Commit Graph

67 Commits

Author SHA1 Message Date
James Munnelly
0fcc0c666c Update copyright header year
Signed-off-by: James Munnelly <james@munnelly.eu>
2019-01-07 15:07:55 +00:00
James Munnelly
08882e5fc2 Wrap missing secret data errors with Invalid
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-11-29 01:18:43 +00:00
James Munnelly
f358d987ea Retrieve private key before certificate in kube TLS function
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-11-28 19:18:30 +00:00
James Munnelly
dc97dde2ef Make Certificate Ready condition behaviour consistent between all issuer types
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-11-28 17:00:51 +00:00
Max Ehrlich
bbd9249198 Configurable issuer duration and renewBefore Take 2 (#893)
* Configurable issuer duration and renewBefore [1/3]

This is part one of (probably) three parts manually moving the changes from commit 723015174a167d746323f506ab3575cfb243d8bd to the new master. This commit moves the basic functionality of configurable duration while skipping e2e tests and docs. It does not include new work.

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Configurable issuer duration and renewBefore [2/3]

This commit moves over most of the e2e testing updates, some things are intentionally left out as they may be obsolete

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Configurable issuer duration and renewBefore [3/3]

This commit moves the documentation changes, completing the migration of the original code to the latest master

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Rerunning all hack scripts since the massive bazel update

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Add missing boilerplate headers

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Rerun codegen hack

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Rerunning update-docs hack

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Fix failing unit tests

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Fix build errors in e2e tests

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Rerun update-deps

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Don't recreate the CA issuer, it already exists

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Need to create new issuers for the duration and renew time tests because those fields are set in the issuer, so make sure they are named uniquely

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Add duration e2e tests for self-signed issuer

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Add duration e2e tests for vault w/ custom mount path

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Add validation to disallow acme certificates with duration and renewBefore set and update unit tests to verify

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Update docs to mention duration/renew for self-signed issuer and fix potential parsing errors with rst formatting

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Self-signed issuer was missing duration validation

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Fix a bug causing certificates with a short enough renew-before w.r.t their duration to be renewed instantly and forever

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Print the exact time until renewal

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Move duration and renewal validation to the issuer validation

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Update e2e tests to work with new validation

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Add e2e test for the self-signed issuer

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Redo cert duration and renew before to appear as part of the CSR and not the issuer

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Updating tests to match new duration/renewbefore format

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Update e2e tests to match new format

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Update docs to reflect changing the field from issuers to certificates

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Remove event firing and replace with a TODO as of discussion on PR

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Run hack scripts

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Remove the sync unit test since without events there is no way to catch the warnings that it was testing

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Use IssuerOptions RenewBeforeExpiryDuration if certificates don't set a renewBefore value for immediate renewal checks

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Delete check on certificate data length in e2e test for certificate duration as there is no reason it should be there

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Update e2e tests since certificate creation will never generate an event

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Rerunning hack scripts after big rebase

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Fix a few problems that slipped through during the rebase

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Fix an e2e error that resulted from the rebase

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Add unit test for the calculateTimeBeforeExpiry function

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Adding back in a bunch of missing error checks

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Remove unused function

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Add missing boilerplate

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Remove unused constant

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Move log constants to function body

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Rerun hack scripts

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Remove mistakenly committed file

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Remove double-import of util package

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Fix bad function call in e2e vault issuer

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Change duration and renewBefore to be pointer fields as they are optional

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Remove wrong vault issuer test that got past the rebase somehow

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Change e2e to use pointer format

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Move e2e cert tests out of issuer test file

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Move e2e self-signed issuer test to new location

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Make sure to check for nil in GenerateTemplate

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Add more empty checks to be safe

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Rerunning hacks after rebase

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Fix bad function call in new e2e test

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Try not setting duration and renewbefore on acme e2e tests

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Zero checks should really just be replaced by nil tests, zero should be caught as any other too-small value

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Fixed a missing nil check that got away

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Change e2e duration test format to use pointer times to better simulate API calls

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Fix sync unit test to match e2e test format

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Fix vault e2e test

Signed-off-by: Max Ehrlich <max.ehr@gmail.com>

* Revert changes to Certificate sync function

Signed-off-by: James Munnelly <james@munnelly.eu>

* Remove selfsigned e2e issuer.go

Signed-off-by: James Munnelly <james@munnelly.eu>

* Don't use ACME issuer in duration example and tidy up line endings

Signed-off-by: James Munnelly <james@munnelly.eu>

* Allow renewBefore to be set on ACME certificates

Signed-off-by: James Munnelly <james@munnelly.eu>

* Update renewBefore ACME docs. Remove unused fields.

Signed-off-by: James Munnelly <james@munnelly.eu>

* Rename calculateTimeBeforeExpiry to calculateDurationUntilRenew

Signed-off-by: James Munnelly <james@munnelly.eu>
2018-11-14 22:30:00 +00:00
James Munnelly
fdfc7f2f77 Don't explicitly set SignatureAlgorithm on signed Certificate
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-11-07 11:14:54 +00:00
James Munnelly
ad0971288e Run update-gofmt
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-11-06 11:10:21 +00:00
Luke Mallon (Nalum)
e2e1077cc8 Update bazel build files
Signed-off-by: Luke Mallon (Nalum) <luke@mallon.io>
2018-10-29 15:59:54 +00:00
Luke Mallon (Nalum)
35f2d16ec8 Add tests to cover the version function
Signed-off-by: Luke Mallon (Nalum) <luke@mallon.io>
2018-10-27 18:32:07 +01:00
Luke Mallon (Nalum)
c4fc6d7373 Update version string
Only add the commit hash to the version string if the AppVersion is set
to canary. See #997

Signed-off-by: Luke Mallon (Nalum) <luke@mallon.io>
2018-10-27 17:33:45 +01:00
jetstack-bot
500957f37e Merge pull request #968 from munnerz/sig-algo
Update SignatureAlgorithm function to also return PublicKey type
2018-10-16 15:03:37 +01:00
jetstack-bot
9eab875005 Merge pull request #967 from munnerz/unused-args
Remove unused arg from GenerateTemplate
2018-10-16 14:36:36 +01:00
James Munnelly
3b81bb594d Update unit tests
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-10-16 12:41:29 +01:00
James Munnelly
293bfd412f Update SignatureAlgorithm function to also return PublicKey type
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-10-16 12:31:24 +01:00
James Munnelly
03c6f1229f Remove unused arg from GenerateTemplate
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-10-16 12:29:38 +01:00
James Munnelly
09e0f1f188 Run //hack:update-bazel
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-10-16 10:27:04 +01:00
James Munnelly
f33561741f Remove unused/dead code
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-10-16 10:23:47 +01:00
James Munnelly
420683609b Add comments to pkg/util functions
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-10-16 10:16:34 +01:00
James Munnelly
84978d88d8 Add extra comments to acme and pki package
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-10-13 21:05:18 +01:00
James Munnelly
847d0c6152 Refactor controllers to return Response structures
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-10-12 12:40:38 +01:00
Max Ehrlich
41c7def791 Helper function to get PEM encoded bytes of x509 certs
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-09-13 17:07:14 -04:00
James Munnelly
b1f145625e Set up Bazel workspace with git status and pass ldflags
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-09-13 11:24:52 +01:00
James Munnelly
db65d6a170 run //hack:update-bazel
Signed-off-by: James Munnelly <james@munnelly.eu>
2018-09-13 11:24:48 +01:00
Max Ehrlich
6a9f1d2348 Update code to allow setting multiple organizations
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-09-08 16:21:13 -04:00
Max Ehrlich
340d2725e7 Generate certificates with the new organization field
Signed-off-by: Max Ehrlich <max.ehr@gmail.com>
2018-09-08 16:21:12 -04:00
James Munnelly
8d3d095a29 Add 'isCA' field to Certificate spec
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2018-08-14 10:32:48 +01:00
James Munnelly
51195e4c5f Update license header and add header to every file
Signed-off-by: James Munnelly <james.munnelly@jetstack.io>
2018-08-13 15:53:37 +01:00
James Munnelly
2110aacc3b Don't bundle the CA certificate when selfsigned 2018-08-09 16:32:10 +01:00
James Munnelly
503186c2d2 Add unit test for PublicKeyMatchesCertificate 2018-08-08 13:39:34 +01:00
James Munnelly
0dd3155fb2 Add logic to handle ready vs valid ACME orders 2018-08-08 13:39:34 +01:00
jetstack-bot
6348c6ffca Merge pull request #722 from autonomic-ai/support-ec-keys
Add keyAlgorithm and keySize fields to Certificates, and support ECDSA keys
2018-07-18 10:00:36 +01:00
Afolabi Badmos
445e522432 Add support for EC keys
- This PR adds two fields to CertificateSpec:
  - `keyAlgorithm`, denotes which algorithm to use when generating
    a private key. Can be either `rsa` or `ecdsa`. When not set, the
    default algorithm used is `rsa`.
  - `keySize`, denotes the key size of the private key being generated.
    For `rsa`, minimum key size is 2048 and maximum is 8192.
    For `ecdsa`, sizes 224, 256, 384 & 521 are supported.
    See https://golang.org/pkg/crypto/elliptic

- `keySize` can be set without being explicit about `keyAlgorithm`.
  - If `keySize` is specified and `keyAlgorithm` is not provided, `rsa` will
    be used as the key algorithm.

- `keyAlgorithm` can be set without being explicit about `keySize`.
  - If `keyAlgorithm` is specified and `keySize` is not provided, a
    key size of `256` will be used for the `ecdsa` key algorithm and a
    key size of `2048` will be used for the `rsa` key algorithm.

- helper functions in `pki` package now return crypto.PrivateKey
2018-07-17 12:42:07 -04:00
Louis Taylor
969c4530a0 Add Contains util function 2018-07-12 10:27:05 +01:00
James Munnelly
1fd8cdf13e Create common GenerateCSR and GenerateTemplate methods for creating Certificate/CertificateRequest 2018-06-08 15:15:27 +01:00
James Munnelly
b934852775 Merge branch 'master' into acmev2 2018-04-09 16:52:34 +01:00
Euan Kemp
6b4e33a483 util/useragent: use more verbose version 2018-04-06 18:09:52 -07:00
Euan Kemp
9c3b4e83b4 pkg/util/kube: set user-agent
This should make it slightly easier to filter api-server logs for
cert-manager activity
2018-04-06 18:09:17 -07:00
Euan Kemp
7f12fb346c issuer/acme: move 'user-agent' logic to util
This logic should be shared by things like the aws client as well.
2018-04-06 18:09:11 -07:00
James Munnelly
b866b8cdf4 Fix bug in EqualUnsorted when comparing lists of the same length 2018-04-04 23:40:08 +01:00
James Munnelly
f2ddd1d111 Change DNSNames/CommonNameForCertificate function to not return an error 2018-04-04 23:37:37 +01:00
James Munnelly
c3be0f204e Add ingress-shim controller to create Certificates based on annotations on ingress resources 2017-11-30 22:53:54 +00:00
jetstack-bot
e32147b695 Merge pull request #183 from munnerz/fix-issue-loop
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Improve validation of certificates. Fix bug in checking certificate validity

**What this PR does / why we need it**:

Improves the validation of dnsNames and commonNames on certificate resources.
Fixes a bug in checking certificate validity.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

Fixes #176, fixes #175

**Release note**:
```release-note
Fix a bug in checking certificate validity and improve validation of dnsNames and commonName
```
2017-11-04 01:00:30 +00:00
James Munnelly
ffbfe2da3d Use ordered RemoveDuplicates. Add additional test cases. 2017-11-04 00:44:08 +00:00
James Munnelly
74d711ceef Add unit tests for cert->dnsName and cert->CN functions 2017-11-04 00:10:42 +00:00
James Munnelly
f3db0df7b6 Add RemoveDuplicates unit test 2017-11-03 23:58:25 +00:00
James Munnelly
6ac437699d Improve validation of certificates. Fix bug in checking certificate validity 2017-11-03 23:48:18 +00:00
James Munnelly
422f8fc4be Add basic validation to ACME issuer 2017-11-03 23:35:58 +00:00
James Munnelly
fa7e052ac1 Move to github.com/jetstack/cert-manager repo 2017-11-03 16:41:39 +00:00
James Munnelly
eb4be6859e Update controllers and issuers for new SharedInformerFactory 2017-11-03 15:26:19 +00:00
James Munnelly
9d933d9e11 Only update certificate status in the controller package to stop conflicts 2017-10-13 20:15:29 +01:00