From e33e28c4fd05729701765c193a97b52b12c1d80c Mon Sep 17 00:00:00 2001 From: Joshua Mathianas Date: Wed, 15 Jan 2020 12:28:00 -0500 Subject: [PATCH 1/5] add backwards compatability for using existing common name or organization if x509name ones are not set add ability to specify more subject attributes for csr Signed-off-by: Joshua Mathianas --- .../cert-manager/crds/certificates.yaml | 40 +++++++++++++ deploy/manifests/00-crds.yaml | 40 +++++++++++++ .../certmanager/v1alpha2/types_certificate.go | 20 +++++++ .../v1alpha2/zz_generated.deepcopy.go | 56 +++++++++++++++++++ .../apis/certmanager/types_certificate.go | 20 +++++++ .../v1alpha2/zz_generated.conversion.go | 48 ++++++++++++++++ .../apis/certmanager/zz_generated.deepcopy.go | 56 +++++++++++++++++++ pkg/util/pki/csr.go | 44 ++++++++++++--- 8 files changed, 316 insertions(+), 8 deletions(-) diff --git a/deploy/charts/cert-manager/crds/certificates.yaml b/deploy/charts/cert-manager/crds/certificates.yaml index afb884b69..18e6b2b99 100644 --- a/deploy/charts/cert-manager/crds/certificates.yaml +++ b/deploy/charts/cert-manager/crds/certificates.yaml @@ -190,6 +190,46 @@ spec: - ocsp signing - microsoft sgc - netscape sgc + x509Name: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + If specified, overrides any other name elements below. + type: object + properties: + commonName: + type: string + country: + description: Country/Region + type: array + items: + type: string + locality: + description: City + type: array + items: + type: string + organization: + type: array + items: + type: string + organizationalUnit: + type: array + items: + type: string + postalCode: + type: array + items: + type: string + province: + description: State/Province + type: array + items: + type: string + serialNumber: + type: string + streetAddress: + type: array + items: + type: string status: description: CertificateStatus defines the observed state of Certificate type: object 
diff --git a/deploy/manifests/00-crds.yaml b/deploy/manifests/00-crds.yaml index 21c5565c7..94fac9527 100644 --- a/deploy/manifests/00-crds.yaml +++ b/deploy/manifests/00-crds.yaml @@ -381,6 +381,46 @@ spec: - ocsp signing - microsoft sgc - netscape sgc + x509Name: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + If specified, overrides any other name elements below. + type: object + properties: + commonName: + type: string + country: + description: Country/Region + type: array + items: + type: string + locality: + description: City + type: array + items: + type: string + organization: + type: array + items: + type: string + organizationalUnit: + type: array + items: + type: string + postalCode: + type: array + items: + type: string + province: + description: State/Province + type: array + items: + type: string + serialNumber: + type: string + streetAddress: + type: array + items: + type: string status: description: CertificateStatus defines the observed state of Certificate type: object diff --git a/pkg/apis/certmanager/v1alpha2/types_certificate.go b/pkg/apis/certmanager/v1alpha2/types_certificate.go index b453dd504..3d3a0519c 100644 --- a/pkg/apis/certmanager/v1alpha2/types_certificate.go +++ b/pkg/apis/certmanager/v1alpha2/types_certificate.go @@ -72,6 +72,11 @@ const ( // A valid Certificate requires at least one of a CommonName, DNSName, or // URISAN to be valid. type CertificateSpec struct { + // Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + // If specified, overrides any other name elements below. + // +optional + X509Name *X509DistinguishedName `json:"x509Name,omitempty"` + // CommonName is a common name to be used on the Certificate. // The CommonName should have a length of 64 characters or fewer to avoid // generating invalid CSRs. 
@@ -145,6 +150,21 @@ type CertificateSpec struct { KeyEncoding KeyEncoding `json:"keyEncoding,omitempty"` } +type X509DistinguishedName struct { + // Country/Region + Country []string `json:"country,omitempty"` + Organization []string `json:"organization,omitempty"` + OrganizationalUnit []string `json:"organizationalUnit,omitempty"` + // City + Locality []string `json:"locality,omitempty"` + // State/Province + Province []string `json:"province,omitempty"` + StreetAddress []string `json:"streetAddress,omitempty"` + PostalCode []string `json:"postalCode,omitempty"` + SerialNumber string `json:"serialNumber,omitempty"` + CommonName string `json:"commonName,omitempty"` +} + // CertificateStatus defines the observed state of Certificate type CertificateStatus struct { // +optional diff --git a/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go index 8f58c82d5..0419225ef 100644 --- a/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go +++ b/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go @@ -277,6 +277,11 @@ func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) { *out = *in + if in.X509Name != nil { + in, out := &in.X509Name, &out.X509Name + *out = new(X509DistinguishedName) + (*in).DeepCopyInto(*out) + } if in.Organization != nil { in, out := &in.Organization, &out.Organization *out = make([]string, len(*in)) 
@@ -752,3 +757,54 @@ func (in *VenafiTPP) DeepCopy() *VenafiTPP { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *X509DistinguishedName) DeepCopyInto(out *X509DistinguishedName) { + *out = *in + if in.Country != nil { + in, out := &in.Country, &out.Country + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Organization != nil { + in, out := &in.Organization, &out.Organization + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.OrganizationalUnit != nil { + in, out := &in.OrganizationalUnit, &out.OrganizationalUnit + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Locality != nil { + in, out := &in.Locality, &out.Locality + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Province != nil { + in, out := &in.Province, &out.Province + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.StreetAddress != nil { + in, out := &in.StreetAddress, &out.StreetAddress + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.PostalCode != nil { + in, out := &in.PostalCode, &out.PostalCode + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509DistinguishedName. +func (in *X509DistinguishedName) DeepCopy() *X509DistinguishedName { + if in == nil { + return nil + } + out := new(X509DistinguishedName) + in.DeepCopyInto(out) + return out +} diff --git a/pkg/internal/apis/certmanager/types_certificate.go b/pkg/internal/apis/certmanager/types_certificate.go index 32f010ee9..0ebfaec8f 100644 --- a/pkg/internal/apis/certmanager/types_certificate.go +++ b/pkg/internal/apis/certmanager/types_certificate.go 
@@ -59,6 +59,11 @@ const ( // CertificateSpec defines the desired state of Certificate type CertificateSpec struct { + // Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + // If specified, overrides any other name elements below. + // +optional + X509Name *X509DistinguishedName `json:"x509Name,omitempty"` + // A valid Certificate requires at least one of a CommonName, DNSName, or // URISAN to be valid. @@ -135,6 +140,21 @@ type CertificateSpec struct { KeyEncoding KeyEncoding `json:"keyEncoding,omitempty"` } +type X509DistinguishedName struct { + // Country/Region + Country []string `json:"country,omitempty"` + Organization []string `json:"organization,omitempty"` + OrganizationalUnit []string `json:"organizationalUnit,omitempty"` + // City + Locality []string `json:"locality,omitempty"` + // State/Province + Province []string `json:"province,omitempty"` + StreetAddress []string `json:"streetAddress,omitempty"` + PostalCode []string `json:"postalCode,omitempty"` + SerialNumber string `json:"serialNumber,omitempty"` + CommonName string `json:"commonName,omitempty"` +} + // CertificateStatus defines the observed state of Certificate type CertificateStatus struct { // +optional diff --git a/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go b/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go index 9f8ce7d17..2072bb9e9 100644 --- a/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go +++ b/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go 
@@ -311,6 +311,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddGeneratedConversionFunc((*v1alpha2.X509DistinguishedName)(nil), (*certmanager.X509DistinguishedName)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha2_X509DistinguishedName_To_certmanager_X509DistinguishedName(a.(*v1alpha2.X509DistinguishedName), b.(*certmanager.X509DistinguishedName), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*certmanager.X509DistinguishedName)(nil), (*v1alpha2.X509DistinguishedName)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_certmanager_X509DistinguishedName_To_v1alpha2_X509DistinguishedName(a.(*certmanager.X509DistinguishedName), b.(*v1alpha2.X509DistinguishedName), scope) + }); err != nil { + return err + } return nil } @@ -559,6 +569,7 @@ func Convert_certmanager_CertificateRequestStatus_To_v1alpha2_CertificateRequest } func autoConvert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec(in *v1alpha2.CertificateSpec, out *certmanager.CertificateSpec, s conversion.Scope) error { + out.X509Name = (*certmanager.X509DistinguishedName)(unsafe.Pointer(in.X509Name)) out.CommonName = in.CommonName out.Organization = *(*[]string)(unsafe.Pointer(&in.Organization)) out.Duration = (*v1.Duration)(unsafe.Pointer(in.Duration)) @@ -585,6 +596,7 @@ func Convert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec(in *v1alpha } func autoConvert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec(in *certmanager.CertificateSpec, out *v1alpha2.CertificateSpec, s conversion.Scope) error { + out.X509Name = (*v1alpha2.X509DistinguishedName)(unsafe.Pointer(in.X509Name)) out.CommonName = in.CommonName out.Organization = *(*[]string)(unsafe.Pointer(&in.Organization)) out.Duration = (*v1.Duration)(unsafe.Pointer(in.Duration)) 
@@ -1057,3 +1069,39 @@ func autoConvert_certmanager_VenafiTPP_To_v1alpha2_VenafiTPP(in *certmanager.Ven func Convert_certmanager_VenafiTPP_To_v1alpha2_VenafiTPP(in *certmanager.VenafiTPP, out *v1alpha2.VenafiTPP, s conversion.Scope) error { return autoConvert_certmanager_VenafiTPP_To_v1alpha2_VenafiTPP(in, out, s) } + +func autoConvert_v1alpha2_X509DistinguishedName_To_certmanager_X509DistinguishedName(in *v1alpha2.X509DistinguishedName, out *certmanager.X509DistinguishedName, s conversion.Scope) error { + out.Country = *(*[]string)(unsafe.Pointer(&in.Country)) + out.Organization = *(*[]string)(unsafe.Pointer(&in.Organization)) + out.OrganizationalUnit = *(*[]string)(unsafe.Pointer(&in.OrganizationalUnit)) + out.Locality = *(*[]string)(unsafe.Pointer(&in.Locality)) + out.Province = *(*[]string)(unsafe.Pointer(&in.Province)) + out.StreetAddress = *(*[]string)(unsafe.Pointer(&in.StreetAddress)) + out.PostalCode = *(*[]string)(unsafe.Pointer(&in.PostalCode)) + out.SerialNumber = in.SerialNumber + out.CommonName = in.CommonName + return nil +} + +// Convert_v1alpha2_X509DistinguishedName_To_certmanager_X509DistinguishedName is an autogenerated conversion function. 
+func Convert_v1alpha2_X509DistinguishedName_To_certmanager_X509DistinguishedName(in *v1alpha2.X509DistinguishedName, out *certmanager.X509DistinguishedName, s conversion.Scope) error { + return autoConvert_v1alpha2_X509DistinguishedName_To_certmanager_X509DistinguishedName(in, out, s) +} + +func autoConvert_certmanager_X509DistinguishedName_To_v1alpha2_X509DistinguishedName(in *certmanager.X509DistinguishedName, out *v1alpha2.X509DistinguishedName, s conversion.Scope) error { + out.Country = *(*[]string)(unsafe.Pointer(&in.Country)) + out.Organization = *(*[]string)(unsafe.Pointer(&in.Organization)) + out.OrganizationalUnit = *(*[]string)(unsafe.Pointer(&in.OrganizationalUnit)) + out.Locality = *(*[]string)(unsafe.Pointer(&in.Locality)) + out.Province = *(*[]string)(unsafe.Pointer(&in.Province)) + out.StreetAddress = *(*[]string)(unsafe.Pointer(&in.StreetAddress)) + out.PostalCode = *(*[]string)(unsafe.Pointer(&in.PostalCode)) + out.SerialNumber = in.SerialNumber + out.CommonName = in.CommonName + return nil +} + +// Convert_certmanager_X509DistinguishedName_To_v1alpha2_X509DistinguishedName is an autogenerated conversion function. +func Convert_certmanager_X509DistinguishedName_To_v1alpha2_X509DistinguishedName(in *certmanager.X509DistinguishedName, out *v1alpha2.X509DistinguishedName, s conversion.Scope) error { + return autoConvert_certmanager_X509DistinguishedName_To_v1alpha2_X509DistinguishedName(in, out, s) +} diff --git a/pkg/internal/apis/certmanager/zz_generated.deepcopy.go b/pkg/internal/apis/certmanager/zz_generated.deepcopy.go index 6255768fc..c065bbc56 100644 --- a/pkg/internal/apis/certmanager/zz_generated.deepcopy.go +++ b/pkg/internal/apis/certmanager/zz_generated.deepcopy.go 
@@ -277,6 +277,11 @@ func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) { *out = *in + if in.X509Name != nil { + in, out := &in.X509Name, &out.X509Name + *out = new(X509DistinguishedName) + (*in).DeepCopyInto(*out) + } if in.Organization != nil { in, out := &in.Organization, &out.Organization *out = make([]string, len(*in)) 
@@ -752,3 +757,54 @@ func (in *VenafiTPP) DeepCopy() *VenafiTPP { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *X509DistinguishedName) DeepCopyInto(out *X509DistinguishedName) { + *out = *in + if in.Country != nil { + in, out := &in.Country, &out.Country + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Organization != nil { + in, out := &in.Organization, &out.Organization + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.OrganizationalUnit != nil { + in, out := &in.OrganizationalUnit, &out.OrganizationalUnit + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Locality != nil { + in, out := &in.Locality, &out.Locality + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Province != nil { + in, out := &in.Province, &out.Province + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.StreetAddress != nil { + in, out := &in.StreetAddress, &out.StreetAddress + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.PostalCode != nil { + in, out := &in.PostalCode, &out.PostalCode + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509DistinguishedName. +func (in *X509DistinguishedName) DeepCopy() *X509DistinguishedName { + if in == nil { + return nil + } + out := new(X509DistinguishedName) + in.DeepCopyInto(out) + return out +} diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go index 6256a22bc..05dae3dad 100644 --- a/pkg/util/pki/csr.go +++ b/pkg/util/pki/csr.go 
@@ -124,14 +124,28 @@ Outer:
 const defaultOrganization = "cert-manager"
 // OrganizationForCertificate will return the Organization to set for the
-// Certificate resource.
+// Certificate resource or if X509Name.Organization is set will return that
 // If an Organization is not specifically set, a default will be used.
 func OrganizationForCertificate(crt *v1alpha2.Certificate) []string {
- if len(crt.Spec.Organization) == 0 {
+ if len(crt.Spec.Organization) == 0 && len(crt.Spec.X509Name.Organization) == 0 {
 return []string{defaultOrganization}
 }
- return crt.Spec.Organization
+ if len(crt.Spec.X509Name.Organization) == 0 {
+ return crt.Spec.Organization
+ }
+
+ return crt.Spec.X509Name.Organization
+}
+
+// CommonNameForCertificate will return the CommonName to set for the
+// Certificate resource or if X509Name.CommonName is set will return that
+func CommonNameForCertificate(crt *v1alpha2.Certificate) string {
+ if len(crt.Spec.X509Name.CommonName) == 0 {
+ return crt.Spec.CommonName
+ }
+
+ return crt.Spec.X509Name.CommonName
 }
 var serialNumberLimit = new(big.Int).Lsh(big.NewInt(1), 128)
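Review bot: `crt.Spec.X509Name` is declared `*X509DistinguishedName` with `+optional`/`omitempty`, but OrganizationForCertificate reads `crt.Spec.X509Name.Organization` and CommonNameForCertificate reads `crt.Spec.X509Name.CommonName` without a nil check, so any existing Certificate that does not set `x509Name` — the backwards-compatible case the commit is meant to cover — hits a nil pointer dereference here. The `&&` in the first condition only protects the case where Organization is already set; the second `if` dereferences unconditionally. A guard clause in front of the existing fallback avoids both: `if crt.Spec.X509Name != nil && len(crt.Spec.X509Name.Organization) > 0 {` / `return crt.Spec.X509Name.Organization` / `}`, with the two `X509Name` conditions dropped from the lines below it, and likewise `if crt.Spec.X509Name == nil || len(crt.Spec.X509Name.CommonName) == 0 {` in CommonNameForCertificate. The same unguarded reads appear in GenerateCSR in the next hunk and, after the field is renamed to `Subject` in patch 2/5, in GenerateCSR and GenerateTemplate there.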
@@ -164,9 +178,16 @@ func BuildKeyUsages(usages []v1alpha2.KeyUsage, isCA bool) (ku x509.KeyUsage, ek
 // The CSR will not be signed, and should be passed to either EncodeCSR or
 // to the x509.CreateCertificateRequest function.
 func GenerateCSR(crt *v1alpha2.Certificate) (*x509.CertificateRequest, error) {
- commonName := crt.Spec.CommonName
- iPAddresses := IPAddressesForCertificate(crt)
+ country := crt.Spec.X509Name.Country
 organization := OrganizationForCertificate(crt)
+ organizationalUnit := crt.Spec.X509Name.OrganizationalUnit
+ locality := crt.Spec.X509Name.Locality
+ province := crt.Spec.X509Name.Province
+ streetAddress := crt.Spec.X509Name.StreetAddress
+ postalCode := crt.Spec.X509Name.PostalCode
+ serialNumber := crt.Spec.X509Name.SerialNumber
+ commonName := CommonNameForCertificate(crt)
+ iPAddresses := IPAddressesForCertificate(crt)
 dnsNames, err := DNSNamesForCertificate(crt)
 if err != nil {
@@ -192,8 +213,15 @@ func GenerateCSR(crt *v1alpha2.Certificate) (*x509.CertificateRequest, error) {
 SignatureAlgorithm: sigAlgo,
 PublicKeyAlgorithm: pubKeyAlgo,
 Subject: pkix.Name{
- Organization: organization,
- CommonName: commonName,
+ Country: country,
+ Organization: organization,
+ OrganizationalUnit: organizationalUnit,
+ Locality: locality,
+ Province: province,
+ StreetAddress: streetAddress,
+ PostalCode: postalCode,
+ SerialNumber: serialNumber,
+ CommonName: commonName,
 },
 DNSNames: dnsNames,
 IPAddresses: iPAddresses,
@@ -208,7 +236,7 @@ func GenerateCSR(crt *v1alpha2.Certificate) (*x509.CertificateRequest, error) {
 // generated by GenerateCSR.
 // The PublicKey field must be populated by the caller.
 func GenerateTemplate(crt *v1alpha2.Certificate) (*x509.Certificate, error) {
- commonName := crt.Spec.CommonName
+ commonName := CommonNameForCertificate(crt)
 dnsNames := crt.Spec.DNSNames
 ipAddresses := IPAddressesForCertificate(crt)
 organization := OrganizationForCertificate(crt)
From b096e0f0afbfff1bdfb4965d6b83122d6dc7d491 Mon Sep 17 00:00:00 2001
From: Joshua Mathianas
Date: Thu, 16 Jan 2020 09:41:16 -0500
Subject: [PATCH 2/5] Made requested changes from review
Signed-off-by: Joshua Mathianas
---
 .../certmanager/v1alpha2/types_certificate.go | 39 ++++++++----- .../apis/certmanager/types_certificate.go | 36 +++++++----- pkg/util/pki/csr.go | 58 +++++++------------ 3 files changed, 69 insertions(+), 64 deletions(-)
diff --git a/pkg/apis/certmanager/v1alpha2/types_certificate.go b/pkg/apis/certmanager/v1alpha2/types_certificate.go
index 3d3a0519c..1a0a7e69e 100644
--- a/pkg/apis/certmanager/v1alpha2/types_certificate.go
+++ b/pkg/apis/certmanager/v1alpha2/types_certificate.go
@@ -73,9 +73,8 @@ const (
 // URISAN to be valid.
 type CertificateSpec struct {
 // Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name).
- // If specified, overrides any other name elements below.
 // +optional
- X509Name *X509DistinguishedName `json:"x509Name,omitempty"`
+ Subject *X509Subject `json:"subject,omitempty"`
 // CommonName is a common name to be used on the Certificate.
 // The CommonName should have a length of 64 characters or fewer to avoid
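Review bot: The doc comment on the new `Subject` field does not start with the field name, and with the "overrides any other name elements" sentence removed it no longer says how `subject` relates to the `CommonName` and `Organization` fields that stay on CertificateSpec. Suggest `// Subject holds the remaining X509 subject attributes (https://golang.org/pkg/crypto/x509/pkix/#Name); CommonName and Organization are taken from the fields of those names on this spec.` The CRD descriptions in patch 3/5 appear to be generated from these comments, so the schema text would follow on regeneration.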
@@ -150,19 +149,29 @@ type CertificateSpec struct {
 KeyEncoding KeyEncoding `json:"keyEncoding,omitempty"`
 }
-type X509DistinguishedName struct {
- // Country/Region
- Country []string `json:"country,omitempty"`
- Organization []string `json:"organization,omitempty"`
- OrganizationalUnit []string `json:"organizationalUnit,omitempty"`
- // City
- Locality []string `json:"locality,omitempty"`
- // State/Province
- Province []string `json:"province,omitempty"`
- StreetAddress []string `json:"streetAddress,omitempty"`
- PostalCode []string `json:"postalCode,omitempty"`
- SerialNumber string `json:"serialNumber,omitempty"`
- CommonName string `json:"commonName,omitempty"`
+// X509Subject Full X509 name specification
+type X509Subject struct {
+ // Countries to be used on the Certificate.
+ // +optional
+ Countries []string `json:"country,omitempty"`
+ // Organizational Units to be used on the Certificate.
+ // +optional
+ OrganizationalUnits []string `json:"organizationalUnit,omitempty"`
+ // Cities to be used on the Certificate.
+ // +optional
+ Localities []string `json:"locality,omitempty"`
+ // State/Provinces to be used on the Certificate.
+ // +optional
+ Provinces []string `json:"province,omitempty"`
+ // Street addresses to be used on the Certificate.
+ // +optional
+ StreetAddresses []string `json:"streetAddress,omitempty"`
+ // Postal codes to be used on the Certificate.
+ // +optional
+ PostalCodes []string `json:"postalCode,omitempty"`
+ // Serial number to be used on the Certificate.
+ // +optional
+ SerialNumber string `json:"serialNumber,omitempty"`
 }
 // CertificateStatus defines the observed state of Certificate
diff --git a/pkg/internal/apis/certmanager/types_certificate.go b/pkg/internal/apis/certmanager/types_certificate.go
index 0ebfaec8f..0dfe61bd3 100644
--- a/pkg/internal/apis/certmanager/types_certificate.go
+++ b/pkg/internal/apis/certmanager/types_certificate.go
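Review bot: Nothing bounds the new subject attributes, so a Certificate can request a CSR whose subject violates RFC 5280 — `countryName` is a two-character PrintableString (ub-country-name-alpha-length = 2) and the other attributes carry upper bounds (64 for organizational-unit-name and serial-number, 128 for locality and state, 16 for postal code); as far as I can see crypto/x509 does not check these when it marshals the Subject, so the issuer is the first thing to fail. At minimum document the constraint the way CommonName already does, e.g. on Countries `// Each entry should be a two-letter ISO 3166-1 country code; other lengths produce CSRs that conforming issuers reject.`, and enforce the lengths wherever Certificate specs are validated. `// X509Subject Full X509 name specification` is also not a sentence, and the type is no longer a full name since CommonName and Organization live on CertificateSpec: `// X509Subject holds the subject attributes other than CommonName and Organization.` The internal copy of the type in the next file of this patch needs the same two changes.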
@@ -140,19 +140,29 @@ type CertificateSpec struct { KeyEncoding KeyEncoding `json:"keyEncoding,omitempty"` } -type X509DistinguishedName struct { - // Country/Region - Country []string `json:"country,omitempty"` - Organization []string `json:"organization,omitempty"` - OrganizationalUnit []string `json:"organizationalUnit,omitempty"` - // City - Locality []string `json:"locality,omitempty"` - // State/Province - Province []string `json:"province,omitempty"` - StreetAddress []string `json:"streetAddress,omitempty"` - PostalCode []string `json:"postalCode,omitempty"` - SerialNumber string `json:"serialNumber,omitempty"` - CommonName string `json:"commonName,omitempty"` +// X509Subject Full X509 name specification +type X509Subject struct { + // Countries to be used on the Certificate. + // +optional + Countries []string `json:"country,omitempty"` + // Organizational Units to be used on the Certificate. + // +optional + OrganizationalUnits []string `json:"organizationalUnit,omitempty"` + // Cities to be used on the Certificate. + // +optional + Localities []string `json:"locality,omitempty"` + // State/Provinces to be used on the Certificate. + // +optional + Provinces []string `json:"province,omitempty"` + // Street addresses to be used on the Certificate. + // +optional + StreetAddresses []string `json:"streetAddress,omitempty"` + // Postal codes to be used on the Certificate. + // +optional + PostalCodes []string `json:"postalCode,omitempty"` + // Serial number to be used on the Certificate. + // +optional + SerialNumber string `json:"serialNumber,omitempty"` } // CertificateStatus defines the observed state of Certificate diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go index 05dae3dad..00f57cebf 100644 --- a/pkg/util/pki/csr.go +++ b/pkg/util/pki/csr.go 
@@ -124,28 +124,14 @@ Outer:
 const defaultOrganization = "cert-manager"
 // OrganizationForCertificate will return the Organization to set for the
-// Certificate resource or if X509Name.Organization is set will return that
+// Certificate resource.
 // If an Organization is not specifically set, a default will be used.
 func OrganizationForCertificate(crt *v1alpha2.Certificate) []string {
- if len(crt.Spec.Organization) == 0 && len(crt.Spec.X509Name.Organization) == 0 {
+ if len(crt.Spec.Organization) == 0 {
 return []string{defaultOrganization}
 }
- if len(crt.Spec.X509Name.Organization) == 0 {
- return crt.Spec.Organization
- }
-
- return crt.Spec.X509Name.Organization
-}
-
-// CommonNameForCertificate will return the CommonName to set for the
-// Certificate resource or if X509Name.CommonName is set will return that
-func CommonNameForCertificate(crt *v1alpha2.Certificate) string {
- if len(crt.Spec.X509Name.CommonName) == 0 {
- return crt.Spec.CommonName
- }
-
- return crt.Spec.X509Name.CommonName
+ return crt.Spec.Organization
 }
 var serialNumberLimit = new(big.Int).Lsh(big.NewInt(1), 128)
@@ -178,16 +164,9 @@ func BuildKeyUsages(usages []v1alpha2.KeyUsage, isCA bool) (ku x509.KeyUsage, ek
 // The CSR will not be signed, and should be passed to either EncodeCSR or
 // to the x509.CreateCertificateRequest function.
 func GenerateCSR(crt *v1alpha2.Certificate) (*x509.CertificateRequest, error) {
- country := crt.Spec.X509Name.Country
- organization := OrganizationForCertificate(crt)
- organizationalUnit := crt.Spec.X509Name.OrganizationalUnit
- locality := crt.Spec.X509Name.Locality
- province := crt.Spec.X509Name.Province
- streetAddress := crt.Spec.X509Name.StreetAddress
- postalCode := crt.Spec.X509Name.PostalCode
- serialNumber := crt.Spec.X509Name.SerialNumber
- commonName := CommonNameForCertificate(crt)
+ commonName := crt.Spec.CommonName
 iPAddresses := IPAddressesForCertificate(crt)
+ organization := OrganizationForCertificate(crt)
 dnsNames, err := DNSNamesForCertificate(crt)
 if err != nil {
@@ -213,14 +192,14 @@ func GenerateCSR(crt *v1alpha2.Certificate) (*x509.CertificateRequest, error) {
 SignatureAlgorithm: sigAlgo,
 PublicKeyAlgorithm: pubKeyAlgo,
 Subject: pkix.Name{
- Country: country,
+ Country: crt.Spec.Subject.Countries,
 Organization: organization,
- OrganizationalUnit: organizationalUnit,
- Locality: locality,
- Province: province,
- StreetAddress: streetAddress,
- PostalCode: postalCode,
- SerialNumber: serialNumber,
+ OrganizationalUnit: crt.Spec.Subject.OrganizationalUnits,
+ Locality: crt.Spec.Subject.Localities,
+ Province: crt.Spec.Subject.Provinces,
+ StreetAddress: crt.Spec.Subject.StreetAddresses,
+ PostalCode: crt.Spec.Subject.PostalCodes,
+ SerialNumber: crt.Spec.Subject.SerialNumber,
 CommonName: commonName,
 },
 DNSNames: dnsNames,
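Review bot: The pkix.Name literal here reads seven fields through `crt.Spec.Subject`, a `*X509Subject` that is `+optional`, and GenerateTemplate in the next hunk repeats the identical block, so the two can drift and a Certificate without `subject:` dereferences nil in both. Building the name in one small helper that copies the attributes only when the pointer is set keeps each call site to `Subject: subjectForCertificate(crt),` and puts the guard in a single place. OrganizationForCertificate and the top-level CommonName keep their current roles inside the helper.
```go
// subjectForCertificate builds the Subject for crt's CSR and template.
// spec.subject is optional, so its attributes are copied only when it is
// set; Organization and CommonName still come from the top-level fields.
func subjectForCertificate(crt *v1alpha2.Certificate) pkix.Name {
	name := pkix.Name{
		Organization: OrganizationForCertificate(crt),
		CommonName:   crt.Spec.CommonName,
	}
	if s := crt.Spec.Subject; s != nil {
		name.Country = s.Countries
		name.OrganizationalUnit = s.OrganizationalUnits
		name.Locality = s.Localities
		name.Province = s.Provinces
		name.StreetAddress = s.StreetAddresses
		name.PostalCode = s.PostalCodes
		name.SerialNumber = s.SerialNumber
	}
	return name
}

// … unchanged: GenerateCSR up to the CertificateRequest literal …
		Subject: subjectForCertificate(crt),
// … unchanged: DNSNames, IPAddresses and the rest of the literal …
```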
@@ -236,7 +215,7 @@ func GenerateCSR(crt *v1alpha2.Certificate) (*x509.CertificateRequest, error) {
 // generated by GenerateCSR.
 // The PublicKey field must be populated by the caller.
 func GenerateTemplate(crt *v1alpha2.Certificate) (*x509.Certificate, error) {
- commonName := CommonNameForCertificate(crt)
+ commonName := crt.Spec.CommonName
 dnsNames := crt.Spec.DNSNames
 ipAddresses := IPAddressesForCertificate(crt)
 organization := OrganizationForCertificate(crt)
@@ -268,8 +247,15 @@ func GenerateTemplate(crt *v1alpha2.Certificate) (*x509.Certificate, error) {
 PublicKeyAlgorithm: pubKeyAlgo,
 IsCA: crt.Spec.IsCA,
 Subject: pkix.Name{
- Organization: organization,
- CommonName: commonName,
+ Country: crt.Spec.Subject.Countries,
+ Organization: organization,
+ OrganizationalUnit: crt.Spec.Subject.OrganizationalUnits,
+ Locality: crt.Spec.Subject.Localities,
+ Province: crt.Spec.Subject.Provinces,
+ StreetAddress: crt.Spec.Subject.StreetAddresses,
+ PostalCode: crt.Spec.Subject.PostalCodes,
+ SerialNumber: crt.Spec.Subject.SerialNumber,
+ CommonName: commonName,
 },
 NotBefore: time.Now(),
 NotAfter: time.Now().Add(certDuration),
From 9ee6ea7b7db904d36116a0adb2cabb80dd86302a Mon Sep 17 00:00:00 2001
From: Joshua Mathianas
Date: Thu, 16 Jan 2020 09:49:40 -0500
Subject: [PATCH 3/5] Fixed a typo and ran generators
Signed-off-by: Joshua Mathianas
---
 .../cert-manager/crds/certificates.yaml | 77 +++++++++---------- deploy/manifests/00-crds.yaml | 77 +++++++++---------- .../v1alpha2/zz_generated.deepcopy.go | 43 +++++------ .../apis/certmanager/types_certificate.go | 3 +- .../v1alpha2/zz_generated.conversion.go | 66 +++++++--------- .../apis/certmanager/zz_generated.deepcopy.go | 39 ++++------ 6 files changed, 137 insertions(+), 168 deletions(-)
diff --git a/deploy/charts/cert-manager/crds/certificates.yaml b/deploy/charts/cert-manager/crds/certificates.yaml
index 18e6b2b99..29eabe698 100644
--- a/deploy/charts/cert-manager/crds/certificates.yaml
+++ b/deploy/charts/cert-manager/crds/certificates.yaml @@ -144,6 +144,43 @@ spec: description: SecretName is the name of the secret resource to store this secret in type: string + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + type: object + properties: + country: + description: Countries to be used on the Certificate. + type: array + items: + type: string + locality: + description: Cities to be used on the Certificate. + type: array + items: + type: string + organizationalUnit: + description: Organizational Units to be used on the Certificate. + type: array + items: + type: string + postalCode: + description: Postal codes to be used on the Certificate. + type: array + items: + type: string + province: + description: State/Provinces to be used on the Certificate. + type: array + items: + type: string + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddress: + description: Street addresses to be used on the Certificate. + type: array + items: + type: string uriSANs: description: URISANs is a list of URI Subject Alternative Names to be set on this Certificate. 
@@ -190,46 +227,6 @@ spec: - ocsp signing - microsoft sgc - netscape sgc - x509Name: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - If specified, overrides any other name elements below. - type: object - properties: - commonName: - type: string - country: - description: Country/Region - type: array - items: - type: string - locality: - description: City - type: array - items: - type: string - organization: - type: array - items: - type: string - organizationalUnit: - type: array - items: - type: string - postalCode: - type: array - items: - type: string - province: - description: State/Province - type: array - items: - type: string - serialNumber: - type: string - streetAddress: - type: array - items: - type: string status: description: CertificateStatus defines the observed state of Certificate type: object diff --git a/deploy/manifests/00-crds.yaml b/deploy/manifests/00-crds.yaml index 94fac9527..002ccb7f1 100644 --- a/deploy/manifests/00-crds.yaml +++ b/deploy/manifests/00-crds.yaml 
@@ -335,6 +335,43 @@ spec: description: SecretName is the name of the secret resource to store this secret in type: string + subject: + description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). + type: object + properties: + country: + description: Countries to be used on the Certificate. + type: array + items: + type: string + locality: + description: Cities to be used on the Certificate. + type: array + items: + type: string + organizationalUnit: + description: Organizational Units to be used on the Certificate. + type: array + items: + type: string + postalCode: + description: Postal codes to be used on the Certificate. + type: array + items: + type: string + province: + description: State/Provinces to be used on the Certificate. + type: array + items: + type: string + serialNumber: + description: Serial number to be used on the Certificate. + type: string + streetAddress: + description: Street addresses to be used on the Certificate. + type: array + items: + type: string uriSANs: description: URISANs is a list of URI Subject Alternative Names to be set on this Certificate. @@ -381,46 +418,6 @@ spec: - ocsp signing - microsoft sgc - netscape sgc - x509Name: - description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - If specified, overrides any other name elements below. - type: object - properties: - commonName: - type: string - country: - description: Country/Region - type: array - items: - type: string - locality: - description: City - type: array - items: - type: string - organization: - type: array - items: - type: string - organizationalUnit: - type: array - items: - type: string - postalCode: - type: array - items: - type: string - province: - description: State/Province - type: array - items: - type: string - serialNumber: - type: string - streetAddress: - type: array - items: - type: string status: description: CertificateStatus defines the observed state of Certificate type: object 
diff --git a/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go b/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go index 0419225ef..1ab249c59 100644 --- a/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go +++ b/pkg/apis/certmanager/v1alpha2/zz_generated.deepcopy.go @@ -277,9 +277,9 @@ func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) { *out = *in - if in.X509Name != nil { - in, out := &in.X509Name, &out.X509Name - *out = new(X509DistinguishedName) + if in.Subject != nil { + in, out := &in.Subject, &out.Subject + *out = new(X509Subject) (*in).DeepCopyInto(*out) } if in.Organization != nil { 
@@ -759,52 +759,47 @@ func (in *VenafiTPP) DeepCopy() *VenafiTPP { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *X509DistinguishedName) DeepCopyInto(out *X509DistinguishedName) { +func (in *X509Subject) DeepCopyInto(out *X509Subject) { *out = *in - if in.Country != nil { - in, out := &in.Country, &out.Country + if in.Countries != nil { + in, out := &in.Countries, &out.Countries *out = make([]string, len(*in)) copy(*out, *in) } - if in.Organization != nil { - in, out := &in.Organization, &out.Organization + if in.OrganizationalUnits != nil { + in, out := &in.OrganizationalUnits, &out.OrganizationalUnits *out = make([]string, len(*in)) copy(*out, *in) } - if in.OrganizationalUnit != nil { - in, out := &in.OrganizationalUnit, &out.OrganizationalUnit + if in.Localities != nil { + in, out := &in.Localities, &out.Localities *out = make([]string, len(*in)) copy(*out, *in) } - if in.Locality != nil { - in, out := &in.Locality, &out.Locality + if in.Provinces != nil { + in, out := &in.Provinces, &out.Provinces *out = make([]string, len(*in)) copy(*out, *in) } - if in.Province != nil { - in, out := &in.Province, &out.Province + if in.StreetAddresses != nil { + in, out := &in.StreetAddresses, &out.StreetAddresses *out = make([]string, len(*in)) copy(*out, *in) } - if in.StreetAddress != nil { - in, out := &in.StreetAddress, &out.StreetAddress - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.PostalCode != nil { - in, out := &in.PostalCode, &out.PostalCode + if in.PostalCodes != nil { + in, out := &in.PostalCodes, &out.PostalCodes *out = make([]string, len(*in)) copy(*out, *in) } return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509DistinguishedName. -func (in *X509DistinguishedName) DeepCopy() *X509DistinguishedName { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509Subject. 
+func (in *X509Subject) DeepCopy() *X509Subject { if in == nil { return nil } - out := new(X509DistinguishedName) + out := new(X509Subject) in.DeepCopyInto(out) return out } diff --git a/pkg/internal/apis/certmanager/types_certificate.go b/pkg/internal/apis/certmanager/types_certificate.go index 0dfe61bd3..59826f085 100644 --- a/pkg/internal/apis/certmanager/types_certificate.go +++ b/pkg/internal/apis/certmanager/types_certificate.go @@ -60,9 +60,8 @@ const ( // CertificateSpec defines the desired state of Certificate type CertificateSpec struct { // Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). - // If specified, overrides any other name elements below. // +optional - X509Name *X509DistinguishedName `json:"x509Name,omitempty"` + X509Name *X509Subject `json:"x509Name,omitempty"` // A valid Certificate requires at least one of a CommonName, DNSName, or // URISAN to be valid. diff --git a/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go b/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go index 2072bb9e9..9a5ba34c2 100644 --- a/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go +++ b/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go 
@@ -311,13 +311,13 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } - if err := s.AddGeneratedConversionFunc((*v1alpha2.X509DistinguishedName)(nil), (*certmanager.X509DistinguishedName)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha2_X509DistinguishedName_To_certmanager_X509DistinguishedName(a.(*v1alpha2.X509DistinguishedName), b.(*certmanager.X509DistinguishedName), scope) + if err := s.AddGeneratedConversionFunc((*v1alpha2.X509Subject)(nil), (*certmanager.X509Subject)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha2_X509Subject_To_certmanager_X509Subject(a.(*v1alpha2.X509Subject), b.(*certmanager.X509Subject), scope) }); err != nil { return err } - if err := s.AddGeneratedConversionFunc((*certmanager.X509DistinguishedName)(nil), (*v1alpha2.X509DistinguishedName)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_certmanager_X509DistinguishedName_To_v1alpha2_X509DistinguishedName(a.(*certmanager.X509DistinguishedName), b.(*v1alpha2.X509DistinguishedName), scope) + if err := s.AddGeneratedConversionFunc((*certmanager.X509Subject)(nil), (*v1alpha2.X509Subject)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_certmanager_X509Subject_To_v1alpha2_X509Subject(a.(*certmanager.X509Subject), b.(*v1alpha2.X509Subject), scope) }); err != nil { return err } 
@@ -569,7 +569,7 @@ func Convert_certmanager_CertificateRequestStatus_To_v1alpha2_CertificateRequest } func autoConvert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec(in *v1alpha2.CertificateSpec, out *certmanager.CertificateSpec, s conversion.Scope) error { - out.X509Name = (*certmanager.X509DistinguishedName)(unsafe.Pointer(in.X509Name)) + // WARNING: in.Subject requires manual conversion: does not exist in peer-type out.CommonName = in.CommonName out.Organization = *(*[]string)(unsafe.Pointer(&in.Organization)) out.Duration = (*v1.Duration)(unsafe.Pointer(in.Duration)) @@ -590,13 +590,8 @@ func autoConvert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec(in *v1a return nil } -// Convert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec is an autogenerated conversion function. -func Convert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec(in *v1alpha2.CertificateSpec, out *certmanager.CertificateSpec, s conversion.Scope) error { - return autoConvert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec(in, out, s) -} - func autoConvert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec(in *certmanager.CertificateSpec, out *v1alpha2.CertificateSpec, s conversion.Scope) error { - out.X509Name = (*v1alpha2.X509DistinguishedName)(unsafe.Pointer(in.X509Name)) + // WARNING: in.X509Name requires manual conversion: does not exist in peer-type out.CommonName = in.CommonName out.Organization = *(*[]string)(unsafe.Pointer(&in.Organization)) out.Duration = (*v1.Duration)(unsafe.Pointer(in.Duration)) 
@@ -617,11 +612,6 @@ func autoConvert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec(in *cer return nil } -// Convert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec is an autogenerated conversion function. -func Convert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec(in *certmanager.CertificateSpec, out *v1alpha2.CertificateSpec, s conversion.Scope) error { - return autoConvert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec(in, out, s) -} - func autoConvert_v1alpha2_CertificateStatus_To_certmanager_CertificateStatus(in *v1alpha2.CertificateStatus, out *certmanager.CertificateStatus, s conversion.Scope) error { out.Conditions = *(*[]certmanager.CertificateCondition)(unsafe.Pointer(&in.Conditions)) out.LastFailureTime = (*v1.Time)(unsafe.Pointer(in.LastFailureTime)) 
@@ -1070,38 +1060,34 @@ func Convert_certmanager_VenafiTPP_To_v1alpha2_VenafiTPP(in *certmanager.VenafiT return autoConvert_certmanager_VenafiTPP_To_v1alpha2_VenafiTPP(in, out, s) } -func autoConvert_v1alpha2_X509DistinguishedName_To_certmanager_X509DistinguishedName(in *v1alpha2.X509DistinguishedName, out *certmanager.X509DistinguishedName, s conversion.Scope) error { - out.Country = *(*[]string)(unsafe.Pointer(&in.Country)) - out.Organization = *(*[]string)(unsafe.Pointer(&in.Organization)) - out.OrganizationalUnit = *(*[]string)(unsafe.Pointer(&in.OrganizationalUnit)) - out.Locality = *(*[]string)(unsafe.Pointer(&in.Locality)) - out.Province = *(*[]string)(unsafe.Pointer(&in.Province)) - out.StreetAddress = *(*[]string)(unsafe.Pointer(&in.StreetAddress)) - out.PostalCode = *(*[]string)(unsafe.Pointer(&in.PostalCode)) +func autoConvert_v1alpha2_X509Subject_To_certmanager_X509Subject(in *v1alpha2.X509Subject, out *certmanager.X509Subject, s conversion.Scope) error { + out.Countries = *(*[]string)(unsafe.Pointer(&in.Countries)) + out.OrganizationalUnits = *(*[]string)(unsafe.Pointer(&in.OrganizationalUnits)) + out.Localities = *(*[]string)(unsafe.Pointer(&in.Localities)) + out.Provinces = *(*[]string)(unsafe.Pointer(&in.Provinces)) + out.StreetAddresses = *(*[]string)(unsafe.Pointer(&in.StreetAddresses)) + out.PostalCodes = *(*[]string)(unsafe.Pointer(&in.PostalCodes)) out.SerialNumber = in.SerialNumber - out.CommonName = in.CommonName return nil } -// Convert_v1alpha2_X509DistinguishedName_To_certmanager_X509DistinguishedName is an autogenerated conversion function. -func Convert_v1alpha2_X509DistinguishedName_To_certmanager_X509DistinguishedName(in *v1alpha2.X509DistinguishedName, out *certmanager.X509DistinguishedName, s conversion.Scope) error { - return autoConvert_v1alpha2_X509DistinguishedName_To_certmanager_X509DistinguishedName(in, out, s) +// Convert_v1alpha2_X509Subject_To_certmanager_X509Subject is an autogenerated conversion function. 
+func Convert_v1alpha2_X509Subject_To_certmanager_X509Subject(in *v1alpha2.X509Subject, out *certmanager.X509Subject, s conversion.Scope) error { + return autoConvert_v1alpha2_X509Subject_To_certmanager_X509Subject(in, out, s) } -func autoConvert_certmanager_X509DistinguishedName_To_v1alpha2_X509DistinguishedName(in *certmanager.X509DistinguishedName, out *v1alpha2.X509DistinguishedName, s conversion.Scope) error { - out.Country = *(*[]string)(unsafe.Pointer(&in.Country)) - out.Organization = *(*[]string)(unsafe.Pointer(&in.Organization)) - out.OrganizationalUnit = *(*[]string)(unsafe.Pointer(&in.OrganizationalUnit)) - out.Locality = *(*[]string)(unsafe.Pointer(&in.Locality)) - out.Province = *(*[]string)(unsafe.Pointer(&in.Province)) - out.StreetAddress = *(*[]string)(unsafe.Pointer(&in.StreetAddress)) - out.PostalCode = *(*[]string)(unsafe.Pointer(&in.PostalCode)) +func autoConvert_certmanager_X509Subject_To_v1alpha2_X509Subject(in *certmanager.X509Subject, out *v1alpha2.X509Subject, s conversion.Scope) error { + out.Countries = *(*[]string)(unsafe.Pointer(&in.Countries)) + out.OrganizationalUnits = *(*[]string)(unsafe.Pointer(&in.OrganizationalUnits)) + out.Localities = *(*[]string)(unsafe.Pointer(&in.Localities)) + out.Provinces = *(*[]string)(unsafe.Pointer(&in.Provinces)) + out.StreetAddresses = *(*[]string)(unsafe.Pointer(&in.StreetAddresses)) + out.PostalCodes = *(*[]string)(unsafe.Pointer(&in.PostalCodes)) out.SerialNumber = in.SerialNumber - out.CommonName = in.CommonName return nil } -// Convert_certmanager_X509DistinguishedName_To_v1alpha2_X509DistinguishedName is an autogenerated conversion function. 
-func Convert_certmanager_X509DistinguishedName_To_v1alpha2_X509DistinguishedName(in *certmanager.X509DistinguishedName, out *v1alpha2.X509DistinguishedName, s conversion.Scope) error { - return autoConvert_certmanager_X509DistinguishedName_To_v1alpha2_X509DistinguishedName(in, out, s) +// Convert_certmanager_X509Subject_To_v1alpha2_X509Subject is an autogenerated conversion function. +func Convert_certmanager_X509Subject_To_v1alpha2_X509Subject(in *certmanager.X509Subject, out *v1alpha2.X509Subject, s conversion.Scope) error { + return autoConvert_certmanager_X509Subject_To_v1alpha2_X509Subject(in, out, s) } diff --git a/pkg/internal/apis/certmanager/zz_generated.deepcopy.go b/pkg/internal/apis/certmanager/zz_generated.deepcopy.go index c065bbc56..97c0f6530 100644 --- a/pkg/internal/apis/certmanager/zz_generated.deepcopy.go +++ b/pkg/internal/apis/certmanager/zz_generated.deepcopy.go @@ -279,7 +279,7 @@ func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) { *out = *in if in.X509Name != nil { in, out := &in.X509Name, &out.X509Name - *out = new(X509DistinguishedName) + *out = new(X509Subject) (*in).DeepCopyInto(*out) } if in.Organization != nil { 
@@ -759,52 +759,47 @@ func (in *VenafiTPP) DeepCopy() *VenafiTPP { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *X509DistinguishedName) DeepCopyInto(out *X509DistinguishedName) { +func (in *X509Subject) DeepCopyInto(out *X509Subject) { *out = *in - if in.Country != nil { - in, out := &in.Country, &out.Country + if in.Countries != nil { + in, out := &in.Countries, &out.Countries *out = make([]string, len(*in)) copy(*out, *in) } - if in.Organization != nil { - in, out := &in.Organization, &out.Organization + if in.OrganizationalUnits != nil { + in, out := &in.OrganizationalUnits, &out.OrganizationalUnits *out = make([]string, len(*in)) copy(*out, *in) } - if in.OrganizationalUnit != nil { - in, out := &in.OrganizationalUnit, &out.OrganizationalUnit + if in.Localities != nil { + in, out := &in.Localities, &out.Localities *out = make([]string, len(*in)) copy(*out, *in) } - if in.Locality != nil { - in, out := &in.Locality, &out.Locality + if in.Provinces != nil { + in, out := &in.Provinces, &out.Provinces *out = make([]string, len(*in)) copy(*out, *in) } - if in.Province != nil { - in, out := &in.Province, &out.Province + if in.StreetAddresses != nil { + in, out := &in.StreetAddresses, &out.StreetAddresses *out = make([]string, len(*in)) copy(*out, *in) } - if in.StreetAddress != nil { - in, out := &in.StreetAddress, &out.StreetAddress - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.PostalCode != nil { - in, out := &in.PostalCode, &out.PostalCode + if in.PostalCodes != nil { + in, out := &in.PostalCodes, &out.PostalCodes *out = make([]string, len(*in)) copy(*out, *in) } return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509DistinguishedName. -func (in *X509DistinguishedName) DeepCopy() *X509DistinguishedName { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new X509Subject. 
+func (in *X509Subject) DeepCopy() *X509Subject { if in == nil { return nil } - out := new(X509DistinguishedName) + out := new(X509Subject) in.DeepCopyInto(out) return out } From 05ff21250d566913f7d911aa820b226798eff469 Mon Sep 17 00:00:00 2001 From: Joshua Mathianas Date: Thu, 16 Jan 2020 10:30:20 -0500 Subject: [PATCH 4/5] Updates plural names and destination attribute name to match source Signed-off-by: Joshua Mathianas --- deploy/charts/cert-manager/crds/certificates.yaml | 12 ++++++------ deploy/manifests/00-crds.yaml | 12 ++++++------ pkg/apis/certmanager/v1alpha2/types_certificate.go | 12 ++++++------ pkg/internal/apis/certmanager/types_certificate.go | 14 +++++++------- .../v1alpha2/zz_generated.conversion.go | 14 ++++++++++++-- .../apis/certmanager/zz_generated.deepcopy.go | 4 ++-- 6 files changed, 39 insertions(+), 29 deletions(-) diff --git a/deploy/charts/cert-manager/crds/certificates.yaml b/deploy/charts/cert-manager/crds/certificates.yaml index 29eabe698..4bfe2ad7d 100644 --- a/deploy/charts/cert-manager/crds/certificates.yaml +++ b/deploy/charts/cert-manager/crds/certificates.yaml @@ -148,27 +148,27 @@ spec: description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). type: object properties: - country: + countries: description: Countries to be used on the Certificate. type: array items: type: string - locality: + localities: description: Cities to be used on the Certificate. type: array items: type: string - organizationalUnit: + organizationalUnits: description: Organizational Units to be used on the Certificate. type: array items: type: string - postalCode: + postalCodes: description: Postal codes to be used on the Certificate. type: array items: type: string - province: + provinces: description: State/Provinces to be used on the Certificate. type: array items: 
@@ -176,7 +176,7 @@ spec: serialNumber: description: Serial number to be used on the Certificate. type: string - streetAddress: + streetAddresses: description: Street addresses to be used on the Certificate. type: array items: diff --git a/deploy/manifests/00-crds.yaml b/deploy/manifests/00-crds.yaml index 002ccb7f1..f08752954 100644 --- a/deploy/manifests/00-crds.yaml +++ b/deploy/manifests/00-crds.yaml @@ -339,27 +339,27 @@ spec: description: Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). type: object properties: - country: + countries: description: Countries to be used on the Certificate. type: array items: type: string - locality: + localities: description: Cities to be used on the Certificate. type: array items: type: string - organizationalUnit: + organizationalUnits: description: Organizational Units to be used on the Certificate. type: array items: type: string - postalCode: + postalCodes: description: Postal codes to be used on the Certificate. type: array items: type: string - province: + provinces: description: State/Provinces to be used on the Certificate. type: array items: @@ -367,7 +367,7 @@ spec: serialNumber: description: Serial number to be used on the Certificate. type: string - streetAddress: + streetAddresses: description: Street addresses to be used on the Certificate. type: array items: diff --git a/pkg/apis/certmanager/v1alpha2/types_certificate.go b/pkg/apis/certmanager/v1alpha2/types_certificate.go index 1a0a7e69e..2c5aa9217 100644 --- a/pkg/apis/certmanager/v1alpha2/types_certificate.go +++ b/pkg/apis/certmanager/v1alpha2/types_certificate.go 
@@ -153,22 +153,22 @@ type CertificateSpec struct { type X509Subject struct { // Countries to be used on the Certificate. // +optional - Countries []string `json:"country,omitempty"` + Countries []string `json:"countries,omitempty"` // Organizational Units to be used on the Certificate. // +optional - OrganizationalUnits []string `json:"organizationalUnit,omitempty"` + OrganizationalUnits []string `json:"organizationalUnits,omitempty"` // Cities to be used on the Certificate. // +optional - Localities []string `json:"locality,omitempty"` + Localities []string `json:"localities,omitempty"` // State/Provinces to be used on the Certificate. // +optional - Provinces []string `json:"province,omitempty"` + Provinces []string `json:"provinces,omitempty"` // Street addresses to be used on the Certificate. // +optional - StreetAddresses []string `json:"streetAddress,omitempty"` + StreetAddresses []string `json:"streetAddresses,omitempty"` // Postal codes to be used on the Certificate. // +optional - PostalCodes []string `json:"postalCode,omitempty"` + PostalCodes []string `json:"postalCodes,omitempty"` // Serial number to be used on the Certificate. // +optional SerialNumber string `json:"serialNumber,omitempty"` diff --git a/pkg/internal/apis/certmanager/types_certificate.go b/pkg/internal/apis/certmanager/types_certificate.go index 59826f085..92b2cbfb1 100644 --- a/pkg/internal/apis/certmanager/types_certificate.go +++ b/pkg/internal/apis/certmanager/types_certificate.go @@ -61,7 +61,7 @@ const ( type CertificateSpec struct { // Full X509 name specification (https://golang.org/pkg/crypto/x509/pkix/#Name). // +optional - X509Name *X509Subject `json:"x509Name,omitempty"` + Subject *X509Subject `json:"subject,omitempty"` // A valid Certificate requires at least one of a CommonName, DNSName, or // URISAN to be valid. 
@@ -143,22 +143,22 @@ type CertificateSpec struct { type X509Subject struct { // Countries to be used on the Certificate. // +optional - Countries []string `json:"country,omitempty"` + Countries []string `json:"countries,omitempty"` // Organizational Units to be used on the Certificate. // +optional - OrganizationalUnits []string `json:"organizationalUnit,omitempty"` + OrganizationalUnits []string `json:"organizationalUnits,omitempty"` // Cities to be used on the Certificate. // +optional - Localities []string `json:"locality,omitempty"` + Localities []string `json:"localities,omitempty"` // State/Provinces to be used on the Certificate. // +optional - Provinces []string `json:"province,omitempty"` + Provinces []string `json:"provinces,omitempty"` // Street addresses to be used on the Certificate. // +optional - StreetAddresses []string `json:"streetAddress,omitempty"` + StreetAddresses []string `json:"streetAddresses,omitempty"` // Postal codes to be used on the Certificate. // +optional - PostalCodes []string `json:"postalCode,omitempty"` + PostalCodes []string `json:"postalCodes,omitempty"` // Serial number to be used on the Certificate. // +optional SerialNumber string `json:"serialNumber,omitempty"` diff --git a/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go b/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go index 9a5ba34c2..bfb860c0f 100644 --- a/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go +++ b/pkg/internal/apis/certmanager/v1alpha2/zz_generated.conversion.go 
@@ -569,7 +569,7 @@ func Convert_certmanager_CertificateRequestStatus_To_v1alpha2_CertificateRequest } func autoConvert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec(in *v1alpha2.CertificateSpec, out *certmanager.CertificateSpec, s conversion.Scope) error { - // WARNING: in.Subject requires manual conversion: does not exist in peer-type + out.Subject = (*certmanager.X509Subject)(unsafe.Pointer(in.Subject)) out.CommonName = in.CommonName out.Organization = *(*[]string)(unsafe.Pointer(&in.Organization)) out.Duration = (*v1.Duration)(unsafe.Pointer(in.Duration)) @@ -590,8 +590,13 @@ func autoConvert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec(in *v1a return nil } +// Convert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec is an autogenerated conversion function. +func Convert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec(in *v1alpha2.CertificateSpec, out *certmanager.CertificateSpec, s conversion.Scope) error { + return autoConvert_v1alpha2_CertificateSpec_To_certmanager_CertificateSpec(in, out, s) +} + func autoConvert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec(in *certmanager.CertificateSpec, out *v1alpha2.CertificateSpec, s conversion.Scope) error { - // WARNING: in.X509Name requires manual conversion: does not exist in peer-type + out.Subject = (*v1alpha2.X509Subject)(unsafe.Pointer(in.Subject)) out.CommonName = in.CommonName out.Organization = *(*[]string)(unsafe.Pointer(&in.Organization)) out.Duration = (*v1.Duration)(unsafe.Pointer(in.Duration)) 
@@ -612,6 +617,11 @@ func autoConvert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec(in *cer return nil } +// Convert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec is an autogenerated conversion function. +func Convert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec(in *certmanager.CertificateSpec, out *v1alpha2.CertificateSpec, s conversion.Scope) error { + return autoConvert_certmanager_CertificateSpec_To_v1alpha2_CertificateSpec(in, out, s) +} + func autoConvert_v1alpha2_CertificateStatus_To_certmanager_CertificateStatus(in *v1alpha2.CertificateStatus, out *certmanager.CertificateStatus, s conversion.Scope) error { out.Conditions = *(*[]certmanager.CertificateCondition)(unsafe.Pointer(&in.Conditions)) out.LastFailureTime = (*v1.Time)(unsafe.Pointer(in.LastFailureTime)) diff --git a/pkg/internal/apis/certmanager/zz_generated.deepcopy.go b/pkg/internal/apis/certmanager/zz_generated.deepcopy.go index 97c0f6530..91fbdd141 100644 --- a/pkg/internal/apis/certmanager/zz_generated.deepcopy.go +++ b/pkg/internal/apis/certmanager/zz_generated.deepcopy.go @@ -277,8 +277,8 @@ func (in *CertificateRequestStatus) DeepCopy() *CertificateRequestStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) { *out = *in - if in.X509Name != nil { - in, out := &in.X509Name, &out.X509Name + if in.Subject != nil { + in, out := &in.Subject, &out.Subject *out = new(X509Subject) (*in).DeepCopyInto(*out) } From 39cc63a205b070f98083ed9cd32987541a5e8b4a Mon Sep 17 00:00:00 2001 From: Joshua Mathianas Date: Thu, 16 Jan 2020 11:34:44 -0500 Subject: [PATCH 5/5] resolve failing unit tests Signed-off-by: Joshua Mathianas --- pkg/util/pki/csr.go | 39 +++++++++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 14 deletions(-) diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go index 00f57cebf..7767d42fc 100644 
--- a/pkg/util/pki/csr.go +++ b/pkg/util/pki/csr.go @@ -134,6 +134,15 @@ func OrganizationForCertificate(crt *v1alpha2.Certificate) []string { return crt.Spec.Organization } +// SubjectForCertificate will return the Subject from the Certificate resource or an empty one if it is not set +func SubjectForCertificate(crt *v1alpha2.Certificate) v1alpha2.X509Subject { + if crt.Spec.Subject == nil { + return v1alpha2.X509Subject{} + } + + return *crt.Spec.Subject +} + var serialNumberLimit = new(big.Int).Lsh(big.NewInt(1), 128) func BuildKeyUsages(usages []v1alpha2.KeyUsage, isCA bool) (ku x509.KeyUsage, eku []x509.ExtKeyUsage, err error) { @@ -167,6 +176,7 @@ func GenerateCSR(crt *v1alpha2.Certificate) (*x509.CertificateRequest, error) { commonName := crt.Spec.CommonName iPAddresses := IPAddressesForCertificate(crt) organization := OrganizationForCertificate(crt) + subject := SubjectForCertificate(crt) dnsNames, err := DNSNamesForCertificate(crt) if err != nil { @@ -192,14 +202,14 @@ func GenerateCSR(crt *v1alpha2.Certificate) (*x509.CertificateRequest, error) { SignatureAlgorithm: sigAlgo, PublicKeyAlgorithm: pubKeyAlgo, Subject: pkix.Name{ - Country: crt.Spec.Subject.Countries, + Country: subject.Countries, Organization: organization, - OrganizationalUnit: crt.Spec.Subject.OrganizationalUnits, - Locality: crt.Spec.Subject.Localities, - Province: crt.Spec.Subject.Provinces, - StreetAddress: crt.Spec.Subject.StreetAddresses, - PostalCode: crt.Spec.Subject.PostalCodes, - SerialNumber: crt.Spec.Subject.SerialNumber, + OrganizationalUnit: subject.OrganizationalUnits, + Locality: subject.Localities, + Province: subject.Provinces, + StreetAddress: subject.StreetAddresses, + PostalCode: subject.PostalCodes, + SerialNumber: subject.SerialNumber, CommonName: commonName, }, DNSNames: dnsNames, 
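Review bot: The subject attributes copied into `pkix.Name` in the `@@ -192,14 +202,14` hunk (`Country`, `OrganizationalUnit`, `Locality`, `Province`, `StreetAddress`, `PostalCode`, `SerialNumber`) reach the CSR exactly as written in the Certificate resource, and nothing in this patch checks them; X.520 / RFC 5280 define `countryName` as a two-character code, so a wrong value will only surface as a rejection by the issuer, if at all. The webhook validation is not visible from this diff, so the check probably belongs there rather than in `GenerateCSR`, but if it does not exist yet it should at least reject country codes that are not two characters and empty strings inside the slices. The same nine-field `pkix.Name` literal is built a second time in the `GenerateTemplate` hunk (`@@ -247,14 +258,14`) of the next line, which is how the two will drift; both could call one unexported helper, sketched below, assuming `GenerateTemplate`'s `commonName` is also `crt.Spec.CommonName` (its assignment is outside the hunk). `GenerateCSR`'s body starts before this hunk and continues after it.

```go
// subjectForCertificate builds the pkix.Name shared by GenerateCSR and
// GenerateTemplate from the Certificate's commonName, organization and subject.
func subjectForCertificate(crt *v1alpha2.Certificate) pkix.Name {
	subject := SubjectForCertificate(crt)
	return pkix.Name{
		Country:            subject.Countries,
		Organization:       OrganizationForCertificate(crt),
		OrganizationalUnit: subject.OrganizationalUnits,
		Locality:           subject.Localities,
		Province:           subject.Provinces,
		StreetAddress:      subject.StreetAddresses,
		PostalCode:         subject.PostalCodes,
		SerialNumber:       subject.SerialNumber,
		CommonName:         crt.Spec.CommonName,
	}
}

// … unchanged: rest of GenerateCSR / GenerateTemplate; the literal becomes …
		Subject: subjectForCertificate(crt),
```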
@@ -219,6 +229,7 @@ func GenerateTemplate(crt *v1alpha2.Certificate) (*x509.Certificate, error) { dnsNames := crt.Spec.DNSNames ipAddresses := IPAddressesForCertificate(crt) organization := OrganizationForCertificate(crt) + subject := SubjectForCertificate(crt) keyUsages, extKeyUsages, err := BuildKeyUsages(crt.Spec.Usages, crt.Spec.IsCA) if err != nil { return nil, err @@ -247,14 +258,14 @@ func GenerateTemplate(crt *v1alpha2.Certificate) (*x509.Certificate, error) { PublicKeyAlgorithm: pubKeyAlgo, IsCA: crt.Spec.IsCA, Subject: pkix.Name{ - Country: crt.Spec.Subject.Countries, + Country: subject.Countries, Organization: organization, - OrganizationalUnit: crt.Spec.Subject.OrganizationalUnits, - Locality: crt.Spec.Subject.Localities, - Province: crt.Spec.Subject.Provinces, - StreetAddress: crt.Spec.Subject.StreetAddresses, - PostalCode: crt.Spec.Subject.PostalCodes, - SerialNumber: crt.Spec.Subject.SerialNumber, + OrganizationalUnit: subject.OrganizationalUnits, + Locality: subject.Localities, + Province: subject.Provinces, + StreetAddress: subject.StreetAddresses, + PostalCode: subject.PostalCodes, + SerialNumber: subject.SerialNumber, CommonName: commonName, }, NotBefore: time.Now(),