Add encode_usages_in_request to Certificate spec (fix #3301)

Signed-off-by: Raphaël Pinson <raphael.pinson@camptocamp.com>
2020-09-22 11:39:18 +02:00 · 2020-09-22 11:39:18 +02:00 · b2d719d6c3
commit b2d719d6c3
parent 31a146a4b1
7 changed files with 35 additions and 8 deletions
--- a/pkg/apis/certmanager/v1/types_certificate.go
+++ b/pkg/apis/certmanager/v1/types_certificate.go
@ -160,6 +160,11 @@ type CertificateSpec struct {
 	// Options to control private keys used for the Certificate.
 	// +optional
 	PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
+
+	// EncodeUsagesInRequest controls whether key usages should be present
+	// in the CertificateRequest
+	// +optional
+	EncodeUsagesInRequest *bool `json:"encodeUsagesInRequest,omitempty"`
 }

 // CertificatePrivateKey contains configuration options for private keys
--- a/pkg/apis/certmanager/v1alpha2/types_certificate.go
+++ b/pkg/apis/certmanager/v1alpha2/types_certificate.go
@ -188,6 +188,11 @@ type CertificateSpec struct {
 	// Options to control private keys used for the Certificate.
 	// +optional
 	PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
+
+	// EncodeUsagesInRequest controls whether key usages should be present
+	// in the CertificateRequest
+	// +optional
+	EncodeUsagesInRequest *bool `json:"encodeUsagesInRequest,omitempty"`
 }

 // CertificatePrivateKey contains configuration options for private keys
--- a/pkg/apis/certmanager/v1alpha3/types_certificate.go
+++ b/pkg/apis/certmanager/v1alpha3/types_certificate.go
@ -186,6 +186,11 @@ type CertificateSpec struct {
 	// Options to control private keys used for the Certificate.
 	// +optional
 	PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
+
+	// EncodeUsagesInRequest controls whether key usages should be present
+	// in the CertificateRequest
+	// +optional
+	EncodeUsagesInRequest *bool `json:"encodeUsagesInRequest,omitempty"`
 }

 // CertificatePrivateKey contains configuration options for private keys
--- a/pkg/apis/certmanager/v1beta1/types_certificate.go
+++ b/pkg/apis/certmanager/v1beta1/types_certificate.go
@ -159,6 +159,11 @@ type CertificateSpec struct {
 	// Options to control private keys used for the Certificate.
 	// +optional
 	PrivateKey *CertificatePrivateKey `json:"privateKey,omitempty"`
+
+	// EncodeUsagesInRequest controls whether key usages should be present
+	// in the CertificateRequest
+	// +optional
+	EncodeUsagesInRequest *bool `json:"encodeUsagesInRequest,omitempty"`
 }

 // CertificatePrivateKey contains configuration options for private keys
--- a/pkg/internal/apis/certmanager/types_certificate.go
+++ b/pkg/internal/apis/certmanager/types_certificate.go
@ -142,6 +142,10 @@ type CertificateSpec struct {

 	// Options to control private keys used for the Certificate.
 	PrivateKey *CertificatePrivateKey
+
+	// EncodeUsagesInRequest controls whether key usages should be present
+	// in the CertificateRequest
+	EncodeUsagesInRequest *bool
 }

 // CertificatePrivateKey contains configuration options for private keys
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@ -202,9 +202,12 @@ func GenerateCSR(crt *v1.Certificate) (*x509.CertificateRequest, error) {
 		return nil, err
 	}

-	extraExtensions, err := extensionsForCertificate(crt)
-	if err != nil {
-		return nil, err
+	var extraExtensions []pkix.Extension
+	if crt.Spec.EncodeUsagesInRequest == nil || *crt.Spec.EncodeUsagesInRequest {
+		extraExtensions, err = buildKeyUsagesExtensionsForCertificate(crt)
+		if err != nil {
+			return nil, err
+		}
 	}

 	return &x509.CertificateRequest{
@ -230,7 +233,7 @@ func GenerateCSR(crt *v1.Certificate) (*x509.CertificateRequest, error) {
 	}, nil
 }

-func extensionsForCertificate(crt *v1.Certificate) ([]pkix.Extension, error) {
+func buildKeyUsagesExtensionsForCertificate(crt *v1.Certificate) ([]pkix.Extension, error) {
 	ku, ekus, err := BuildKeyUsages(crt.Spec.Usages, crt.Spec.IsCA)
 	if err != nil {
 		return nil, fmt.Errorf("failed to build key usages: %w", err)
--- a/pkg/util/pki/csr_test.go
+++ b/pkg/util/pki/csr_test.go
@ -467,7 +467,7 @@ func TestGenerateCSR(t *testing.T) {
 	}
 }

-func Test_extensionsForCertificate(t *testing.T) {
+func Test_buildKeyUsagesExtensionsForCertificate(t *testing.T) {
 	// 0xa0 = DigitalSignature and Encipherment usage
 	asn1DefaultKeyUsage, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0xa0}, BitLength: asn1BitLength([]byte{0xa0})})
 	if err != nil {
@ -542,13 +542,13 @@ func Test_extensionsForCertificate(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := extensionsForCertificate(tt.crt)
+			got, err := buildKeyUsagesExtensionsForCertificate(tt.crt)
 			if (err != nil) != tt.wantErr {
-				t.Errorf("extensionsForCertificate() error = %v, wantErr %v", err, tt.wantErr)
+				t.Errorf("buildKeyUsagesExtensionsForCertificate() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("extensionsForCertificate() got = %v, want %v", got, tt.want)
+				t.Errorf("buildKeyUsagesExtensionsForCertificate() got = %v, want %v", got, tt.want)
 			}
 		})
 	}