Skip to content

Commit

Permalink
allow multiple SANS in upstream validation (projectcontour#5849)
Browse files Browse the repository at this point in the history 
Signed-off-by: Clay Kauzlaric <[email protected]>
  • Loading branch information
@KauzClay
KauzClay authored Jan 5, 2024
1 parent 387e6a7 commit c1dd2da
Show file tree
Hide file tree
Showing 27 changed files with 783 additions and 110 deletions.
13 changes: 13 additions & 0 deletions apis/projectcontour/v1/httpproxy.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1306,14 +1306,27 @@ type HeaderValue struct {
}

// UpstreamValidation defines how to verify the backend service's certificate
// +kubebuilder:validation:XValidation:message="subjectNames[0] must equal subjectName if set",rule="has(self.subjectNames) ? self.subjectNames[0] == self.subjectName : true"
type UpstreamValidation struct {
// Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
// The secret must contain key named ca.crt.
// The name can be optionally prefixed with namespace "namespace/name".
// When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
// Max length should be the actual max possible length of a namespaced name (63 + 253 + 1 = 317)
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=317
CACertificate string `json:"caSecret"`
// Key which is expected to be present in the 'subjectAltName' of the presented certificate.
// Deprecated: migrate to using the plural field subjectNames.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=250
SubjectName string `json:"subjectName"`
// List of keys, of which at least one is expected to be present in the 'subjectAltName of the
// presented certificate.
// +optional
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=8
SubjectNames []string `json:"subjectNames"`
}

// DownstreamValidation defines how to verify the client certificate.
Expand Down
9 changes: 7 additions & 2 deletions apis/projectcontour/v1/zz_generated.deepcopy.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion apis/projectcontour/v1alpha1/zz_generated.deepcopy.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions changelogs/unreleased/5849-KauzClay-deprecation.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
## Deprecate `subjectName` field on UpstreamValidation

The `subjectName` field is being deprecated in favor of `subjectNames`, which is
an list of subjectNames. `subjectName` will continue to behave as it has. If
using `subjectNames`, the first entry in `subjectNames` must match the value of
`subjectName`. this will be enforced by CEL validation.
5 changes: 5 additions & 0 deletions changelogs/unreleased/5849-KauzClay-minor.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
## Allow Multiple SANs in Upstream Validation section of HTTPProxy

This change introduces a max length of 250 characters to the field `subjectName` in the UpstreamValidation block.

Allow multiple SANs in Upstream Validation by adding a new field `subjectNames` to the UpstreamValidtion block. This will exist side by side with the previous `subjectName` field. Using CEL validation, we can enforce that when both are present, the first entry in `subjectNames` must match the value of `subjectName`.
104 changes: 92 additions & 12 deletions examples/contour/01-crds.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5033,16 +5033,35 @@ spec:
secret must contain key named ca.crt. The name can be optionally
prefixed with namespace "namespace/name". When cross-namespace
reference is used, TLSCertificateDelegation resource must exist
in the namespace to grant access to the secret.
in the namespace to grant access to the secret. Max length should
be the actual max possible length of a namespaced name (63 +
253 + 1 = 317)
maxLength: 317
minLength: 1
type: string
subjectName:
description: Key which is expected to be present in the 'subjectAltName'
of the presented certificate.
description: 'Key which is expected to be present in the ''subjectAltName''
of the presented certificate. Deprecated: migrate to using the
plural field subjectNames.'
maxLength: 250
minLength: 1
type: string
subjectNames:
description: List of keys, of which at least one is expected to
be present in the 'subjectAltName of the presented certificate.
items:
type: string
maxItems: 8
minItems: 1
type: array
required:
- caSecret
- subjectName
type: object
x-kubernetes-validations:
- message: subjectNames[0] must equal subjectName if set
rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName
: true'
required:
- services
type: object
Expand Down Expand Up @@ -6664,16 +6683,35 @@ spec:
namespace "namespace/name". When cross-namespace
reference is used, TLSCertificateDelegation resource
must exist in the namespace to grant access to the
secret.
secret. Max length should be the actual max possible
length of a namespaced name (63 + 253 + 1 = 317)
maxLength: 317
minLength: 1
type: string
subjectName:
description: Key which is expected to be present in
the 'subjectAltName' of the presented certificate.
description: 'Key which is expected to be present
in the ''subjectAltName'' of the presented certificate.
Deprecated: migrate to using the plural field subjectNames.'
maxLength: 250
minLength: 1
type: string
subjectNames:
description: List of keys, of which at least one is
expected to be present in the 'subjectAltName of
the presented certificate.
items:
type: string
maxItems: 8
minItems: 1
type: array
required:
- caSecret
- subjectName
type: object
x-kubernetes-validations:
- message: subjectNames[0] must equal subjectName if set
rule: 'has(self.subjectNames) ? self.subjectNames[0]
== self.subjectName : true'
weight:
description: Weight defines percentage of traffic to balance
traffic
Expand Down Expand Up @@ -7059,16 +7097,36 @@ spec:
ca.crt. The name can be optionally prefixed with namespace
"namespace/name". When cross-namespace reference is
used, TLSCertificateDelegation resource must exist
in the namespace to grant access to the secret.
in the namespace to grant access to the secret. Max
length should be the actual max possible length of
a namespaced name (63 + 253 + 1 = 317)
maxLength: 317
minLength: 1
type: string
subjectName:
description: Key which is expected to be present in
the 'subjectAltName' of the presented certificate.
description: 'Key which is expected to be present in
the ''subjectAltName'' of the presented certificate.
Deprecated: migrate to using the plural field subjectNames.'
maxLength: 250
minLength: 1
type: string
subjectNames:
description: List of keys, of which at least one is
expected to be present in the 'subjectAltName of the
presented certificate.
items:
type: string
maxItems: 8
minItems: 1
type: array
required:
- caSecret
- subjectName
type: object
x-kubernetes-validations:
- message: subjectNames[0] must equal subjectName if set
rule: 'has(self.subjectNames) ? self.subjectNames[0] ==
self.subjectName : true'
weight:
description: Weight defines percentage of traffic to balance
traffic
Expand Down Expand Up @@ -7381,16 +7439,38 @@ spec:
namespace "namespace/name". When cross-namespace
reference is used, TLSCertificateDelegation resource
must exist in the namespace to grant access to
the secret.
the secret. Max length should be the actual max
possible length of a namespaced name (63 + 253
+ 1 = 317)
maxLength: 317
minLength: 1
type: string
subjectName:
description: Key which is expected to be present
in the 'subjectAltName' of the presented certificate.
description: 'Key which is expected to be present
in the ''subjectAltName'' of the presented certificate.
Deprecated: migrate to using the plural field
subjectNames.'
maxLength: 250
minLength: 1
type: string
subjectNames:
description: List of keys, of which at least one
is expected to be present in the 'subjectAltName
of the presented certificate.
items:
type: string
maxItems: 8
minItems: 1
type: array
required:
- caSecret
- subjectName
type: object
x-kubernetes-validations:
- message: subjectNames[0] must equal subjectName if
set
rule: 'has(self.subjectNames) ? self.subjectNames[0]
== self.subjectName : true'
required:
- uri
type: object
Expand Down
Loading

0 comments on commit c1dd2da

Please sign in to comment.