Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adding a new feature set for Public ACME servers #4244

Merged
merged 5 commits into from Aug 2, 2021
Merged

adding a new feature set for Public ACME servers #4244

merged 5 commits into from Aug 2, 2021

Conversation

RinkiyaKeDad
Copy link
Contributor

Signed-off-by: Arsh Sharma arshsharma461@gmail.com

What this PR does / why we need it:

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

Release note:

NONE

@RinkiyaKeDad
changes from pair programming session 22nd July
83f8069 
Signed-off-by: Arsh Sharma <arshsharma461@gmail.com>
@jetstack-bot jetstack-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/testing Issues relating to testing needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Jul 23, 2021
@jetstack-bot
Copy link
Collaborator

Hi @RinkiyaKeDad. Thanks for your PR.

I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 23, 2021
@RinkiyaKeDad
created a fs for long domain
2baaea3 
Signed-off-by: Arsh Sharma <arshsharma461@gmail.com>
@RinkiyaKeDad RinkiyaKeDad changed the title [WIP] adding a new feature set for Public ACME servers adding a new feature set for Public ACME servers Jul 27, 2021
@RinkiyaKeDad RinkiyaKeDad marked this pull request as ready for review July 27, 2021 14:33
@jetstack-bot jetstack-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 27, 2021
munnerz
munnerz reviewed Jul 29, 2021
View reviewed changes
test/e2e/framework/helper/featureset/featureset.go

// LongDomainFeatureSet denotes whether the target issuer is able to sign
// a certificate that defines a long domain
LongDomainFeatureSet Feature = "LongDomain"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is a LongDomain in this context? (i.e. how long?) - I'd have assumed all our issuers should be able to sign for any domain that is within the length restrictions noted in RFCs.

munnerz
munnerz reviewed Jul 29, 2021
View reviewed changes
test/e2e/suite/conformance/certificates/tests.go
@@ -795,7 +795,7 @@ func (s *Suite) Define() {
By("Sanity-check the issued Certificate")
err = f.Helper().ValidateCertificate(f.Namespace.Name, "testcert", validations...)
Expect(err).NotTo(HaveOccurred())
}, featureset.OnlySAN)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I see here that 'LongDomain' is defined as something that contains a subdomain segment that is maxLengthOfDomainSegment long (which I think is 63 characters) - I don't think any public ACME servers/Let's Encrypt's staging environment has a restriction on this? 🤔 if it does, and the 'pebble' based ACME server does not, then Pebble needs modifying to also fail in these cases as it aims to replicate the ACME RFC as closely as possible

Copy link
Member

@jakexks jakexks Jul 29, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue is with Let's Encrypt specifically rather than the ACME protocol. There's a discussion here: certbot/certbot#1915

Let's encrypt copies one of the names from the subject alternative name (which supports arbitrary length domains) to the Common Name field (which is useless in modern TLS). Unfortunately, this field has a maximum length of 64 chars (C definition, so bytes).

This isn't a problem with cert-manager as we don't set the subject CN at all

@jakexks
Copy link
Member

jakexks commented Jul 29, 2021

/ok-to-test

@jetstack-bot jetstack-bot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 29, 2021
@RinkiyaKeDad
testing: seeing if skip option fixes the failing tests
8ce7ca8 
Signed-off-by: Arsh Sharma <arshsharma461@gmail.com>
@RinkiyaKeDad
added comment for skip
58410f5 
Signed-off-by: Arsh Sharma <arshsharma461@gmail.com>
@RinkiyaKeDad
changes from pair programming sesh
89bf002 
Signed-off-by: Arsh Sharma <arshsharma461@gmail.com>
@jakexks
Copy link
Member

jakexks commented Aug 2, 2021

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Aug 2, 2021
@jakexks
Copy link
Member

jakexks commented Aug 2, 2021

/approve

@jetstack-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jakexks, RinkiyaKeDad

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 2, 2021
@RinkiyaKeDad
Copy link
Contributor Author

/kind feature

@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 2, 2021
@jetstack-bot jetstack-bot removed the needs-kind Indicates a PR lacks a `kind/foo` label and requires one. label Aug 2, 2021
@jetstack-bot jetstack-bot merged commit 94d854c into cert-manager:master Aug 2, 2021
@jetstack-bot jetstack-bot added this to the v1.5 milestone Aug 2, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@munnerz munnerz munnerz left review comments

@jakexks jakexks jakexks left review comments

Assignees

@jakexks jakexks

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. ok-to-test release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.5
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@RinkiyaKeDad @jetstack-bot @jakexks @munnerz