New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add v1beta1 API version #3038
add v1beta1 API version #3038
Conversation
2e52a4b
to
dced9e5
Compare
/test pull-cert-manager-e2e-v1-11 |
/test pull-cert-manager-e2e-v1-11 |
3 similar comments
/test pull-cert-manager-e2e-v1-11 |
/test pull-cert-manager-e2e-v1-11 |
/test pull-cert-manager-e2e-v1-11 |
|
||
const ( | ||
// minimum permitted certificate duration by cert-manager | ||
MinimumCertificateDuration = time.Hour |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is funny.... is this enforced somewhere? I remember being able to set it lower than this (which caused a disaster), i don't remember it being enforced in the validating webhook.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good question.. I'm actually not too sure. I think it may not be, and it's also quite a difficult thing for us to enforce given the CA can override the behaviour.
All of cert-manager code needs to tolerate any duration, and can't really rely on this being true.
That said, supposing a CA returns a Certificate valid for 1s, or a user requests a certificate valid for 1s, what would we really want to happen here? That's an excessively short duration, and will lead to cert-manager performing lots of certificate requests.
As a cluster administrator, I'd like to have some guard against this. Perhaps a flag on the controller which is a universal minimum value? (could be enforced by the webhook then?).
How we do handle the case where a user doesn't explicitly set a duration, yet the CA still returns one valid for 1s? Should we go into that tight request loop despite the minimum duration not being met?
Thinking even further.. what if a CA returns a certificate that is already expired?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is used in the validation functions:
git grep MinimumCertificateDuration
pkg/apis/certmanager/v1alpha2/const.go: MinimumCertificateDuration = time.Hour
pkg/apis/certmanager/v1alpha3/const.go: MinimumCertificateDuration = time.Hour
pkg/internal/apis/certmanager/validation/certificate.go: if duration < cmapiv1alpha2.MinimumCertificateDuration {
pkg/internal/apis/certmanager/validation/certificate.go: el = append(el, field.Invalid(fldPath.Child("duration"), duration, fmt.Sprintf("certificate duration must be greater than %s", cmapiv1alpha2.MinimumCertificateDuration)))
pkg/internal/apis/certmanager/validation/certificate_test.go: errs: []*field.Error{field.Invalid(fldPath.Child("duration"), usefulDurations["half hour"].Duration, fmt.Sprintf("certificate duration must be greater than %s", cmapiv1alpha2.MinimumCertificateDuration))},
...but I also remember setting duration lower than this in the nginx workshop, so is the validation broken?
Or, perhaps we never set the duration and relied instead on the TPP policy to set a duration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Opened #3067 to track this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wallrj venafi doesn't support setting the duration so yes we did there, however i tested this with the CA issuer before. Was before experimental controllers so cannot tell how it behaves now.
caeaf27
to
61bcdd3
Compare
/test all |
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
@@ -168,15 +168,31 @@ type ACMEChallenge struct { | |||
} | |||
|
|||
// ACMEChallengeType denotes a type of ACME challenge | |||
// +kubebuilder:validation:Enum=http-01;dns-01 | |||
// +kubebuilder:validation:Enum=http-01;dns-01;tls-alpn-01;tls-sni-01;tls-sni-02 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i don't think we should validate these.
The source of these comes from the API not the user, the use case for validation is minimal. But that doesn't fully make the case.
"tls-alpn-01"
already makes a point here that the spec allows to add more validation methods. cert-manager misbehaves is it find a challenge type that isn't in this list as the API is not able to store it as it is "invalid", this causes all old cert-manager versions to not be able to issue certificates the moment let's encrypt (or another ACME issuer) adds any new validation type
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i found this out the hard way in 799d253
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not so sure - our own controllers only support a limited set of types, so I was considering also modifying the controller as part of this PR to reject unknown challenge types too.
Whilst tls-alpn-01
does demonstrate new ones can be added, we don't have an extensibility story that will actually allow these to be implemented just yet. I feel like we'd be better to leave the allowed values as http-01
and dns-01
only and then throw anything that isn't recognised away? Not sure 🤷♂️
If, for example, a user creates a Challenge resource manually and specifies type
as NOT_REAL
, it'd be far more useful if that create call fails and says "only HTTP-01 and DNS-01 allowed"
WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am pro limiting these to the ones we support where our controller is fully tested for that behavior.
// Type is the type of ACME challenge this resource represents, e.g. "dns01" | ||
// or "http01". | ||
// Type is the type of ACME challenge this resource represents. | ||
// One of "http-01" or "dns-01". | ||
Type ACMEChallengeType `json:"type"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe worth expanding that these 2 are supported by cert-manager but other values exist
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 , but let's keep convo in #3038 (comment)
Wildcard bool `json:"wildcard"` | ||
|
||
// The type of ACME challenge this resource represents. | ||
// One of "HTTP-01" or "DNS-01". |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same on the two types here
// "timestamping", | ||
// "ocsp signing", | ||
// "microsoft sgc", | ||
// "netscape sgc" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One day I am gonna blog about Netscape + cert-manager
@munnerz just the acme things then lgtm |
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
Signed-off-by: James Munnelly <james@munnelly.eu>
/test pull-cert-manager-e2e-v1-18 |
/lgtm |
/unhold |
What this PR does / why we need it:
Adds the v1beta1 API version.
Special notes for your reviewer:
This is WIP as I am still implementing actual changes we've described in the google doc for the v1beta1 API.
Opening this now so I can be sure I'm keeping things green with each commit 😄
Release note:
/kind feature
/area api
/hold