diff --git a/internal/apis/certmanager/validation/certificate.go b/internal/apis/certmanager/validation/certificate.go
index 5c9708c80..2090885b4 100644
--- a/internal/apis/certmanager/validation/certificate.go
+++ b/internal/apis/certmanager/validation/certificate.go
@@ -59,8 +59,8 @@ func ValidateCertificateSpec(crt *internalcmapi.CertificateSpec, fldPath *field.
 el = append(el, field.Forbidden(fldPath.Child("literalSubject"), "Feature gate LiteralCertificateSubject must be enabled on both webhook and controller to use the alpha `literalSubject` field"))
 }
- if len(crt.CommonName) != 0 {
- el = append(el, field.Invalid(fldPath.Child("commonName"), crt.CommonName, "When providing a `LiteralSubject` no `commonName` may be provided."))
+ if len(commonName) != 0 {
+ el = append(el, field.Invalid(fldPath.Child("commonName"), commonName, "When providing a `LiteralSubject` no `commonName` may be provided."))
 }
 if crt.Subject != nil && (len(crt.Subject.Organizations) > 0 ||
@@ -108,12 +108,12 @@ func ValidateCertificateSpec(crt *internalcmapi.CertificateSpec, fldPath *field.
 len(crt.EmailAddresses) == 0 &&
 len(crt.IPAddresses) == 0 &&
 len(crt.OtherNames) == 0 {
- el = append(el, field.Invalid(fldPath, "", "at least one of commonName, dnsNames, uriSANs, ipAddresses, emailSANs or otherNames must be set"))
+ el = append(el, field.Invalid(fldPath, "", "at least one of commonName (from the commonName field or from a literalSubject), dnsNames, uriSANs, ipAddresses, emailSANs or otherNames must be set"))
 }
 // if a common name has been specified, ensure it is no longer than 64 chars
 if len(commonName) > 64 {
- el = append(el, field.TooLong(fldPath.Child("commonName"), crt.CommonName, 64))
+ el = append(el, field.TooLong(fldPath.Child("commonName"), commonName, 64))
 }
 if len(crt.IPAddresses) > 0 {
diff --git a/internal/apis/certmanager/validation/certificate_test.go b/internal/apis/certmanager/validation/certificate_test.go
index 6d3791d2e..cb2927032 100644
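Review bot: The `literalSubject` exclusivity guard at `if len(commonName) != 0 {` now reads a local instead of the spec field, and the reworded message in the second hunk says `commonName` can also come from a literalSubject. Where the local is assigned is outside this hunk, so this cannot be confirmed here, but if it is ever populated from the literalSubject before this guard runs, every literalSubject that carries a CN would be rejected by the webhook. The rule being enforced is about the user-supplied field, so `if len(crt.CommonName) != 0 {` expresses it without depending on statement order. If the local is kept, add a comment such as `// must run before commonName is overwritten from literalSubject`.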
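Review bot: The `field.TooLong` error still points at `fldPath.Child("commonName")`, although the value it reports can now come from the literalSubject, as the reworded message a few lines above states. A user who set only `literalSubject` would be told that a `commonName` field they never set is too long, and anything that keys on the field path would flag the wrong field. Consider picking the path from the source of the value, for example `fldPath.Child("literalSubject")` when `crt.LiteralSubject != ""`, while keeping the 64-character limit on the effective CN. The enclosing function starts and ends outside the hunk.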
--- a/internal/apis/certmanager/validation/certificate_test.go
+++ b/internal/apis/certmanager/validation/certificate_test.go
@@ -165,7 +165,7 @@ func TestValidateCertificate(t *testing.T) {
 },
 a: someAdmissionRequest,
 errs: []*field.Error{
- field.Invalid(fldPath, "", "at least one of commonName, dnsNames, uriSANs, ipAddresses, emailSANs or otherNames must be set"),
+ field.Invalid(fldPath, "", "at least one of commonName (from the commonName field or from a literalSubject), dnsNames, uriSANs, ipAddresses, emailSANs or otherNames must be set"),
 },
 },
 "certificate with no issuerRef": {
@@ -1061,7 +1061,7 @@ func Test_validateLiteralSubject(t *testing.T) {
 },
 a: someAdmissionRequest,
 errs: []*field.Error{
- field.Invalid(fldPath, "", "at least one of commonName, dnsNames, uriSANs, ipAddresses, emailSANs or otherNames must be set"),
+ field.Invalid(fldPath, "", "at least one of commonName (from the commonName field or from a literalSubject), dnsNames, uriSANs, ipAddresses, emailSANs or otherNames must be set"),
 },
 },
 "invalid with a `literalSubject` and any `Subject` other than serialNumber": {
diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index a0c14c2b2..7e3d01fac 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -231,7 +231,7 @@ func GenerateCSR(crt *v1.Certificate, optFuncs ...GenerateCSROption) (*x509.Cert
 }
 if len(commonName) == 0 && sans.Empty() {
- return nil, fmt.Errorf("no common name, DNS name, URI SAN, Email SAN, IP or OtherName SAN specified on certificate")
+ return nil, fmt.Errorf("no common name (from the commonName field or from a literalSubject), DNS name, URI SAN, Email SAN, IP or OtherName SAN specified on certificate")
 }
 pubKeyAlgo, sigAlgo, err := SignatureAlgorithm(crt)