-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an option to filter expired certificates from bundle #273
Add an option to filter expired certificates from bundle #273
Conversation
876a408
to
8304f88
Compare
45a5080
to
64c8cfb
Compare
Signed-off-by: Hoega <rouxelflorent@yahoo.fr>
64c8cfb
to
847ed9c
Compare
/ok-to-test |
/test pull-trust-manager-verify |
@Hoega Thanks a lot for this PR. I will try to review it soon!
to fix the CI. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks really great - thank you for raising it! I've got a couple of comments - what do you think?
pkg/util/cert_pool.go
Outdated
// Append certificate to a pool | ||
func (cp *certPool) appendCertFromPEM(PEMdata []byte) error { | ||
func (cp *certPool) appendCertFromPEM(PEMdata []byte, filterExpiredCerts bool) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggestion: I can't imagine a situation where we'd need to configure filterExpiredCerts
on a per-certificate basis like this.
Do you think it makes sense to add filterExpiredCerts
as a boolean option on certPool
, so we'd have newCertPool(filterExpiredCerts bool) *certPool
instead and appendCertFromPEM
would keep its current signature?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right, that would be better, I will make the change later. Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have created new functions with a certPool receiver to preserve the signature of the previous function. I am not an expert in Go, so please let me know if you think of a better approach.
pkg/util/pem.go
Outdated
func ValidateAndSanitizePEMBundle(data []byte, filterExpiredCerts bool) ([]byte, error) { | ||
certificates, err := ValidateAndSplitPEMBundle(data, filterExpiredCerts) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggestion: I'm uneasy about making a breaking change to an exported function here (and below with ValidateAndSplitPEMBundle
) - I don't think we need to.
Can we change this so it's not breaking?
Signed-off-by: Hoega <rouxelflorent@yahoo.fr>
Signed-off-by: Hoega <rouxelflorent@yahoo.fr>
9e2eac4
to
a22f23f
Compare
/test pull-trust-manager-verify |
Signed-off-by: Hoega <rouxelflorent@yahoo.fr>
Co-authored-by: Erik Godding Boye <egboye@gmail.com> Signed-off-by: Hoega <45895770+Hoega@users.noreply.github.com>
d04ab92
to
2951db3
Compare
Signed-off-by: Hoega <rouxelflorent@yahoo.fr>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
This looks great - really appreciate you raising this and getting involved in the community ❤️
I'll try to get around to releasing a new trust-manager version soon which will include this PR 😁
"valid bundle with valid certs and an expired cert": { | ||
parts: []string{dummy.TestCertificate1, dummy.TestExpiredCertificate, dummy.TestCertificate3}, | ||
expectedOutput: []string{dummy.TestCertificate1, dummy.TestCertificate3}, | ||
expectErr: false, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comment: I think it'd be good to have a test that the expired cert is not removed if FilterExpired is false, but I don't think it should block this PR: I'll raise a followup PR to add that after this merges :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh wait, the cases above test that - you already have it tested 😁 Thank you!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: SgtCoDFish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Closes #272
Add an option to skip expired certificates and exclude them from the bundle.
The option is defined as a cli parameter to be passed by the helm charts values: