
internal: allow multiple SANs in upstream validation
Signed-off-by: Clay Kauzlaric <[email protected]>
KauzClay committed Oct 13, 2023
1 parent af938e6 commit eb6760d
Showing 12 changed files with 394 additions and 17 deletions.
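--- a/apis/projectcontour/v1/httpproxy.go
+++ b/apis/projectcontour/v1/httpproxy.go
@@ -1306,14 +1306,24 @@ type HeaderValue struct {
 }
 
 // UpstreamValidation defines how to verify the backend service's certificate
+// +kubebuilder:validation:XValidation:message="subjectNames[0] must equal subjectName if set",rule="has(self.subjectNames) ? self.subjectNames[0] == self.subjectName : true"
 type UpstreamValidation struct {
 // Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
 // The secret must contain key named ca.crt.
 // The name can be optionally prefixed with namespace "namespace/name".
 // When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
 CACertificate string `json:"caSecret"`
 // Key which is expected to be present in the 'subjectAltName' of the presented certificate.
+// Deprecated, migrate to using the plural field subjectNames.
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=256
 SubjectName string `json:"subjectName"`
+// List of keys, of which at least one is expected to be present in the 'subjectAltName of the
+// presented certificate.
+// +optional
+// +kubebuilder:validation:MinItems=1
+// +kubebuilder:validation:MaxItems=8
+SubjectNames []string `json:"subjectNames"`
 }
 
 // DownstreamValidation defines how to verify the client certificate.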
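Review bot: The new `SubjectNames` entries carry no per-item length bounds, while the sibling `SubjectName` field in the same struct is constrained with MinLength=1/MaxLength=256, so the generated schema accepts an empty string or an arbitrarily long entry inside the list that it would reject in the single field. Adding `// +kubebuilder:validation:items:MinLength=1` and `// +kubebuilder:validation:items:MaxLength=256` above `SubjectNames` keeps the two fields' validation consistent and avoids pushing an empty SAN matcher down to the proxy. The doc comment on the new field also has an unclosed quote (`'subjectAltName of the` should read `'subjectAltName' of the`), and the deprecation on `SubjectName` would be surfaced by Go tooling if written as `// Deprecated: migrate to using the plural field subjectNames.`. Since this field is what the upstream certificate check hinges on, the comment should also say how each entry is compared against the certificate's SAN list (exact match or otherwise); that cannot be determined from this hunk.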
9 changes: 7 additions & 2 deletions apis/projectcontour/v1/zz_generated.deepcopy.go


2 changes: 1 addition & 1 deletion apis/projectcontour/v1alpha1/zz_generated.deepcopy.go


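--- a/examples/contour/01-crds.yaml
+++ b/examples/contour/01-crds.yaml
@@ -4750,12 +4750,27 @@ spec:
 type: string
 subjectName:
 description: Key which is expected to be present in the 'subjectAltName'
-of the presented certificate.
+of the presented certificate. Deprecated, migrate to using the
+plural field subjectNames.
+maxLength: 256
+minLength: 1
 type: string
+subjectNames:
+description: List of keys, of which at least one is expected to
+be present in the 'subjectAltName of the presented certificate.
+items:
+type: string
+maxItems: 8
+minItems: 1
+type: array
 required:
 - caSecret
 - subjectName
 type: object
+x-kubernetes-validations:
+- message: subjectNames[0] must equal subjectName if set
+rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName
+: true'
 required:
 - services
 type: object
@@ -6382,11 +6397,27 @@ spec:
 subjectName:
 description: Key which is expected to be present in
 the 'subjectAltName' of the presented certificate.
+Deprecated, migrate to using the plural field subjectNames.
+maxLength: 256
+minLength: 1
 type: string
+subjectNames:
+description: List of keys, of which at least one is
+expected to be present in the 'subjectAltName of
+the presented certificate.
+items:
+type: string
+maxItems: 8
+minItems: 1
+type: array
 required:
 - caSecret
 - subjectName
 type: object
+x-kubernetes-validations:
+- message: subjectNames[0] must equal subjectName if set
+rule: 'has(self.subjectNames) ? self.subjectNames[0]
+== self.subjectName : true'
 weight:
 description: Weight defines percentage of traffic to balance
 traffic
@@ -6777,11 +6808,27 @@ spec:
 subjectName:
 description: Key which is expected to be present in
 the 'subjectAltName' of the presented certificate.
+Deprecated, migrate to using the plural field subjectNames.
+maxLength: 256
+minLength: 1
 type: string
+subjectNames:
+description: List of keys, of which at least one is
+expected to be present in the 'subjectAltName of the
+presented certificate.
+items:
+type: string
+maxItems: 8
+minItems: 1
+type: array
 required:
 - caSecret
 - subjectName
 type: object
+x-kubernetes-validations:
+- message: subjectNames[0] must equal subjectName if set
+rule: 'has(self.subjectNames) ? self.subjectNames[0] ==
+self.subjectName : true'
 weight:
 description: Weight defines percentage of traffic to balance
 traffic
@@ -7099,11 +7146,29 @@ spec:
 subjectName:
 description: Key which is expected to be present
 in the 'subjectAltName' of the presented certificate.
+Deprecated, migrate to using the plural field
+subjectNames.
+maxLength: 256
+minLength: 1
 type: string
+subjectNames:
+description: List of keys, of which at least one
+is expected to be present in the 'subjectAltName
+of the presented certificate.
+items:
+type: string
+maxItems: 8
+minItems: 1
+type: array
 required:
 - caSecret
 - subjectName
 type: object
+x-kubernetes-validations:
+- message: subjectNames[0] must equal subjectName if
+set
+rule: 'has(self.subjectNames) ? self.subjectNames[0]
+== self.subjectName : true'
 required:
 - uri
 type: object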
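--- a/examples/render/contour-deployment.yaml
+++ b/examples/render/contour-deployment.yaml
@@ -4969,12 +4969,27 @@ spec:
 type: string
 subjectName:
 description: Key which is expected to be present in the 'subjectAltName'
-of the presented certificate.
+of the presented certificate. Deprecated, migrate to using the
+plural field subjectNames.
+maxLength: 256
+minLength: 1
 type: string
+subjectNames:
+description: List of keys, of which at least one is expected to
+be present in the 'subjectAltName of the presented certificate.
+items:
+type: string
+maxItems: 8
+minItems: 1
+type: array
 required:
 - caSecret
 - subjectName
 type: object
+x-kubernetes-validations:
+- message: subjectNames[0] must equal subjectName if set
+rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName
+: true'
 required:
 - services
 type: object
@@ -6601,11 +6616,27 @@ spec:
 subjectName:
 description: Key which is expected to be present in
 the 'subjectAltName' of the presented certificate.
+Deprecated, migrate to using the plural field subjectNames.
+maxLength: 256
+minLength: 1
 type: string
+subjectNames:
+description: List of keys, of which at least one is
+expected to be present in the 'subjectAltName of
+the presented certificate.
+items:
+type: string
+maxItems: 8
+minItems: 1
+type: array
 required:
 - caSecret
 - subjectName
 type: object
+x-kubernetes-validations:
+- message: subjectNames[0] must equal subjectName if set
+rule: 'has(self.subjectNames) ? self.subjectNames[0]
+== self.subjectName : true'
 weight:
 description: Weight defines percentage of traffic to balance
 traffic
@@ -6996,11 +7027,27 @@ spec:
 subjectName:
 description: Key which is expected to be present in
 the 'subjectAltName' of the presented certificate.
+Deprecated, migrate to using the plural field subjectNames.
+maxLength: 256
+minLength: 1
 type: string
+subjectNames:
+description: List of keys, of which at least one is
+expected to be present in the 'subjectAltName of the
+presented certificate.
+items:
+type: string
+maxItems: 8
+minItems: 1
+type: array
 required:
 - caSecret
 - subjectName
 type: object
+x-kubernetes-validations:
+- message: subjectNames[0] must equal subjectName if set
+rule: 'has(self.subjectNames) ? self.subjectNames[0] ==
+self.subjectName : true'
 weight:
 description: Weight defines percentage of traffic to balance
 traffic
@@ -7318,11 +7365,29 @@ spec:
 subjectName:
 description: Key which is expected to be present
 in the 'subjectAltName' of the presented certificate.
+Deprecated, migrate to using the plural field
+subjectNames.
+maxLength: 256
+minLength: 1
 type: string
+subjectNames:
+description: List of keys, of which at least one
+is expected to be present in the 'subjectAltName
+of the presented certificate.
+items:
+type: string
+maxItems: 8
+minItems: 1
+type: array
 required:
 - caSecret
 - subjectName
 type: object
+x-kubernetes-validations:
+- message: subjectNames[0] must equal subjectName if
+set
+rule: 'has(self.subjectNames) ? self.subjectNames[0]
+== self.subjectName : true'
 required:
 - uri
 type: object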
