Merge pull request #6300 from inteon/feature_gates_insecure_csr

Rename DontAllowInsecureCSRUsageDefinition feature flag and make it a Beta flag
jetstack-bot 2023-08-25 15:43:10 +02:00 committed by GitHub
commit 63cf4e0b1c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 17 additions and 17 deletions


@ -109,12 +109,12 @@ func validateCertificateRequestSpecRequest(crSpec *cmapi.CertificateRequestSpec,
return el return el
} }
// If DontAllowInsecureCSRUsageDefinition is disabled and usages is empty, // If DisallowInsecureCSRUsageDefinition is disabled and usages is empty,
// then we should allow the request to be created without requiring that the // then we should allow the request to be created without requiring that the
// CSR usages match the default usages, instead we only validate that the // CSR usages match the default usages, instead we only validate that the
// BasicConstraints are valid. // BasicConstraints are valid.
// TODO: simplify this logic when we remove the feature gate // TODO: simplify this logic when we remove the feature gate
if !utilfeature.DefaultMutableFeatureGate.Enabled(feature.DontAllowInsecureCSRUsageDefinition) && len(crSpec.Usages) == 0 { if !utilfeature.DefaultMutableFeatureGate.Enabled(feature.DisallowInsecureCSRUsageDefinition) && len(crSpec.Usages) == 0 {
_, err = pki.CertificateTemplateFromCSRPEM( _, err = pki.CertificateTemplateFromCSRPEM(
crSpec.Request, crSpec.Request,
pki.CertificateTemplateValidateAndOverrideBasicConstraints(crSpec.IsCA, nil), pki.CertificateTemplateValidateAndOverrideBasicConstraints(crSpec.IsCA, nil),


@ -110,12 +110,12 @@ const (
SecretsFilteredCaching featuregate.Feature = "SecretsFilteredCaching" SecretsFilteredCaching featuregate.Feature = "SecretsFilteredCaching"
// Owner: @inteon // Owner: @inteon
// GA: v1.13 // Beta: v1.13
// //
// DontAllowInsecureCSRUsageDefinition will prevent the webhook from allowing // DisallowInsecureCSRUsageDefinition will prevent the webhook from allowing
// CertificateRequest's usages to be only defined in the CSR, while leaving // CertificateRequest's usages to be only defined in the CSR, while leaving
// the usages field empty. // the usages field empty.
DontAllowInsecureCSRUsageDefinition featuregate.Feature = "DontAllowInsecureCSRUsageDefinition" DisallowInsecureCSRUsageDefinition featuregate.Feature = "DisallowInsecureCSRUsageDefinition"
) )
func init() { func init() {
@ -126,7 +126,7 @@ func init() {
// To add a new feature, define a key for it above and add it here. The features will be // To add a new feature, define a key for it above and add it here. The features will be
// available on the cert-manager controller binary. // available on the cert-manager controller binary.
var defaultCertManagerFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{ var defaultCertManagerFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
DontAllowInsecureCSRUsageDefinition: {Default: true, PreRelease: featuregate.GA}, DisallowInsecureCSRUsageDefinition: {Default: true, PreRelease: featuregate.Beta},
ValidateCAA: {Default: false, PreRelease: featuregate.Alpha}, ValidateCAA: {Default: false, PreRelease: featuregate.Alpha},
ExperimentalCertificateSigningRequestControllers: {Default: false, PreRelease: featuregate.Alpha}, ExperimentalCertificateSigningRequestControllers: {Default: false, PreRelease: featuregate.Alpha},
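Review bot: The doc comment on `DisallowInsecureCSRUsageDefinition` says what the gate prevents but not what switching it off permits, and with the move from GA to Beta in this section the gate is now presented as something operators may disable. I would add a line such as `// Disabling this gate restores the deprecated behaviour in which key usages are taken from the CSR when spec.usages is empty.` so the trade-off is visible where the gate is defined. The same constant, comment and `{Default: true, PreRelease: featuregate.Beta}` entry are repeated in the next file section (the `webhookFeatureGates` map), so the wording should be kept identical there. Because the gate's string value changes as well, a `--feature-gates` setting that uses the old name would presumably no longer be recognised; if the old name ever shipped in a release, that deserves a release note.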


@ -55,12 +55,12 @@ const (
LiteralCertificateSubject featuregate.Feature = "LiteralCertificateSubject" LiteralCertificateSubject featuregate.Feature = "LiteralCertificateSubject"
// Owner: @inteon // Owner: @inteon
// GA: v1.13 // Beta: v1.13
// //
// DontAllowInsecureCSRUsageDefinition will prevent the webhook from allowing // DisallowInsecureCSRUsageDefinition will prevent the webhook from allowing
// CertificateRequest's usages to be only defined in the CSR, while leaving // CertificateRequest's usages to be only defined in the CSR, while leaving
// the usages field empty. // the usages field empty.
DontAllowInsecureCSRUsageDefinition featuregate.Feature = "DontAllowInsecureCSRUsageDefinition" DisallowInsecureCSRUsageDefinition featuregate.Feature = "DisallowInsecureCSRUsageDefinition"
) )
func init() { func init() {
@ -75,7 +75,7 @@ func init() {
// //
// Where utilfeature is github.com/cert-manager/cert-manager/pkg/util/feature. // Where utilfeature is github.com/cert-manager/cert-manager/pkg/util/feature.
var webhookFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{ var webhookFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
DontAllowInsecureCSRUsageDefinition: {Default: true, PreRelease: featuregate.GA}, DisallowInsecureCSRUsageDefinition: {Default: true, PreRelease: featuregate.Beta},
AdditionalCertificateOutputFormats: {Default: false, PreRelease: featuregate.Alpha}, AdditionalCertificateOutputFormats: {Default: false, PreRelease: featuregate.Alpha},
LiteralCertificateSubject: {Default: false, PreRelease: featuregate.Alpha}, LiteralCertificateSubject: {Default: false, PreRelease: featuregate.Alpha},


@ -72,7 +72,7 @@ func NewCA(ctx *controllerpkg.Context) certificaterequests.Issuer {
secretsLister: ctx.KubeSharedInformerFactory.Secrets().Lister(), secretsLister: ctx.KubeSharedInformerFactory.Secrets().Lister(),
reporter: crutil.NewReporter(ctx.Clock, ctx.Recorder), reporter: crutil.NewReporter(ctx.Clock, ctx.Recorder),
templateGenerator: func(cr *cmapi.CertificateRequest) (*x509.Certificate, error) { templateGenerator: func(cr *cmapi.CertificateRequest) (*x509.Certificate, error) {
if !utilfeature.DefaultMutableFeatureGate.Enabled(feature.DontAllowInsecureCSRUsageDefinition) { if !utilfeature.DefaultMutableFeatureGate.Enabled(feature.DisallowInsecureCSRUsageDefinition) {
return pki.DeprecatedCertificateTemplateFromCertificateRequestAndAllowInsecureCSRUsageDefinition(cr) return pki.DeprecatedCertificateTemplateFromCertificateRequestAndAllowInsecureCSRUsageDefinition(cr)
} }


@ -150,7 +150,7 @@ func (s *SelfSigned) Sign(ctx context.Context, cr *cmapi.CertificateRequest, iss
} }
var template *x509.Certificate var template *x509.Certificate
if !utilfeature.DefaultMutableFeatureGate.Enabled(feature.DontAllowInsecureCSRUsageDefinition) { if !utilfeature.DefaultMutableFeatureGate.Enabled(feature.DisallowInsecureCSRUsageDefinition) {
template, err = pki.DeprecatedCertificateTemplateFromCertificateRequestAndAllowInsecureCSRUsageDefinition(cr) template, err = pki.DeprecatedCertificateTemplateFromCertificateRequestAndAllowInsecureCSRUsageDefinition(cr)
} else { } else {
template, err = pki.CertificateTemplateFromCertificateRequest(cr) template, err = pki.CertificateTemplateFromCertificateRequest(cr)


@ -177,7 +177,7 @@ func TestValidationCertificateRequests(t *testing.T) {
defer cancel() defer cancel()
// The default is true, but we set it here to make sure it was not changed by other tests // The default is true, but we set it here to make sure it was not changed by other tests
utilfeature.DefaultMutableFeatureGate.Set("DontAllowInsecureCSRUsageDefinition=true") utilfeature.DefaultMutableFeatureGate.Set("DisallowInsecureCSRUsageDefinition=true")
config, stop := framework.RunControlPlane(t, ctx) config, stop := framework.RunControlPlane(t, ctx)
defer stop() defer stop()
@ -203,10 +203,10 @@ func TestValidationCertificateRequests(t *testing.T) {
} }
} }
// TestValidationCertificateRequests_DontAllowInsecureCSRUsageDefinition_false makes sure that the // TestValidationCertificateRequests_DisallowInsecureCSRUsageDefinition_false makes sure that the
// validation webhook keeps working as before when the DontAllowInsecureCSRUsageDefinition feature // validation webhook keeps working as before when the DisallowInsecureCSRUsageDefinition feature
// gate is disabled. // gate is disabled.
func TestValidationCertificateRequests_DontAllowInsecureCSRUsageDefinition_false(t *testing.T) { func TestValidationCertificateRequests_DisallowInsecureCSRUsageDefinition_false(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
input runtime.Object input runtime.Object
errorSuffix string // is a suffix as the API server sends the whole value back in the error errorSuffix string // is a suffix as the API server sends the whole value back in the error
@ -338,7 +338,7 @@ func TestValidationCertificateRequests_DontAllowInsecureCSRUsageDefinition_false
ctx, cancel := context.WithTimeout(context.Background(), time.Second*40) ctx, cancel := context.WithTimeout(context.Background(), time.Second*40)
defer cancel() defer cancel()
utilfeature.DefaultMutableFeatureGate.Set("DontAllowInsecureCSRUsageDefinition=false") utilfeature.DefaultMutableFeatureGate.Set("DisallowInsecureCSRUsageDefinition=false")
config, stop := framework.RunControlPlane(t, ctx) config, stop := framework.RunControlPlane(t, ctx)
defer stop() defer stop()
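Review bot: The return value of `utilfeature.DefaultMutableFeatureGate.Set(...)` is dropped in both tests, so after a rename like this one a stale or mistyped gate name in the string would go unreported and the test would run with whatever value the gate already had. Checking it, e.g. `if err := utilfeature.DefaultMutableFeatureGate.Set("DisallowInsecureCSRUsageDefinition=false"); err != nil { t.Fatal(err) }`, makes that case fail loudly. The `_false` test also leaves the process-wide gate disabled when it returns; a `t.Cleanup` that sets it back to `true` would keep later tests in the same binary from running with the insecure CSR-usage path enabled. Both test functions continue outside the hunks shown.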