Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate user provided certificates #834

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Validate user provided certificates #834

wants to merge 1 commit into from

Conversation

petrutlucian94
Copy link
Contributor

We'll validate user provided certificates, checking fields such as:

  • Common Name
  • Organization
  • NotBefore, NotAfter
  • DNS Subject Alternative Name

Also, we ensure that the certificates are signed by the specified CAs.

@petrutlucian94 petrutlucian94 requested a review from a team as a code owner November 22, 2024 14:02
@petrutlucian94
Validate user provided certificates
3d28d7c 
We'll validate user provided certificates, checking fields such as:

* Common Name
* Organization
* NotBefore, NotAfter
* DNS Subject Alternative Name

Also, we ensure that the certificates are signed by the specified
CAs.
bschimke95
bschimke95 approved these changes Nov 25, 2024
View reviewed changes
Copy link
Contributor

@bschimke95 bschimke95 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, only minor nits and a question

src/k8s/pkg/k8sd/pki/control_plane.go
DNSSANs: []string{"kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"},
}
if err := certCheck.ValidateKeypair(c.APIServerCert, c.APIServerKey); err != nil {
return fmt.Errorf("kube-apiservert certificate validation failure: %w", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: typo

src/k8s/pkg/k8sd/pki/control_plane_test.go
@@ -142,4 +190,101 @@ func TestControlPlaneCertificates(t *testing.T) {
g.Expect(cert.DNSNames).To(ConsistOf(expectedDNSNames))
})
})

t.Run("InvalidSan", func(t *testing.T) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: InvalidSAN according to go convention

src/k8s/pkg/utils/pki/validate.go
}
}
for _, ip := range check.IPSANs {
if err := cert.VerifyHostname("[" + ip + "]"); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this IPv6-safe?
I guess ip cannot be [<ipv6>] so that we would have double brackets, right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bschimke95 bschimke95 bschimke95 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@petrutlucian94 @bschimke95