diff --git a/deploy/crds/crd-certificates.yaml b/deploy/crds/crd-certificates.yaml
index 11615cd1b..22c3501f5 100644
--- a/deploy/crds/crd-certificates.yaml
+++ b/deploy/crds/crd-certificates.yaml
@@ -226,18 +226,18 @@ spec:
 type: array
 items:
 type: string
- otherNameSANs:
- description: Any String-like OID type using oid:x.x.x.x type and StringValue value can be used for `otherName`. `otherName` is an escape hatch for SAN that allows any type but we restrict to string like, cf RFC 5280 p 37 You should ensure that the OID is valid for the string type as we do not validate this.
+ otherNames:
+ description: '`otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.'
 type: array
 items:
 type: object
 properties:
- oid:
- description: OID is the object identifier for the otherName SAN. The object identifier must be expressed as a dotted string, for example, "1.2.840.113549.1.9.1".
- type: string
- utf8Value:
+ UTF8Value:
 description: Utf8Value is the string value of the otherName SAN. The string value represents a UTF-8 encoded asn1 value.
 type: string
+ oid:
+ description: OID is the object identifier for the otherName SAN. The object identifier must be expressed as a dotted string, for example, "1.2.840.113556.1.4.221".
+ type: string
 privateKey:
 description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy.
 type: object
diff --git a/internal/apis/certmanager/types_certificate.go b/internal/apis/certmanager/types_certificate.go
index 8bdf426d3..974519d87 100644
--- a/internal/apis/certmanager/types_certificate.go
+++ b/internal/apis/certmanager/types_certificate.go
@@ -167,10 +167,12 @@ type CertificateSpec struct {
 // Requested email subject alternative names.
 EmailAddresses []string
- // You should ensure that the OID is valid for the string type as we do not validate this.
- // otherName is most commonly as a user identifier called the UPN (User Principal Name) in LDAP
- // technically any oid can be used in `otherName` as it is a kind of escape hatch for SANs
- OtherNameSANs []OtherNameSAN
+ // `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+ // Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+ // Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+ // You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
+ // +optional
+ OtherNames []OtherName `json:"otherNames,omitempty"`
 // Name of the Secret resource that will be automatically created and
 // managed by this Certificate resource. It will be populated with a
@@ -252,15 +254,15 @@ type CertificateSpec struct {
 NameConstraints *NameConstraints
 }
-type OtherNameSAN struct {
+type OtherName struct {
 // OID is the object identifier for the otherName SAN.
 // The object identifier must be expressed as a dotted string, for
- // example, "1.2.840.113549.1.9.1".
- OID string
+ // example, "1.2.840.113556.1.4.221".
+ OID string `json:"oid,omitempty"`
 // Utf8Value is the string value of the otherName SAN.
 // The string value represents a UTF-8 encoded asn1 value.
- Utf8Value string
+ UTF8Value string `json:"UTF8Value,omitempty"`
 }
 // CertificatePrivateKey contains configuration options for private keys
diff --git a/internal/apis/certmanager/v1/zz_generated.conversion.go b/internal/apis/certmanager/v1/zz_generated.conversion.go
index 9c126ae65..5b3491a72 100644
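Review bot: The doc comment on the renamed field still reads `// Utf8Value is the string value of the otherName SAN.` while the field is now `UTF8Value`, so the comment no longer names the field it documents and the generated CRD description under `UTF8Value:` inherits the stale name; suggest `// UTF8Value is the string value of the otherName SAN.` here and in the same struct in the v1alpha2, v1alpha3 and v1beta1 types_certificate.go hunks. Separately, this internal hub type now carries `json:"otherNames,omitempty"`, `json:"oid,omitempty"` and `json:"UTF8Value,omitempty"` tags while the neighbouring internal fields (`EmailAddresses []string`, `NameConstraints *NameConstraints`, and `OID string` before this change) have none, so unless the internal package has started tagging fields the tags look accidental. The new comment's `can be passed with by setting the keys` reads as two phrasings merged; `can be passed by setting the keys` is probably intended, in all four copies of the comment and the CRD description. The comment also states that neither the OID nor the value is validated; `validation/certificate.go` is touched by this commit but its hunk is not in view, so I cannot tell whether format checks were added, and it would help to say in the comment where an unexpected OID or UPN value is expected to be rejected (admission or issuer policy).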
--- a/internal/apis/certmanager/v1/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1/zz_generated.conversion.go
@@ -304,13 +304,13 @@ func RegisterConversions(s *runtime.Scheme) error {
 }); err != nil {
 return err
 }
- if err := s.AddGeneratedConversionFunc((*v1.OtherNameSAN)(nil), (*certmanager.OtherNameSAN)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_v1_OtherNameSAN_To_certmanager_OtherNameSAN(a.(*v1.OtherNameSAN), b.(*certmanager.OtherNameSAN), scope)
+ if err := s.AddGeneratedConversionFunc((*v1.OtherName)(nil), (*certmanager.OtherName)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1_OtherName_To_certmanager_OtherName(a.(*v1.OtherName), b.(*certmanager.OtherName), scope)
 }); err != nil {
 return err
 }
- if err := s.AddGeneratedConversionFunc((*certmanager.OtherNameSAN)(nil), (*v1.OtherNameSAN)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_certmanager_OtherNameSAN_To_v1_OtherNameSAN(a.(*certmanager.OtherNameSAN), b.(*v1.OtherNameSAN), scope)
+ if err := s.AddGeneratedConversionFunc((*certmanager.OtherName)(nil), (*v1.OtherName)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_certmanager_OtherName_To_v1_OtherName(a.(*certmanager.OtherName), b.(*v1.OtherName), scope)
 }); err != nil {
 return err
 }
@@ -856,7 +856,7 @@ func autoConvert_v1_CertificateSpec_To_certmanager_CertificateSpec(in *v1.Certif
 out.DNSNames = *(*[]string)(unsafe.Pointer(&in.DNSNames))
 out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
 out.URIs = *(*[]string)(unsafe.Pointer(&in.URIs))
- out.OtherNameSANs = *(*[]certmanager.OtherNameSAN)(unsafe.Pointer(&in.OtherNameSANs))
+ out.OtherNames = *(*[]certmanager.OtherName)(unsafe.Pointer(&in.OtherNames))
 out.EmailAddresses = *(*[]string)(unsafe.Pointer(&in.EmailAddresses))
 out.SecretName = in.SecretName
 out.SecretTemplate = (*certmanager.CertificateSecretTemplate)(unsafe.Pointer(in.SecretTemplate))
@@ -897,7 +897,7 @@ func autoConvert_certmanager_CertificateSpec_To_v1_CertificateSpec(in *certmanag
 out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
 out.URIs = *(*[]string)(unsafe.Pointer(&in.URIs))
 out.EmailAddresses = *(*[]string)(unsafe.Pointer(&in.EmailAddresses))
- out.OtherNameSANs = *(*[]v1.OtherNameSAN)(unsafe.Pointer(&in.OtherNameSANs))
+ out.OtherNames = *(*[]v1.OtherName)(unsafe.Pointer(&in.OtherNames))
 out.SecretName = in.SecretName
 out.SecretTemplate = (*v1.CertificateSecretTemplate)(unsafe.Pointer(in.SecretTemplate))
 if in.Keystores != nil {
@@ -1337,26 +1337,26 @@ func Convert_certmanager_NameConstraints_To_v1_NameConstraints(in *certmanager.N
 return autoConvert_certmanager_NameConstraints_To_v1_NameConstraints(in, out, s)
 }
-func autoConvert_v1_OtherNameSAN_To_certmanager_OtherNameSAN(in *v1.OtherNameSAN, out *certmanager.OtherNameSAN, s conversion.Scope) error {
+func autoConvert_v1_OtherName_To_certmanager_OtherName(in *v1.OtherName, out *certmanager.OtherName, s conversion.Scope) error {
 out.OID = in.OID
- out.Utf8Value = in.Utf8Value
+ out.UTF8Value = in.UTF8Value
 return nil
 }
-// Convert_v1_OtherNameSAN_To_certmanager_OtherNameSAN is an autogenerated conversion function.
-func Convert_v1_OtherNameSAN_To_certmanager_OtherNameSAN(in *v1.OtherNameSAN, out *certmanager.OtherNameSAN, s conversion.Scope) error {
- return autoConvert_v1_OtherNameSAN_To_certmanager_OtherNameSAN(in, out, s)
+// Convert_v1_OtherName_To_certmanager_OtherName is an autogenerated conversion function.
+func Convert_v1_OtherName_To_certmanager_OtherName(in *v1.OtherName, out *certmanager.OtherName, s conversion.Scope) error {
+ return autoConvert_v1_OtherName_To_certmanager_OtherName(in, out, s)
 }
-func autoConvert_certmanager_OtherNameSAN_To_v1_OtherNameSAN(in *certmanager.OtherNameSAN, out *v1.OtherNameSAN, s conversion.Scope) error {
+func autoConvert_certmanager_OtherName_To_v1_OtherName(in *certmanager.OtherName, out *v1.OtherName, s conversion.Scope) error {
 out.OID = in.OID
- out.Utf8Value = in.Utf8Value
+ out.UTF8Value = in.UTF8Value
 return nil
 }
-// Convert_certmanager_OtherNameSAN_To_v1_OtherNameSAN is an autogenerated conversion function.
-func Convert_certmanager_OtherNameSAN_To_v1_OtherNameSAN(in *certmanager.OtherNameSAN, out *v1.OtherNameSAN, s conversion.Scope) error {
- return autoConvert_certmanager_OtherNameSAN_To_v1_OtherNameSAN(in, out, s)
+// Convert_certmanager_OtherName_To_v1_OtherName is an autogenerated conversion function.
+func Convert_certmanager_OtherName_To_v1_OtherName(in *certmanager.OtherName, out *v1.OtherName, s conversion.Scope) error {
+ return autoConvert_certmanager_OtherName_To_v1_OtherName(in, out, s)
 }
 func autoConvert_v1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *v1.PKCS12Keystore, out *certmanager.PKCS12Keystore, s conversion.Scope) error {
diff --git a/internal/apis/certmanager/v1alpha2/types_certificate.go b/internal/apis/certmanager/v1alpha2/types_certificate.go
index f1ce39db0..f8ef0b76b 100644
--- a/internal/apis/certmanager/v1alpha2/types_certificate.go
+++ b/internal/apis/certmanager/v1alpha2/types_certificate.go
@@ -135,11 +135,12 @@ type CertificateSpec struct {
 // +optional
 EmailSANs []string `json:"emailSANs,omitempty"`
- // Any String-like OID type using oid:x.x.x.x type and StringValue value can be used for `otherName`.
- // `otherName` is an escape hatch for SAN that allows any type but we restrict to string like, cf RFC 5280 p 37
- // You should ensure that the OID is valid for the string type as we do not validate this.
+ // `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+ // Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+ // Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+ // You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
 // +optional
- OtherNameSANs []OtherNameSAN `json:"otherNameSANs,omitempty"`
+ OtherNames []OtherName `json:"otherNames,omitempty"`
 // SecretName is the name of the secret resource that will be automatically
 // created and managed by this Certificate resource.
@@ -240,15 +241,15 @@ type CertificateSpec struct {
 NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
 }
-type OtherNameSAN struct {
+type OtherName struct {
 // OID is the object identifier for the otherName SAN.
 // The object identifier must be expressed as a dotted string, for
- // example, "1.2.840.113549.1.9.1".
+ // example, "1.2.840.113556.1.4.221".
 OID string `json:"oid,omitempty"`
 // Utf8Value is the string value of the otherName SAN.
 // The string value represents a UTF-8 encoded asn1 value.
- Utf8Value string `json:"utf8Value,omitempty"`
+ UTF8Value string `json:"UTF8Value,omitempty"`
 }
 // CertificatePrivateKey contains configuration options for private keys
diff --git a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
index 9cd25c767..74c82875f 100644
--- a/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go
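Review bot: The new JSON key in `UTF8Value string `json:"UTF8Value,omitempty"`` starts with an upper-case letter, which departs from the lowerCamelCase JSON naming used by every other key in this struct (`oid`, `otherNames`, `emailSANs`, `nameConstraints`) and by the Kubernetes API conventions; `json:"utf8Value,omitempty"` keeps the Go field rename while leaving that wire key unchanged. Together with the `otherNameSANs` to `otherNames` key rename in the preceding hunk, the serialized form of this versioned API changes, so a Certificate already stored with the old keys would silently lose these fields on decode; if this feature has shipped in a release that should be called out in the description, otherwise a one-line note that the schema is pre-release would settle it. The same tag appears in the v1alpha3 and v1beta1 types_certificate.go hunks and in the generated CRD.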
@@ -277,13 +277,13 @@ func RegisterConversions(s *runtime.Scheme) error {
 }); err != nil {
 return err
 }
- if err := s.AddGeneratedConversionFunc((*OtherNameSAN)(nil), (*certmanager.OtherNameSAN)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_v1alpha2_OtherNameSAN_To_certmanager_OtherNameSAN(a.(*OtherNameSAN), b.(*certmanager.OtherNameSAN), scope)
+ if err := s.AddGeneratedConversionFunc((*OtherName)(nil), (*certmanager.OtherName)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha2_OtherName_To_certmanager_OtherName(a.(*OtherName), b.(*certmanager.OtherName), scope)
 }); err != nil {
 return err
 }
- if err := s.AddGeneratedConversionFunc((*certmanager.OtherNameSAN)(nil), (*OtherNameSAN)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_certmanager_OtherNameSAN_To_v1alpha2_OtherNameSAN(a.(*certmanager.OtherNameSAN), b.(*OtherNameSAN), scope)
+ if err := s.AddGeneratedConversionFunc((*certmanager.OtherName)(nil), (*OtherName)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_certmanager_OtherName_To_v1alpha2_OtherName(a.(*certmanager.OtherName), b.(*OtherName), scope)
 }); err != nil {
 return err
 }
@@ -846,7 +846,7 @@ func autoConvert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec(in *Cer
 out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
 // WARNING: in.URISANs requires manual conversion: does not exist in peer-type
 // WARNING: in.EmailSANs requires manual conversion: does not exist in peer-type
- out.OtherNameSANs = *(*[]certmanager.OtherNameSAN)(unsafe.Pointer(&in.OtherNameSANs))
+ out.OtherNames = *(*[]certmanager.OtherName)(unsafe.Pointer(&in.OtherNames))
 out.SecretName = in.SecretName
 out.SecretTemplate = (*certmanager.CertificateSecretTemplate)(unsafe.Pointer(in.SecretTemplate))
 if in.Keystores != nil {
@@ -900,7 +900,7 @@ func autoConvert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec(in *cer
 out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
 // WARNING: in.URIs requires manual conversion: does not exist in peer-type
 // WARNING: in.EmailAddresses requires manual conversion: does not exist in peer-type
- out.OtherNameSANs = *(*[]OtherNameSAN)(unsafe.Pointer(&in.OtherNameSANs))
+ out.OtherNames = *(*[]OtherName)(unsafe.Pointer(&in.OtherNames))
 out.SecretName = in.SecretName
 out.SecretTemplate = (*CertificateSecretTemplate)(unsafe.Pointer(in.SecretTemplate))
 if in.Keystores != nil {
@@ -1343,26 +1343,26 @@ func Convert_certmanager_NameConstraints_To_v1alpha2_NameConstraints(in *certman
 return autoConvert_certmanager_NameConstraints_To_v1alpha2_NameConstraints(in, out, s)
 }
-func autoConvert_v1alpha2_OtherNameSAN_To_certmanager_OtherNameSAN(in *OtherNameSAN, out *certmanager.OtherNameSAN, s conversion.Scope) error {
+func autoConvert_v1alpha2_OtherName_To_certmanager_OtherName(in *OtherName, out *certmanager.OtherName, s conversion.Scope) error {
 out.OID = in.OID
- out.Utf8Value = in.Utf8Value
+ out.UTF8Value = in.UTF8Value
 return nil
 }
-// Convert_v1alpha2_OtherNameSAN_To_certmanager_OtherNameSAN is an autogenerated conversion function.
-func Convert_v1alpha2_OtherNameSAN_To_certmanager_OtherNameSAN(in *OtherNameSAN, out *certmanager.OtherNameSAN, s conversion.Scope) error {
- return autoConvert_v1alpha2_OtherNameSAN_To_certmanager_OtherNameSAN(in, out, s)
+// Convert_v1alpha2_OtherName_To_certmanager_OtherName is an autogenerated conversion function.
+func Convert_v1alpha2_OtherName_To_certmanager_OtherName(in *OtherName, out *certmanager.OtherName, s conversion.Scope) error {
+ return autoConvert_v1alpha2_OtherName_To_certmanager_OtherName(in, out, s)
 }
-func autoConvert_certmanager_OtherNameSAN_To_v1alpha2_OtherNameSAN(in *certmanager.OtherNameSAN, out *OtherNameSAN, s conversion.Scope) error {
+func autoConvert_certmanager_OtherName_To_v1alpha2_OtherName(in *certmanager.OtherName, out *OtherName, s conversion.Scope) error {
 out.OID = in.OID
- out.Utf8Value = in.Utf8Value
+ out.UTF8Value = in.UTF8Value
 return nil
 }
-// Convert_certmanager_OtherNameSAN_To_v1alpha2_OtherNameSAN is an autogenerated conversion function.
-func Convert_certmanager_OtherNameSAN_To_v1alpha2_OtherNameSAN(in *certmanager.OtherNameSAN, out *OtherNameSAN, s conversion.Scope) error {
- return autoConvert_certmanager_OtherNameSAN_To_v1alpha2_OtherNameSAN(in, out, s)
+// Convert_certmanager_OtherName_To_v1alpha2_OtherName is an autogenerated conversion function.
+func Convert_certmanager_OtherName_To_v1alpha2_OtherName(in *certmanager.OtherName, out *OtherName, s conversion.Scope) error {
+ return autoConvert_certmanager_OtherName_To_v1alpha2_OtherName(in, out, s)
 }
 func autoConvert_v1alpha2_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS12Keystore, out *certmanager.PKCS12Keystore, s conversion.Scope) error {
diff --git a/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go b/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go
index a1f07feb2..a83a25bf3 100644
--- a/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/v1alpha2/zz_generated.deepcopy.go
@@ -441,9 +441,9 @@ func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
- if in.OtherNameSANs != nil {
- in, out := &in.OtherNameSANs, &out.OtherNameSANs
- *out = make([]OtherNameSAN, len(*in))
+ if in.OtherNames != nil {
+ in, out := &in.OtherNames, &out.OtherNames
+ *out = make([]OtherName, len(*in))
 copy(*out, *in)
 }
 if in.SecretTemplate != nil {
@@ -862,17 +862,17 @@ func (in *NameConstraints) DeepCopy() *NameConstraints {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OtherNameSAN) DeepCopyInto(out *OtherNameSAN) {
+func (in *OtherName) DeepCopyInto(out *OtherName) {
 *out = *in
 return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherNameSAN.
-func (in *OtherNameSAN) DeepCopy() *OtherNameSAN {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherName.
+func (in *OtherName) DeepCopy() *OtherName {
 if in == nil {
 return nil
 }
- out := new(OtherNameSAN)
+ out := new(OtherName)
 in.DeepCopyInto(out)
 return out
 }
diff --git a/internal/apis/certmanager/v1alpha3/types_certificate.go b/internal/apis/certmanager/v1alpha3/types_certificate.go
index b00667cc7..42b5b1e33 100644
--- a/internal/apis/certmanager/v1alpha3/types_certificate.go
+++ b/internal/apis/certmanager/v1alpha3/types_certificate.go
@@ -133,11 +133,12 @@ type CertificateSpec struct {
 // +optional
 EmailSANs []string `json:"emailSANs,omitempty"`
- // Any String-like OID type using oid:x.x.x.x type and StringValue value can be used for `otherName`.
- // `otherName` is an escape hatch for SAN that allows any type but we restrict to string like, cf RFC 5280 p 37
- // You should ensure that the OID is valid for the string type as we do not validate this.
+ // `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+ // Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+ // Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+ // You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
 // +optional
- OtherNameSANs []OtherNameSAN `json:"otherNameSANs,omitempty"`
+ OtherNames []OtherName `json:"otherNames,omitempty"`
 // SecretName is the name of the secret resource that will be automatically
 // created and managed by this Certificate resource.
@@ -238,15 +239,15 @@ type CertificateSpec struct {
 NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
 }
-type OtherNameSAN struct {
+type OtherName struct {
 // OID is the object identifier for the otherName SAN.
 // The object identifier must be expressed as a dotted string, for
- // example, "1.2.840.113549.1.9.1".
+ // example, "1.2.840.113556.1.4.221".
 OID string `json:"oid,omitempty"`
 // Utf8Value is the string value of the otherName SAN.
 // The string value represents a UTF-8 encoded asn1 value.
- Utf8Value string `json:"utf8Value,omitempty"`
+ UTF8Value string `json:"UTF8Value,omitempty"`
 }
 // CertificatePrivateKey contains configuration options for private keys
diff --git a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
index f2c61fed1..2d32c0728 100644
--- a/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1alpha3/zz_generated.conversion.go
@@ -277,13 +277,13 @@ func RegisterConversions(s *runtime.Scheme) error {
 }); err != nil {
 return err
 }
- if err := s.AddGeneratedConversionFunc((*OtherNameSAN)(nil), (*certmanager.OtherNameSAN)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_v1alpha3_OtherNameSAN_To_certmanager_OtherNameSAN(a.(*OtherNameSAN), b.(*certmanager.OtherNameSAN), scope)
+ if err := s.AddGeneratedConversionFunc((*OtherName)(nil), (*certmanager.OtherName)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1alpha3_OtherName_To_certmanager_OtherName(a.(*OtherName), b.(*certmanager.OtherName), scope)
 }); err != nil {
 return err
 }
- if err := s.AddGeneratedConversionFunc((*certmanager.OtherNameSAN)(nil), (*OtherNameSAN)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_certmanager_OtherNameSAN_To_v1alpha3_OtherNameSAN(a.(*certmanager.OtherNameSAN), b.(*OtherNameSAN), scope)
+ if err := s.AddGeneratedConversionFunc((*certmanager.OtherName)(nil), (*OtherName)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_certmanager_OtherName_To_v1alpha3_OtherName(a.(*certmanager.OtherName), b.(*OtherName), scope)
 }); err != nil {
 return err
 }
@@ -845,7 +845,7 @@ func autoConvert_v1alpha3_CertificateSpec_To_certmanager_CertificateSpec(in *Cer
 out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
 // WARNING: in.URISANs requires manual conversion: does not exist in peer-type
 // WARNING: in.EmailSANs requires manual conversion: does not exist in peer-type
- out.OtherNameSANs = *(*[]certmanager.OtherNameSAN)(unsafe.Pointer(&in.OtherNameSANs))
+ out.OtherNames = *(*[]certmanager.OtherName)(unsafe.Pointer(&in.OtherNames))
 out.SecretName = in.SecretName
 out.SecretTemplate = (*certmanager.CertificateSecretTemplate)(unsafe.Pointer(in.SecretTemplate))
 if in.Keystores != nil {
@@ -899,7 +899,7 @@ func autoConvert_certmanager_CertificateSpec_To_v1alpha3_CertificateSpec(in *cer
 out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
 // WARNING: in.URIs requires manual conversion: does not exist in peer-type
 // WARNING: in.EmailAddresses requires manual conversion: does not exist in peer-type
- out.OtherNameSANs = *(*[]OtherNameSAN)(unsafe.Pointer(&in.OtherNameSANs))
+ out.OtherNames = *(*[]OtherName)(unsafe.Pointer(&in.OtherNames))
 out.SecretName = in.SecretName
 out.SecretTemplate = (*CertificateSecretTemplate)(unsafe.Pointer(in.SecretTemplate))
 if in.Keystores != nil {
@@ -1342,26 +1342,26 @@ func Convert_certmanager_NameConstraints_To_v1alpha3_NameConstraints(in *certman
 return autoConvert_certmanager_NameConstraints_To_v1alpha3_NameConstraints(in, out, s)
 }
-func autoConvert_v1alpha3_OtherNameSAN_To_certmanager_OtherNameSAN(in *OtherNameSAN, out *certmanager.OtherNameSAN, s conversion.Scope) error {
+func autoConvert_v1alpha3_OtherName_To_certmanager_OtherName(in *OtherName, out *certmanager.OtherName, s conversion.Scope) error {
 out.OID = in.OID
- out.Utf8Value = in.Utf8Value
+ out.UTF8Value = in.UTF8Value
 return nil
 }
-// Convert_v1alpha3_OtherNameSAN_To_certmanager_OtherNameSAN is an autogenerated conversion function.
-func Convert_v1alpha3_OtherNameSAN_To_certmanager_OtherNameSAN(in *OtherNameSAN, out *certmanager.OtherNameSAN, s conversion.Scope) error {
- return autoConvert_v1alpha3_OtherNameSAN_To_certmanager_OtherNameSAN(in, out, s)
+// Convert_v1alpha3_OtherName_To_certmanager_OtherName is an autogenerated conversion function.
+func Convert_v1alpha3_OtherName_To_certmanager_OtherName(in *OtherName, out *certmanager.OtherName, s conversion.Scope) error {
+ return autoConvert_v1alpha3_OtherName_To_certmanager_OtherName(in, out, s)
 }
-func autoConvert_certmanager_OtherNameSAN_To_v1alpha3_OtherNameSAN(in *certmanager.OtherNameSAN, out *OtherNameSAN, s conversion.Scope) error {
+func autoConvert_certmanager_OtherName_To_v1alpha3_OtherName(in *certmanager.OtherName, out *OtherName, s conversion.Scope) error {
 out.OID = in.OID
- out.Utf8Value = in.Utf8Value
+ out.UTF8Value = in.UTF8Value
 return nil
 }
-// Convert_certmanager_OtherNameSAN_To_v1alpha3_OtherNameSAN is an autogenerated conversion function.
-func Convert_certmanager_OtherNameSAN_To_v1alpha3_OtherNameSAN(in *certmanager.OtherNameSAN, out *OtherNameSAN, s conversion.Scope) error {
- return autoConvert_certmanager_OtherNameSAN_To_v1alpha3_OtherNameSAN(in, out, s)
+// Convert_certmanager_OtherName_To_v1alpha3_OtherName is an autogenerated conversion function.
+func Convert_certmanager_OtherName_To_v1alpha3_OtherName(in *certmanager.OtherName, out *OtherName, s conversion.Scope) error {
+ return autoConvert_certmanager_OtherName_To_v1alpha3_OtherName(in, out, s)
 }
 func autoConvert_v1alpha3_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS12Keystore, out *certmanager.PKCS12Keystore, s conversion.Scope) error {
diff --git a/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go b/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
index edf82ad66..7a521518d 100644
--- a/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
+++ b/internal/apis/certmanager/v1alpha3/zz_generated.deepcopy.go
@@ -436,9 +436,9 @@ func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
- if in.OtherNameSANs != nil {
- in, out := &in.OtherNameSANs, &out.OtherNameSANs
- *out = make([]OtherNameSAN, len(*in))
+ if in.OtherNames != nil {
+ in, out := &in.OtherNames, &out.OtherNames
+ *out = make([]OtherName, len(*in))
 copy(*out, *in)
 }
 if in.SecretTemplate != nil {
@@ -857,17 +857,17 @@ func (in *NameConstraints) DeepCopy() *NameConstraints {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OtherNameSAN) DeepCopyInto(out *OtherNameSAN) {
+func (in *OtherName) DeepCopyInto(out *OtherName) {
 *out = *in
 return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherNameSAN.
-func (in *OtherNameSAN) DeepCopy() *OtherNameSAN {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherName.
+func (in *OtherName) DeepCopy() *OtherName {
 if in == nil {
 return nil
 }
- out := new(OtherNameSAN)
+ out := new(OtherName)
 in.DeepCopyInto(out)
 return out
 }
diff --git a/internal/apis/certmanager/v1beta1/types_certificate.go b/internal/apis/certmanager/v1beta1/types_certificate.go
index cd9d56337..f7a2b4f82 100644
--- a/internal/apis/certmanager/v1beta1/types_certificate.go
+++ b/internal/apis/certmanager/v1beta1/types_certificate.go
@@ -134,11 +134,12 @@ type CertificateSpec struct {
 // +optional
 EmailSANs []string `json:"emailSANs,omitempty"`
- // Any String-like OID type using oid:x.x.x.x type and StringValue value can be used for `otherName`.
- // `otherName` is an escape hatch for SAN that allows any type but we restrict to string like, cf RFC 5280 p 37
- // You should ensure that the OID is valid for the string type as we do not validate this.
+ // `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37
+ // Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`.
+ // Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3
+ // You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.
 // +optional
- OtherNameSANs []OtherNameSAN `json:"otherNameSANs,omitempty"`
+ OtherNames []OtherName `json:"otherNames,omitempty"`
 // SecretName is the name of the secret resource that will be automatically
 // created and managed by this Certificate resource.
@@ -215,15 +216,15 @@ type CertificateSpec struct {
 NameConstraints *NameConstraints `json:"nameConstraints,omitempty"`
 }
-type OtherNameSAN struct {
+type OtherName struct {
 // OID is the object identifier for the otherName SAN.
 // The object identifier must be expressed as a dotted string, for
- // example, "1.2.840.113549.1.9.1".
+ // example, "1.2.840.113556.1.4.221".
 OID string `json:"oid,omitempty"`
 // Utf8Value is the string value of the otherName SAN.
 // The string value represents a UTF-8 encoded asn1 value.
- Utf8Value string `json:"utf8Value,omitempty"`
+ UTF8Value string `json:"UTF8Value,omitempty"`
 }
 // CertificatePrivateKey contains configuration options for private keys
diff --git a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
index fd7b0ef19..4bd3b4488 100644
--- a/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
+++ b/internal/apis/certmanager/v1beta1/zz_generated.conversion.go
@@ -292,13 +292,13 @@ func RegisterConversions(s *runtime.Scheme) error {
 }); err != nil {
 return err
 }
- if err := s.AddGeneratedConversionFunc((*OtherNameSAN)(nil), (*certmanager.OtherNameSAN)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_v1beta1_OtherNameSAN_To_certmanager_OtherNameSAN(a.(*OtherNameSAN), b.(*certmanager.OtherNameSAN), scope)
+ if err := s.AddGeneratedConversionFunc((*OtherName)(nil), (*certmanager.OtherName)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_v1beta1_OtherName_To_certmanager_OtherName(a.(*OtherName), b.(*certmanager.OtherName), scope)
 }); err != nil {
 return err
 }
- if err := s.AddGeneratedConversionFunc((*certmanager.OtherNameSAN)(nil), (*OtherNameSAN)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_certmanager_OtherNameSAN_To_v1beta1_OtherNameSAN(a.(*certmanager.OtherNameSAN), b.(*OtherNameSAN), scope)
+ if err := s.AddGeneratedConversionFunc((*certmanager.OtherName)(nil), (*OtherName)(nil), func(a, b interface{}, scope conversion.Scope) error {
+ return Convert_certmanager_OtherName_To_v1beta1_OtherName(a.(*certmanager.OtherName), b.(*OtherName), scope)
 }); err != nil {
 return err
 }
@@ -855,7 +855,7 @@ func autoConvert_v1beta1_CertificateSpec_To_certmanager_CertificateSpec(in *Cert
 out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
 // WARNING: in.URISANs requires manual conversion: does not exist in peer-type
 // WARNING: in.EmailSANs requires manual conversion: does not exist in peer-type
- out.OtherNameSANs = *(*[]certmanager.OtherNameSAN)(unsafe.Pointer(&in.OtherNameSANs))
+ out.OtherNames = *(*[]certmanager.OtherName)(unsafe.Pointer(&in.OtherNames))
 out.SecretName = in.SecretName
 out.SecretTemplate = (*certmanager.CertificateSecretTemplate)(unsafe.Pointer(in.SecretTemplate))
 if in.Keystores != nil {
@@ -890,7 +890,7 @@ func autoConvert_certmanager_CertificateSpec_To_v1beta1_CertificateSpec(in *cert
 out.IPAddresses = *(*[]string)(unsafe.Pointer(&in.IPAddresses))
 // WARNING: in.URIs requires manual conversion: does not exist in peer-type
 // WARNING: in.EmailAddresses requires manual conversion: does not exist in peer-type
- out.OtherNameSANs = *(*[]OtherNameSAN)(unsafe.Pointer(&in.OtherNameSANs))
+ out.OtherNames = *(*[]OtherName)(unsafe.Pointer(&in.OtherNames))
 out.SecretName = in.SecretName
 out.SecretTemplate = (*CertificateSecretTemplate)(unsafe.Pointer(in.SecretTemplate))
 if in.Keystores != nil {
@@ -1325,26 +1325,26 @@ func Convert_certmanager_NameConstraints_To_v1beta1_NameConstraints(in *certmana return autoConvert_certmanager_NameConstraints_To_v1beta1_NameConstraints(in, out, s) } -func autoConvert_v1beta1_OtherNameSAN_To_certmanager_OtherNameSAN(in *OtherNameSAN, out *certmanager.OtherNameSAN, s conversion.Scope) error { +func autoConvert_v1beta1_OtherName_To_certmanager_OtherName(in *OtherName, out *certmanager.OtherName, s conversion.Scope) error { out.OID = in.OID - out.Utf8Value = in.Utf8Value + out.UTF8Value = in.UTF8Value return nil } -// Convert_v1beta1_OtherNameSAN_To_certmanager_OtherNameSAN is an autogenerated conversion function. -func Convert_v1beta1_OtherNameSAN_To_certmanager_OtherNameSAN(in *OtherNameSAN, out *certmanager.OtherNameSAN, s conversion.Scope) error { - return autoConvert_v1beta1_OtherNameSAN_To_certmanager_OtherNameSAN(in, out, s) +// Convert_v1beta1_OtherName_To_certmanager_OtherName is an autogenerated conversion function. +func Convert_v1beta1_OtherName_To_certmanager_OtherName(in *OtherName, out *certmanager.OtherName, s conversion.Scope) error { + return autoConvert_v1beta1_OtherName_To_certmanager_OtherName(in, out, s) } -func autoConvert_certmanager_OtherNameSAN_To_v1beta1_OtherNameSAN(in *certmanager.OtherNameSAN, out *OtherNameSAN, s conversion.Scope) error { +func autoConvert_certmanager_OtherName_To_v1beta1_OtherName(in *certmanager.OtherName, out *OtherName, s conversion.Scope) error { out.OID = in.OID - out.Utf8Value = in.Utf8Value + out.UTF8Value = in.UTF8Value return nil } -// Convert_certmanager_OtherNameSAN_To_v1beta1_OtherNameSAN is an autogenerated conversion function. -func Convert_certmanager_OtherNameSAN_To_v1beta1_OtherNameSAN(in *certmanager.OtherNameSAN, out *OtherNameSAN, s conversion.Scope) error { - return autoConvert_certmanager_OtherNameSAN_To_v1beta1_OtherNameSAN(in, out, s) +// Convert_certmanager_OtherName_To_v1beta1_OtherName is an autogenerated conversion function. 
+func Convert_certmanager_OtherName_To_v1beta1_OtherName(in *certmanager.OtherName, out *OtherName, s conversion.Scope) error { + return autoConvert_certmanager_OtherName_To_v1beta1_OtherName(in, out, s) } func autoConvert_v1beta1_PKCS12Keystore_To_certmanager_PKCS12Keystore(in *PKCS12Keystore, out *certmanager.PKCS12Keystore, s conversion.Scope) error { diff --git a/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go b/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go index 3ede23b5a..b6a791021 100644 --- a/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go +++ b/internal/apis/certmanager/v1beta1/zz_generated.deepcopy.go @@ -436,9 +436,9 @@ func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) { *out = make([]string, len(*in)) copy(*out, *in) } - if in.OtherNameSANs != nil { - in, out := &in.OtherNameSANs, &out.OtherNameSANs - *out = make([]OtherNameSAN, len(*in)) + if in.OtherNames != nil { + in, out := &in.OtherNames, &out.OtherNames + *out = make([]OtherName, len(*in)) copy(*out, *in) } if in.SecretTemplate != nil { @@ -857,17 +857,17 @@ func (in *NameConstraints) DeepCopy() *NameConstraints { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OtherNameSAN) DeepCopyInto(out *OtherNameSAN) { +func (in *OtherName) DeepCopyInto(out *OtherName) { *out = *in return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherNameSAN. -func (in *OtherNameSAN) DeepCopy() *OtherNameSAN { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherName. +func (in *OtherName) DeepCopy() *OtherName { if in == nil { return nil } - out := new(OtherNameSAN) + out := new(OtherName) in.DeepCopyInto(out) return out } diff --git a/internal/apis/certmanager/validation/certificate.go b/internal/apis/certmanager/validation/certificate.go index dafce4123..dc1fcb853 100644 
--- a/internal/apis/certmanager/validation/certificate.go
+++ b/internal/apis/certmanager/validation/certificate.go
@@ -106,8 +106,8 @@ func ValidateCertificateSpec(crt *internalcmapi.CertificateSpec, fldPath *field.
 len(crt.URIs) == 0 &&
 len(crt.EmailAddresses) == 0 &&
 len(crt.IPAddresses) == 0 &&
- len(crt.OtherNameSANs) == 0 {
- el = append(el, field.Invalid(fldPath, "", "at least one of commonName, dnsNames, uriSANs, ipAddresses, emailSANs or otherNameSANs must be set"))
+ len(crt.OtherNames) == 0 {
+ el = append(el, field.Invalid(fldPath, "", "at least one of commonName, dnsNames, uriSANs, ipAddresses, emailSANs or otherNames must be set"))
 }
 
 // if a common name has been specified, ensure it is no longer than 64 chars
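Review bot: The rewritten message still lists `uriSANs` and `emailSANs`, but the v1 Certificate serializes those fields as `uris` (the v1 types hunk shows `json:"uris,omitempty"`) and, presumably, `emailAddresses`, so a v1 user is told to set keys that do not exist in their manifest; since this line is touched anyway, `"at least one of commonName, dnsNames, uris, ipAddresses, emailAddresses or otherNames must be set"` would match what users actually write. If this validation also serves v1beta1 objects, where the conversion hunk shows the fields are `URISANs`/`EmailSANs`, one message cannot match both versions and the wording should name the v1 keys as the canonical ones. ValidateCertificateSpec continues outside this hunk.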
@@ -123,17 +123,17 @@ func ValidateCertificateSpec(crt *internalcmapi.CertificateSpec, fldPath *field. el = append(el, validateEmailAddresses(crt, fldPath)...) } - if len(crt.OtherNameSANs) > 0 { - if !utilfeature.DefaultFeatureGate.Enabled(feature.OtherNameSANs) { - el = append(el, field.Forbidden(fldPath.Child("OtherNameSANs"), "Feature gate OtherNameSANs must be enabled on both webhook and controller to use the alpha `otherNameSANs` field")) + if len(crt.OtherNames) > 0 { + if !utilfeature.DefaultFeatureGate.Enabled(feature.OtherNames) { + el = append(el, field.Forbidden(fldPath.Child("OtherNames"), "Feature gate OtherNames must be enabled on both webhook and controller to use the alpha `otherNames` field")) } - for i, otherName := range crt.OtherNameSANs { + for i, otherName := range crt.OtherNames { if otherName.OID == "" { - el = append(el, field.Required(fldPath.Child("otherNameSANs").Index(i).Child("oid"), "must be specified")) + el = append(el, field.Required(fldPath.Child("otherNames").Index(i).Child("oid"), "must be specified")) } - if otherName.Utf8Value == "" { - el = append(el, field.Required(fldPath.Child("otherNameSANs").Index(i).Child("utf8Value"), "must be specified")) + if otherName.UTF8Value == "" { + el = append(el, field.Required(fldPath.Child("otherNames").Index(i).Child("utf8Value"), "must be specified")) } } } diff --git a/internal/apis/certmanager/validation/certificate_test.go b/internal/apis/certmanager/validation/certificate_test.go index 82cbf7075..3224ffd55 100644 --- a/internal/apis/certmanager/validation/certificate_test.go +++ b/internal/apis/certmanager/validation/certificate_test.go 
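Review bot: The `field.Required` path for a missing value still ends in `Child("utf8Value")`, while the serialized key this commit introduces is `UTF8Value` (see the v1 types hunk), so the admission error points users at a field that does not exist in the CRD; the same hunk also mixes `fldPath.Child("OtherNames")` for the feature-gate error with `fldPath.Child("otherNames")` two lines later. Use the JSON key consistently, e.g. `fldPath.Child("otherNames").Index(i).Child("UTF8Value")` and `fldPath.Child("otherNames")` for the Forbidden error. Separately, the loop only checks `OID` for emptiness; a malformed dotted string is currently caught only when the controller builds the CSR, where the requestmanager hunk logs "Failed to generate CSR - will not retry", so the Certificate is left stuck rather than rejected at admission. If the validation package can import `pki`, calling `pki.ParseObjectIdentifier(otherName.OID)` here and appending `field.Invalid(..., "must be a dotted OID string")` on error would fail fast with a clear message. ValidateCertificateSpec continues outside this hunk.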
@@ -165,7 +165,7 @@ func TestValidateCertificate(t *testing.T) { }, a: someAdmissionRequest, errs: []*field.Error{ - field.Invalid(fldPath, "", "at least one of commonName, dnsNames, uriSANs, ipAddresses, emailSANs or otherNameSANs must be set"), + field.Invalid(fldPath, "", "at least one of commonName, dnsNames, uriSANs, ipAddresses, emailSANs or otherNames must be set"), }, }, "certificate with no issuerRef": { @@ -1046,7 +1046,7 @@ func Test_validateLiteralSubject(t *testing.T) { }, a: someAdmissionRequest, errs: []*field.Error{ - field.Invalid(fldPath, "", "at least one of commonName, dnsNames, uriSANs, ipAddresses, emailSANs or otherNameSANs must be set"), + field.Invalid(fldPath, "", "at least one of commonName, dnsNames, uriSANs, ipAddresses, emailSANs or otherNames must be set"), }, }, "invalid with a `literalSubject` and any `Subject` other than serialNumber": { diff --git a/internal/apis/certmanager/zz_generated.deepcopy.go b/internal/apis/certmanager/zz_generated.deepcopy.go index 30c2aebe3..f4427e740 100644 --- a/internal/apis/certmanager/zz_generated.deepcopy.go +++ b/internal/apis/certmanager/zz_generated.deepcopy.go @@ -436,9 +436,9 @@ func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) { *out = make([]string, len(*in)) copy(*out, *in) } - if in.OtherNameSANs != nil { - in, out := &in.OtherNameSANs, &out.OtherNameSANs - *out = make([]OtherNameSAN, len(*in)) + if in.OtherNames != nil { + in, out := &in.OtherNames, &out.OtherNames + *out = make([]OtherName, len(*in)) copy(*out, *in) } if in.SecretTemplate != nil { 
@@ -857,17 +857,17 @@ func (in *NameConstraints) DeepCopy() *NameConstraints { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OtherNameSAN) DeepCopyInto(out *OtherNameSAN) { +func (in *OtherName) DeepCopyInto(out *OtherName) { *out = *in return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherNameSAN. -func (in *OtherNameSAN) DeepCopy() *OtherNameSAN { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherName. +func (in *OtherName) DeepCopy() *OtherName { if in == nil { return nil } - out := new(OtherNameSAN) + out := new(OtherName) in.DeepCopyInto(out) return out } diff --git a/internal/controller/feature/features.go b/internal/controller/feature/features.go index b4f49c8bb..c339893ba 100644 --- a/internal/controller/feature/features.go +++ b/internal/controller/feature/features.go @@ -130,10 +130,10 @@ const ( // Owner: @SpectralHiss // Alpha: v1.14 // - // OtherNameSANs adds support for OtherName Subject Alternative Name values in + // OtherNames adds support for OtherName Subject Alternative Name values in // Certificate resources. // Github Issue: https://github.com/cert-manager/cert-manager/issues/6393 - OtherNameSANs featuregate.Feature = "OtherNameSANs" + OtherNames featuregate.Feature = "OtherNames" ) func init() { @@ -156,5 +156,5 @@ var defaultCertManagerFeatureGates = map[featuregate.Feature]featuregate.Feature LiteralCertificateSubject: {Default: false, PreRelease: featuregate.Alpha}, UseCertificateRequestBasicConstraints: {Default: false, PreRelease: featuregate.Alpha}, UseCertificateRequestNameConstraints: {Default: false, PreRelease: featuregate.Alpha}, - OtherNameSANs: {Default: false, PreRelease: featuregate.Alpha}, + OtherNames: {Default: false, PreRelease: featuregate.Alpha}, } 
diff --git a/internal/webhook/feature/features.go b/internal/webhook/feature/features.go index e73e7cd87..be36a4780 100644 --- a/internal/webhook/feature/features.go +++ b/internal/webhook/feature/features.go @@ -73,10 +73,10 @@ const ( // Owner: @SpectralHiss // Alpha: v1.14 // - // OtherNameSANs adds support for OtherName Subject Alternative Name values in + // OtherNames adds support for OtherName Subject Alternative Name values in // Certificate resources. // Github Issue: https://github.com/cert-manager/cert-manager/issues/6393 - OtherNameSANs featuregate.Feature = "OtherNameSANs" + OtherNames featuregate.Feature = "OtherNames" ) func init() { @@ -96,5 +96,5 @@ var webhookFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{ AdditionalCertificateOutputFormats: {Default: false, PreRelease: featuregate.Alpha}, LiteralCertificateSubject: {Default: false, PreRelease: featuregate.Alpha}, UseCertificateRequestNameConstraints: {Default: false, PreRelease: featuregate.Alpha}, - OtherNameSANs: {Default: false, PreRelease: featuregate.Alpha}, + OtherNames: {Default: false, PreRelease: featuregate.Alpha}, } diff --git a/make/e2e-setup.mk b/make/e2e-setup.mk index 197cbdf7a..3f715b607 100644 --- a/make/e2e-setup.mk +++ b/make/e2e-setup.mk 
@@ -221,7 +221,7 @@ $(call local-image-tar,vaultretagged): $(call image-tar,vault) tar cf $@ -C /tmp/vault . @rm -rf /tmp/vault -FEATURE_GATES ?= AdditionalCertificateOutputFormats=true,ExperimentalCertificateSigningRequestControllers=true,ExperimentalGatewayAPISupport=true,ServerSideApply=true,LiteralCertificateSubject=true,UseCertificateRequestBasicConstraints=true,UseCertificateRequestNameConstraints=true,OtherNameSANs=true +FEATURE_GATES ?= AdditionalCertificateOutputFormats=true,ExperimentalCertificateSigningRequestControllers=true,ExperimentalGatewayAPISupport=true,ServerSideApply=true,LiteralCertificateSubject=true,UseCertificateRequestBasicConstraints=true,UseCertificateRequestNameConstraints=true,OtherNames=true ## Set this environment variable to a non empty string to cause cert-manager to ## be installed using best-practice configuration settings, and to install 
@@ -262,8 +262,8 @@ comma = , # Helm's "--set" interprets commas, which means we want to escape commas # for "--set featureGates". That's why we have "\$(comma)". -feature_gates_controller := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=% AdditionalCertificateOutputFormats=% ValidateCAA=% ExperimentalCertificateSigningRequestControllers=% ExperimentalGatewayAPISupport=% ServerSideApply=% LiteralCertificateSubject=% UseCertificateRequestBasicConstraints=% UseCertificateRequestNameConstraints=% SecretsFilteredCaching=% OtherNameSANs=%, $(subst $(comma),$(space),$(FEATURE_GATES)))) -feature_gates_webhook := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=% AdditionalCertificateOutputFormats=% LiteralCertificateSubject=% UseCertificateRequestNameConstraints=% OtherNameSANs=%, $(subst $(comma),$(space),$(FEATURE_GATES)))) +feature_gates_controller := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=% AdditionalCertificateOutputFormats=% ValidateCAA=% ExperimentalCertificateSigningRequestControllers=% ExperimentalGatewayAPISupport=% ServerSideApply=% LiteralCertificateSubject=% UseCertificateRequestBasicConstraints=% UseCertificateRequestNameConstraints=% SecretsFilteredCaching=% OtherNames=%, $(subst $(comma),$(space),$(FEATURE_GATES)))) +feature_gates_webhook := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=% AdditionalCertificateOutputFormats=% LiteralCertificateSubject=% UseCertificateRequestNameConstraints=% OtherNames=%, $(subst $(comma),$(space),$(FEATURE_GATES)))) feature_gates_cainjector := $(subst $(space),\$(comma),$(filter AllAlpha=% AllBeta=% ServerSideApply=%, $(subst $(comma),$(space),$(FEATURE_GATES)))) # Install cert-manager with E2E specific images and deployment settings. diff --git a/pkg/apis/certmanager/v1/types_certificate.go b/pkg/apis/certmanager/v1/types_certificate.go index 6fdf14ae6..3d73bf9e8 100644 --- a/pkg/apis/certmanager/v1/types_certificate.go +++ b/pkg/apis/certmanager/v1/types_certificate.go 
@@ -182,11 +182,12 @@ type CertificateSpec struct { // +optional URIs []string `json:"uris,omitempty"` - // Any String-like OID type using oid:x.x.x.x type and StringValue value can be used for `otherName`. - // `otherName` is an escape hatch for SAN that allows any type but we restrict to string like, cf RFC 5280 p 37 - // You should ensure that the OID is valid for the string type as we do not validate this. + // `otherNames` is an escape hatch for SAN that allows any type. We currently restrict the support to string like otherNames, cf RFC 5280 p 37 + // Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. + // Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 + // You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this. // +optional - OtherNameSANs []OtherNameSAN `json:"otherNameSANs,omitempty"` + OtherNames []OtherName `json:"otherNames,omitempty"` // Requested email subject alternative names. // +optional @@ -280,15 +281,15 @@ type CertificateSpec struct { NameConstraints *NameConstraints `json:"nameConstraints,omitempty"` } -type OtherNameSAN struct { +type OtherName struct { // OID is the object identifier for the otherName SAN. // The object identifier must be expressed as a dotted string, for - // example, "1.2.840.113549.1.9.1". + // example, "1.2.840.113556.1.4.221". OID string `json:"oid,omitempty"` // Utf8Value is the string value of the otherName SAN. // The string value represents a UTF-8 encoded asn1 value. - Utf8Value string `json:"utf8Value,omitempty"` + UTF8Value string `json:"UTF8Value,omitempty"` } // CertificatePrivateKey contains configuration options for private keys diff --git a/pkg/apis/certmanager/v1/zz_generated.deepcopy.go b/pkg/apis/certmanager/v1/zz_generated.deepcopy.go index 556f29ddd..e5cdbccb5 100644 --- a/pkg/apis/certmanager/v1/zz_generated.deepcopy.go 
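Review bot: The new JSON key `UTF8Value` breaks the lowerCamelCase convention every other key on this type follows (`oid`, `otherNames`, `uris`) and that Kubernetes API conventions expect; since the field is alpha and feature-gated, renaming now is cheap, and the validation hunk's field path still assumes `utf8Value` anyway. I would keep the Go name `UTF8Value` and tag it `json:"utf8Value,omitempty"`, mirroring that in the CRD schema. The doc comment also needs a wording fix ("can be passed with by setting" → "can be requested by setting") and, because it steers users to the UPN OID, a practitioner caveat along the lines of `// A UPN otherName is commonly consumed as a logon identity (e.g. Active Directory certificate logon); issuers should restrict which requesters may obtain certificates carrying one.` CertificateSpec continues outside this hunk.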
+++ b/pkg/apis/certmanager/v1/zz_generated.deepcopy.go @@ -431,9 +431,9 @@ func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) { *out = make([]string, len(*in)) copy(*out, *in) } - if in.OtherNameSANs != nil { - in, out := &in.OtherNameSANs, &out.OtherNameSANs - *out = make([]OtherNameSAN, len(*in)) + if in.OtherNames != nil { + in, out := &in.OtherNames, &out.OtherNames + *out = make([]OtherName, len(*in)) copy(*out, *in) } if in.EmailAddresses != nil { @@ -857,17 +857,17 @@ func (in *NameConstraints) DeepCopy() *NameConstraints { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OtherNameSAN) DeepCopyInto(out *OtherNameSAN) { +func (in *OtherName) DeepCopyInto(out *OtherName) { *out = *in return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherNameSAN. -func (in *OtherNameSAN) DeepCopy() *OtherNameSAN { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OtherName. +func (in *OtherName) DeepCopy() *OtherName { if in == nil { return nil } - out := new(OtherNameSAN) + out := new(OtherName) in.DeepCopyInto(out) return out } diff --git a/pkg/controller/certificates/requestmanager/requestmanager_controller.go b/pkg/controller/certificates/requestmanager/requestmanager_controller.go index adf79102c..7d59f9fc5 100644 --- a/pkg/controller/certificates/requestmanager/requestmanager_controller.go +++ b/pkg/controller/certificates/requestmanager/requestmanager_controller.go 
@@ -355,7 +355,7 @@ func (c *controller) createNewCertificateRequest(ctx context.Context, crt *cmapi pki.WithUseLiteralSubject(utilfeature.DefaultMutableFeatureGate.Enabled(feature.LiteralCertificateSubject)), pki.WithEncodeBasicConstraintsInRequest(utilfeature.DefaultMutableFeatureGate.Enabled(feature.UseCertificateRequestBasicConstraints)), pki.WithEncodeNameConstraintsInRequest(utilfeature.DefaultMutableFeatureGate.Enabled(feature.UseCertificateRequestNameConstraints)), - pki.WithEncodeOtherNameSANs(utilfeature.DefaultMutableFeatureGate.Enabled(feature.OtherNameSANs)), + pki.WithEncodeOtherNames(utilfeature.DefaultMutableFeatureGate.Enabled(feature.OtherNames)), ) if err != nil { log.Error(err, "Failed to generate CSR - will not retry") diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go index ab6646015..764d8a782 100644 --- a/pkg/util/pki/csr.go +++ b/pkg/util/pki/csr.go @@ -188,7 +188,7 @@ func BuildCertManagerKeyUsages(ku x509.KeyUsage, eku []x509.ExtKeyUsage) []v1.Ke type generateCSROptions struct { EncodeBasicConstraintsInRequest bool EncodeNameConstraintsInRequest bool - EncodeOtherNameSANs bool + EncodeOtherNames bool UseLiteralSubject bool } @@ -209,9 +209,9 @@ func WithEncodeNameConstraintsInRequest(encode bool) GenerateCSROption { } } -func WithEncodeOtherNameSANs(encodeOtherNameSANs bool) GenerateCSROption { +func WithEncodeOtherNames(encodeOtherNames bool) GenerateCSROption { return func(o *generateCSROptions) { - o.EncodeOtherNameSANs = encodeOtherNameSANs + o.EncodeOtherNames = encodeOtherNames } } @@ -229,7 +229,7 @@ func GenerateCSR(crt *v1.Certificate, optFuncs ...GenerateCSROption) (*x509.Cert opts := &generateCSROptions{ EncodeBasicConstraintsInRequest: false, EncodeNameConstraintsInRequest: false, - EncodeOtherNameSANs: false, + EncodeOtherNames: false, UseLiteralSubject: false, } for _, opt := range optFuncs { 
@@ -277,15 +277,15 @@ func GenerateCSR(crt *v1.Certificate, optFuncs ...GenerateCSROption) (*x509.Cert IPAddresses: ipAddresses, } - if opts.EncodeOtherNameSANs { - for _, otherName := range crt.Spec.OtherNameSANs { + if opts.EncodeOtherNames { + for _, otherName := range crt.Spec.OtherNames { oid, err := ParseObjectIdentifier(otherName.OID) if err != nil { return nil, err } value, err := MarshalUniversalValue(UniversalValue{ - Utf8String: otherName.Utf8Value, + Utf8String: otherName.UTF8Value, }) if err != nil { return nil, err diff --git a/pkg/util/pki/csr_test.go b/pkg/util/pki/csr_test.go index 6ff1b3e06..c7d6d72a0 100644 --- a/pkg/util/pki/csr_test.go +++ b/pkg/util/pki/csr_test.go @@ -409,7 +409,7 @@ func TestGenerateCSR(t *testing.T) { literalCertificateSubjectFeatureEnabled bool basicConstraintsFeatureEnabled bool nameConstraintsFeatureEnabled bool - encodeOtherNameSANsFeatureEnabled bool + encodeOtherNamesFeatureEnabled bool }{ { name: "Generate CSR from certificate with only DNS", @@ -538,10 +538,10 @@ func TestGenerateCSR(t *testing.T) { }, { name: "Generate CSR from certificate with a single otherNameSAN set to an oid (UPN)", // only a shallow validation is expected - crt: &cmapi.Certificate{Spec: cmapi.CertificateSpec{OtherNameSANs: []cmapi.OtherNameSAN{ + crt: &cmapi.Certificate{Spec: cmapi.CertificateSpec{OtherNames: []cmapi.OtherName{ { OID: "1.3.6.1.4.1.311.20.2.3", - Utf8Value: "user@example.org", + UTF8Value: "user@example.org", }, }}}, want: &x509.CertificateRequest{ 
@@ -562,20 +562,20 @@ func TestGenerateCSR(t *testing.T) { }, RawSubject: subjectGenerator(t, pkix.Name{}), }, - encodeOtherNameSANsFeatureEnabled: true, + encodeOtherNamesFeatureEnabled: true, }, { name: "Generate CSR from certificate with multiple valid otherName oids and emailSANs set", crt: &cmapi.Certificate{Spec: cmapi.CertificateSpec{ EmailAddresses: []string{"user@example.org", "alt-email@example.org"}, - OtherNameSANs: []cmapi.OtherNameSAN{ + OtherNames: []cmapi.OtherName{ { OID: "1.3.6.1.4.1.311.20.2.3", - Utf8Value: "user@example.org", + UTF8Value: "user@example.org", }, { OID: "1.2.840.113556.1.4.221", - Utf8Value: "user@example.org", + UTF8Value: "user@example.org", }, }}}, want: &x509.CertificateRequest{ @@ -601,14 +601,14 @@ func TestGenerateCSR(t *testing.T) { }, RawSubject: subjectGenerator(t, pkix.Name{}), }, - encodeOtherNameSANsFeatureEnabled: true, + encodeOtherNamesFeatureEnabled: true, }, { name: "Generate CSR from certificate with malformed otherName oid type", - crt: &cmapi.Certificate{Spec: cmapi.CertificateSpec{OtherNameSANs: []cmapi.OtherNameSAN{ + crt: &cmapi.Certificate{Spec: cmapi.CertificateSpec{OtherNames: []cmapi.OtherName{ { OID: "NOTANOID@garbage", - Utf8Value: "user@example.org", + UTF8Value: "user@example.org", }, }}}, wantErr: true, @@ -815,7 +815,7 @@ func TestGenerateCSR(t *testing.T) { tt.crt, WithEncodeBasicConstraintsInRequest(tt.basicConstraintsFeatureEnabled), WithEncodeNameConstraintsInRequest(tt.nameConstraintsFeatureEnabled), - WithEncodeOtherNameSANs(tt.encodeOtherNameSANsFeatureEnabled), + WithEncodeOtherNames(tt.encodeOtherNamesFeatureEnabled), WithUseLiteralSubject(tt.literalCertificateSubjectFeatureEnabled), ) if (err != nil) != tt.wantErr { diff --git a/test/e2e/suite/certificates/othernamesan.go b/test/e2e/suite/certificates/othernamesan.go index 7ac09f2dc..2ba9a8a0f 100644 --- a/test/e2e/suite/certificates/othernamesan.go +++ b/test/e2e/suite/certificates/othernamesan.go 
@@ -59,7 +59,7 @@ var _ = framework.CertManagerDescribe("othername san processing", func() { } f := framework.NewDefaultFramework("certificate-othername-san-processing") - createCertificate := func(f *framework.Framework, OtherNameSANs []cmapi.OtherNameSAN) (*cmapi.Certificate, error) { + createCertificate := func(f *framework.Framework, OtherNames []cmapi.OtherNameSAN) (*cmapi.Certificate, error) { crt := &cmapi.Certificate{ ObjectMeta: metav1.ObjectMeta{ GenerateName: testName + "-", @@ -71,11 +71,11 @@ var _ = framework.CertManagerDescribe("othername san processing", func() { IssuerRef: cmmeta.ObjectReference{ Name: issuerName, Kind: "Issuer", Group: "cert-manager.io", }, - OtherNameSANs: OtherNameSANs, + OtherNames: OtherNames, EmailAddresses: emailAddresses, }, } - By("creating Certificate with OtherNameSANs") + By("creating Certificate with OtherNames") return f.CertManagerClientSet.CertmanagerV1().Certificates(f.Namespace.Name).Create(context.Background(), crt, metav1.CreateOptions{}) }
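Review bot: The renamed parameter still takes `[]cmapi.OtherNameSAN`, but the v1 types hunk renames that type to `OtherName`, so this helper no longer compiles against the new API: it should read `createCertificate := func(f *framework.Framework, otherNames []cmapi.OtherName) (*cmapi.Certificate, error)` with `OtherNames: otherNames,` in the spec. Because e2e suites are typically not part of the default `go build ./...`, this is easy to miss until the suite actually runs; callers of this helper outside the hunk presumably construct `[]cmapi.OtherNameSAN{...}` literals and need the same rename. A lower-case parameter name also avoids the exported-looking local `OtherNames`. The enclosing Describe block starts and ends outside this hunk.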