Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an option to filter expired certificates from bundle #273

Merged
merged 6 commits into from
Jan 17, 2024
Merged

Add an option to filter expired certificates from bundle #273

merged 6 commits into from
Jan 17, 2024

Conversation

Hoega
Copy link
Contributor

@Hoega Hoega commented Jan 13, 2024
edited

Closes #272

Add an option to skip expired certificates and exclude them from the bundle.

The option is defined as a cli parameter to be passed by the helm charts values:

filterExpiredCertificates:
  # -- Whether to filter expired certificates from the trust bundle.
  enabled: false

@jetstack-bot jetstack-bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jan 13, 2024
@Hoega Hoega force-pushed the feature/filter-expired-certificate branch from 876a408 to 8304f88 Compare January 15, 2024 10:04
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Jan 15, 2024
@Hoega Hoega force-pushed the feature/filter-expired-certificate branch from 45a5080 to 64c8cfb Compare January 15, 2024 11:49
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Jan 15, 2024
@Hoega Hoega marked this pull request as ready for review January 15, 2024 11:49
@jetstack-bot jetstack-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 15, 2024
@Hoega
Add an option to filter expired certificates from bundle
847ed9c 
Signed-off-by: Hoega <rouxelflorent@yahoo.fr>
@Hoega Hoega force-pushed the feature/filter-expired-certificate branch from 64c8cfb to 847ed9c Compare January 15, 2024 11:52
@erikgb
Copy link
Contributor

erikgb commented Jan 16, 2024

/ok-to-test

@erikgb
Copy link
Contributor

erikgb commented Jan 16, 2024

/test pull-trust-manager-verify

@erikgb
Copy link
Contributor

erikgb commented Jan 16, 2024

@Hoega Thanks a lot for this PR. I will try to review it soon!

Please run 'make -s update-helm-docs'

to fix the CI.

SgtCoDFish
SgtCoDFish reviewed Jan 16, 2024
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks really great - thank you for raising it! I've got a couple of comments - what do you think?

pkg/util/cert_pool.go Outdated
Comment on lines 57 to 58
// Append certificate to a pool
func (cp *certPool) appendCertFromPEM(PEMdata []byte) error {
func (cp *certPool) appendCertFromPEM(PEMdata []byte, filterExpiredCerts bool) error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: I can't imagine a situation where we'd need to configure filterExpiredCerts on a per-certificate basis like this.

Do you think it makes sense to add filterExpiredCerts as a boolean option on certPool, so we'd have newCertPool(filterExpiredCerts bool) *certPool instead and appendCertFromPEM would keep its current signature?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right, that would be better, I will make the change later. Thanks!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have created new functions with a certPool receiver to preserve the signature of the previous function. I am not an expert in Go, so please let me know if you think of a better approach.

pkg/util/pem.go Outdated
Comment on lines 46 to 47
func ValidateAndSanitizePEMBundle(data []byte, filterExpiredCerts bool) ([]byte, error) {
certificates, err := ValidateAndSplitPEMBundle(data, filterExpiredCerts)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: I'm uneasy about making a breaking change to an exported function here (and below with ValidateAndSplitPEMBundle) - I don't think we need to.

Can we change this so it's not breaking?

@jetstack-bot jetstack-bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. and removed dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Jan 16, 2024
@Hoega
Update helm docs
5401436 
Signed-off-by: Hoega <rouxelflorent@yahoo.fr>
@Hoega
Preserve util functions signature
a22f23f 
Signed-off-by: Hoega <rouxelflorent@yahoo.fr>
@Hoega Hoega force-pushed the feature/filter-expired-certificate branch from 9e2eac4 to a22f23f Compare January 16, 2024 14:04
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Jan 16, 2024
@erikgb
Copy link
Contributor

erikgb commented Jan 16, 2024

/test pull-trust-manager-verify

@Hoega
Reduce duplicated code in util pkg
f103e8e 
Signed-off-by: Hoega <rouxelflorent@yahoo.fr>
@Hoega @erikgb
Remove newline at the end of values.yaml
2951db3 
Co-authored-by: Erik Godding Boye <egboye@gmail.com>
Signed-off-by: Hoega <45895770+Hoega@users.noreply.github.com>
@Hoega Hoega force-pushed the feature/filter-expired-certificate branch from d04ab92 to 2951db3 Compare January 16, 2024 14:27
SgtCoDFish
SgtCoDFish reviewed Jan 16, 2024
View reviewed changes
pkg/util/cert_pool.go Outdated Show resolved Hide resolved
@Hoega
Implement options for pem functions
768009d 
Signed-off-by: Hoega <rouxelflorent@yahoo.fr>
SgtCoDFish
SgtCoDFish approved these changes Jan 17, 2024
View reviewed changes
Copy link
Member

@SgtCoDFish SgtCoDFish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

This looks great - really appreciate you raising this and getting involved in the community ❤️

I'll try to get around to releasing a new trust-manager version soon which will include this PR 😁

pkg/util/pem_test.go
Comment on lines +128 to +132
"valid bundle with valid certs and an expired cert": {
parts: []string{dummy.TestCertificate1, dummy.TestExpiredCertificate, dummy.TestCertificate3},
expectedOutput: []string{dummy.TestCertificate1, dummy.TestCertificate3},
expectErr: false,
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

comment: I think it'd be good to have a test that the expired cert is not removed if FilterExpired is false, but I don't think it should block this PR: I'll raise a followup PR to add that after this merges :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh wait, the cases above test that - you already have it tested 😁 Thank you!

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Jan 17, 2024
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 17, 2024
@jetstack-bot jetstack-bot merged commit 83f1a23 into cert-manager:main Jan 17, 2024
3 of 4 checks passed
@Hoega Hoega deleted the feature/filter-expired-certificate branch January 17, 2024 17:30
SgtCoDFish added a commit that referenced this pull request Jan 18, 2024
@SgtCoDFish
Merge pull request #275 from SgtCoDFish/validate-pem-tests
2180c78 
Test tweaks following #273
@erikgb erikgb mentioned this pull request Jan 21, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erikgb erikgb erikgb left review comments

@SgtCoDFish SgtCoDFish SgtCoDFish approved these changes

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. lgtm Indicates that a PR is ready to be merged. ok-to-test size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add option to filter out expired certificates
4 participants
@Hoega @erikgb @jetstack-bot @SgtCoDFish