCRDsNotFound.Error(), - expectedVerboseError: errCertManagerCRDsNotFound, + "without any cert-manager CRDs installed (empty list)": { + discoveryResponse: func(t *testing.T, r *http.Request) (int, []byte) { + return http.StatusOK, []byte(`{ + "kind":"APIResourceList", + "apiVersion":"v1", + "groupVersion":"cert-manager.io/v1", + "resources":[] + }`) + }, + expectedError: `error finding the scope of the object: failed to get restmapping: no matches for kind "CertificateRequest" in group "cert-manager.io"`, + expectedSimpleError: ErrCertManagerCRDsNotFound.Error(), }, - - "check API with mutating webhook service not ready": { - createError: errors.New(errMutatingWebhookServiceFailure), - - expectedSimpleError: ErrWebhookServiceFailure.Error(), - expectedVerboseError: errMutatingWebhookServiceFailure, + "without certificate request CRD installed": { + discoveryResponse: func(t *testing.T, r *http.Request) (int, []byte) { + return http.StatusOK, []byte(`{ + "kind":"APIResourceList", + "apiVersion":"v1", + "groupVersion":"cert-manager.io/v1", + "resources":[ + { + "name":"test", + "singularName":"", + "namespaced":true, + "kind":"Test", + "verbs":["get","patch","update"] + } + ] + }`) + }, + expectedError: `error finding the scope of the object: failed to get restmapping: no matches for kind "CertificateRequest" in group "cert-manager.io"`, + expectedSimpleError: ErrCertManagerCRDsNotFound.Error(), }, - "check API with conversion webhook service not ready": { - createError: errors.New(errConversionWebhookServiceFailure), - - expectedSimpleError: ErrWebhookServiceFailure.Error(), - expectedVerboseError: errConversionWebhookServiceFailure, + "with missing certificate request endpoint": { + discoveryResponse: func(t *testing.T, r *http.Request) (int, []byte) { + return http.StatusNotFound, nil + }, + expectedError: `error finding the scope of the object: failed to get restmapping: no matches for kind "CertificateRequest" in group "cert-manager.io"`, + expectedSimpleError: ErrCertManagerCRDsNotFound.Error(), }, - - "check API with mutating webhook pod not accepting connections": { - createError: errors.New(errMutatingWebhookDeploymentFailure), - - expectedSimpleError: ErrWebhookDeploymentFailure.Error(), - expectedVerboseError: errMutatingWebhookDeploymentFailure, + "dry-run certificate request was not mutated": { + createValidResponse: func(t *testing.T, r *http.Request) (int, []byte) { + return http.StatusOK, []byte(crNoMutation) + }, + expectedError: ErrMutationWebhookMissing.Error(), }, - "check API with conversion webhook pod not accepting connections": { - createError: errors.New(errConversionWebhookDeploymentFailure), - - expectedSimpleError: ErrWebhookDeploymentFailure.Error(), - expectedVerboseError: errConversionWebhookDeploymentFailure, + "cr was denied by 3rd party webhook": { + createInvalidResponse: func(t *testing.T, r *http.Request) (int, []byte) { + return http.StatusNotAcceptable, []byte(`{ + "kind":"Status", + "apiVersion":"v1", + "metadata":{}, + "status":"Failure", + "message":"admission webhook \"other-webhook.io\" denied the request: [ERROR MESSAGE]", + "reason":"NotAcceptable", + "code":406 + }`) + }, + expectedError: "admission webhook \"other-webhook.io\" denied the request: [ERROR MESSAGE]", + expectedSimpleError: ErrFailedToCheckAPI.Error(), }, - - "check API with webhook certificate not updated in mutation webhook resource definitions": { - createError: errors.New(errMutatingWebhookCertificateFailure), - - expectedSimpleError: ErrWebhookCertificateFailure.Error(), - expectedVerboseError: errMutatingWebhookCertificateFailure, - }, - "check API with webhook certificate not updated in conversion webhook resource definitions": { - createError: errors.New(errConversionWebhookCertificateFailure), - - expectedSimpleError: ErrWebhookCertificateFailure.Error(), - expectedVerboseError: errConversionWebhookCertificateFailure, - }, - "unexpected error": { - createError: errors.New("unexpected error"), - - expectedSimpleError: "", - expectedVerboseError: "unexpected error", + "missing validation error": { + createInvalidResponse: func(t *testing.T, r *http.Request) (int, []byte) { + return http.StatusOK, []byte(crAfterMutation) + }, + expectedError: ErrValidatingWebhookMissing.Error(), }, } - for n, test := range tests { - t.Run(n, func(t *testing.T) { - runTest(t, test) + type testFailure struct { + message string + reason string + code int + simpleError string + } + + for name, test := range map[string]testFailure{ + "no permission": { + message: `certificaterequests.cert-manager.io is forbidden: User "test" cannot create resource "certificaterequests" in API group "cert-manager.io" in the namespace "test-namespace"`, + reason: "Forbidden", + code: http.StatusForbidden, + + simpleError: ErrFailedToCheckAPI.Error(), + }, + + "service not found": { + message: `failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": service "cert-manager-webhook" not found`, + reason: "InternalError", + code: 500, + + simpleError: ErrWebhookServiceFailure.Error(), + }, + "connection refused": { + message: `failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s": dial tcp 10.96.19.42:443: connect: connection refused`, + reason: "InternalError", + code: 500, + + simpleError: ErrWebhookDeploymentFailure.Error(), + }, + + "certificate signed by unknown authority": { + message: `failed calling webhook "webhook.cert-manager.io": failed to call webhook: Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s": x509: certificate signed by unknown authority`, + reason: "NotAcceptable", + code: 406, + + simpleError: ErrWebhookCertificateFailure.Error(), + }, + "certificate signed by unknown authority (ECDSA verification failure)": { + message: `failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "cert-manager-webhook-ca"`, + reason: "NotAcceptable", + code: 406, + + simpleError: ErrWebhookCertificateFailure.Error(), + }, + + "validating webhook error (3rd party)": { + message: `admission webhook "other-webhook.io" denied the request: [ERROR MESSAGE]`, + reason: "NotAcceptable", + code: 406, + + simpleError: ErrFailedToCheckAPI.Error(), + }, + "missing mutating webhook": { + message: `admission webhook "webhook.cert-manager.io" denied the request: [spec.username: Forbidden: username identity must be that of the requester, spec.groups: Forbidden: groups identity must be that of the requester]`, + reason: "NotAcceptable", + code: 406, + + simpleError: ErrMutationWebhookIncorrect.Error(), + }, + "validating webhook error": { + message: `admission webhook "webhook.cert-manager.io" denied the request: spec.request: Invalid value: []byte{0x00}: error decoding certificate request PEM block`, + reason: "NotAcceptable", + code: 406, + + simpleError: ErrMutationWebhookIncorrect.Error(), + }, + + "unknown error": { + message: `UNKNOWN ERROR`, + reason: "InternalError", + code: 500, + }, + } { + tests["valid_failure_"+name] = testT{ + createValidResponse: func(t *testing.T, r *http.Request) (int, []byte) { + byteResponse, err := json.Marshal(map[string]interface{}{ + "kind": "Status", + "apiVersion": "v1", + "metadata": map[string]interface{}{}, + "status": "Failure", + "message": test.message, + "reason": test.reason, + "code": test.code, + }) + if err != nil { + t.Error(err) + } + return test.code, byteResponse + }, + expectedError: test.message, + expectedSimpleError: test.simpleError, + } + } + + for name, test := range tests { + t.Run(name, func(t *testing.T) { + // fake https server to simulate the Kubernetes API server responses + mockKubernetesAPI := func(t *testing.T, r *http.Request) (int, []byte) { + switch r.URL.Path { + case "/api": + return http.StatusOK, []byte(`{"kind":"APIVersions","versions":["v1"]}`) + case "/apis": + if test.apisResponse != nil { + return test.apisResponse(t, r) + } + + return http.StatusOK, []byte(`{ + "kind": "APIGroupList", + "apiVersion": "v1", + "groups": [{ + "name": "cert-manager.io", + "versions": [{ + "groupVersion": "cert-manager.io/v1", + "version": "v1" + }], + "preferredVersion": { + "groupVersion": "cert-manager.io/v1", + "version": "v1" + } + }] + }`) + case "/apis/cert-manager.io/v1": + if test.discoveryResponse != nil { + return test.discoveryResponse(t, r) + } + + return http.StatusOK, []byte(`{ + "kind":"APIResourceList", + "apiVersion":"v1", + "groupVersion":"cert-manager.io/v1", + "resources":[ + { + "name":"certificaterequests", + "singularName":"certificaterequest", + "namespaced":true, + "kind":"CertificateRequest", + "verbs":["delete","deletecollection","get","list","patch","create","update","watch"], + "shortNames":["cr","crs"], + "categories":["cert-manager"], + "storageVersionHash":"tuxiikMaACg=" + }, + { + "name":"certificaterequests/status", + "singularName":"", + "namespaced":true, + "kind":"CertificateRequest", + "verbs":["get","patch","update"] + } + ] + }`) + case "/apis/cert-manager.io/v1/namespaces/test-namespace/certificaterequests": + obj := metav1.PartialObjectMetadata{} + if err := json.NewDecoder(r.Body).Decode(&obj); err != nil { + t.Errorf("failed to decode request body: %v", err) + } + + switch obj.GenerateName { + case "cmapichecker-valid-": + if test.createValidResponse != nil { + return test.createValidResponse(t, r) + } + + return http.StatusOK, []byte(crAfterMutation) + case "cmapichecker-invalid-": + if test.createInvalidResponse != nil { + return test.createInvalidResponse(t, r) + } + + return http.StatusNotAcceptable, []byte(`{ + "kind":"Status", + "apiVersion":"v1", + "metadata":{}, + "status":"Failure", + "message":"admission webhook \"webhook.cert-manager.io\" denied the request: [ERROR MESSAGE]", + "reason":"NotAcceptable", + "code":406 + }`) + } + default: + } + + return http.StatusNotFound, nil + } + testServer := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/json") + statusCode, content := mockKubernetesAPI(t, r) + w.WriteHeader(statusCode) + if content == nil { + return + } + + if _, err := w.Write(content); err != nil { + t.Errorf("failed to write response: %v", err) + } + })) + t.Cleanup(testServer.Close) + + restConfig := &rest.Config{ + Host: testServer.URL, + } + checker, err := NewForConfigAndClient(restConfig, testServer.Client(), "test-namespace") + if err != nil { + t.Fatalf("failed to create checker: %v", err) + } + + for i := 0; i < 10; i++ { + t.Logf("# check %d", i) + + err = checker.Check(context.Background()) + switch { + case err == nil && test.expectedError == "": + case err == nil && test.expectedError != "": + t.Errorf("expected error %q, got nil", test.expectedError) + case err.Error() != test.expectedError: + t.Errorf("expected error %q, got %q", test.expectedError, err.Error()) + } + + simpleErr := TranslateToSimpleError(err) + switch { + case simpleErr == nil && test.expectedSimpleError == "": + case simpleErr == nil && test.expectedSimpleError != "": + t.Errorf("expected error %q, got nil", test.expectedSimpleError) + case simpleErr.Error() != test.expectedSimpleError: + t.Errorf("expected error %q, got %q", test.expectedSimpleError, simpleErr.Error()) + } + } }) } } - -type testT struct { - createError error - - expectedSimpleError string - expectedVerboseError string -} - -func runTest(t *testing.T, test testT) { - errorClient, checker, err := newFakeCmapiChecker() - if err != nil { - t.Error(err) - } - - errorClient.createError = test.createError - - var simpleError error - err = checker.Check(context.TODO()) - if err != nil { - if err.Error() != test.expectedVerboseError { - t.Errorf("error differs from expected error:\n%s\n vs \n%s", err.Error(), test.expectedVerboseError) - } - - simpleError = TranslateToSimpleError(err) - } else if test.expectedVerboseError != "" { - t.Errorf("expected error did not occure:\n%s", test.expectedVerboseError) - } - - if simpleError != nil { - if simpleError.Error() != test.expectedSimpleError { - t.Errorf("simple error differs from expected error:\n%s\n vs \n%s", simpleError.Error(), test.expectedSimpleError) - } - } else { - if test.expectedSimpleError != "" { - t.Errorf("expected simple error did not occure:\n%s", test.expectedSimpleError) - } - } -}