Add some business validation on issuers

tsuru · Aug 16, 2024 · 300c285 · 300c285
1 parent 327efe7
commit 300c285
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 0 deletions.
diff --git a/internal/pkg/rpaas/certificates.go b/internal/pkg/rpaas/certificates.go
@@ -7,6 +7,7 @@ package rpaas
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"
 
 	cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
@@ -71,6 +72,28 @@ func (m *k8sRpaasManager) UpdateCertManagerRequest(ctx context.Context, instance
 		return err
 	}
 
+	if issuerAnnotations[maxDNSNamesAnnotation] != "" {
+		maxDNSName, _ := strconv.Atoi(issuerAnnotations[maxDNSNamesAnnotation])
+		if len(in.DNSNames) > maxDNSName {
+			return &ValidationError{Msg: fmt.Sprintf("maximum number of DNS names exceeded (maximum allowed: %d)", maxDNSName)}
+		}
+	}
+
+	if issuerAnnotations[maxIPsAnnotation] != "" {
+		maxIPs, _ := strconv.Atoi(issuerAnnotations[maxIPsAnnotation])
+		if len(in.IPAddresses) > maxIPs {
+			return &ValidationError{Msg: fmt.Sprintf("maximum number of IP Addresses exceeded (maximum allowed: %d)", maxIPs)}
+		}
+	}
+
+	if issuerAnnotations[allowWildcardAnnotation] == "false" {
+		for _, dnsName := range in.DNSNames {
+			if strings.HasPrefix(dnsName, "*") {
+				return &ValidationError{Msg: "wildcard DNS names are not allowed on this issuer"}
+			}
+		}
+	}
+
 	newRequest := v1alpha1.CertManager{
 		Name:        in.Name,
 		Issuer:      issuer,

diff --git a/internal/pkg/rpaas/certificates_test.go b/internal/pkg/rpaas/certificates_test.go
@@ -131,6 +131,16 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
 				},
 			},
 		},
+		&cmv1.ClusterIssuer{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "issuer-2",
+				Annotations: map[string]string{
+					maxDNSNamesAnnotation:   "1",
+					maxIPsAnnotation:        "0",
+					allowWildcardAnnotation: "false",
+				},
+			},
+		},
 		&cmv1.ClusterIssuer{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "default-issuer",
@@ -237,6 +247,42 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
 			expectedError: "there is some DNS name with forbidden suffix (invalid ones: wrong.io, wrong.com - allowed DNS suffixes: example.com, example.org)",
 		},
 
+		"with exceeded number of DNS names": {
+			instanceName: "my-instance-1",
+			certManager: clientTypes.CertManager{
+				DNSNames: []string{"my-instance-1.example.com", "my-instance-1.example.org"},
+			},
+			cfg: config.RpaasConfig{
+				EnableCertManager:        true,
+				DefaultCertManagerIssuer: "issuer-2",
+			},
+			expectedError: "maximum number of DNS names exceeded (maximum allowed: 1)",
+		},
+
+		"with exceeded number of IP Addresses": {
+			instanceName: "my-instance-1",
+			certManager: clientTypes.CertManager{
+				IPAddresses: []string{"10.1.1.1"},
+			},
+			cfg: config.RpaasConfig{
+				EnableCertManager:        true,
+				DefaultCertManagerIssuer: "issuer-2",
+			},
+			expectedError: "maximum number of IP Addresses exceeded (maximum allowed: 0)",
+		},
+
+		"with forbidden use of wildcards": {
+			instanceName: "my-instance-1",
+			certManager: clientTypes.CertManager{
+				DNSNames: []string{"*.example.org"},
+			},
+			cfg: config.RpaasConfig{
+				EnableCertManager:        true,
+				DefaultCertManagerIssuer: "issuer-2",
+			},
+			expectedError: "wildcard DNS names are not allowed on this issuer",
+		},
+
 		"using wrong certificate issuer from configs": {
 			instanceName: "my-instance-1",
 			certManager: clientTypes.CertManager{

diff --git a/internal/pkg/rpaas/k8s.go b/internal/pkg/rpaas/k8s.go
@@ -72,6 +72,9 @@ const (
 
 	externalDNSHostnameLabel  = "external-dns.alpha.kubernetes.io/hostname"
 	allowedDNSZonesAnnotation = "rpaas.extensions.tsuru.io/allowed-dns-zones"
+	maxDNSNamesAnnotation     = "rpaas.extensions.tsuru.io/cert-manager-max-dns-names"
+	maxIPsAnnotation          = "rpaas.extensions.tsuru.io/cert-manager-max-ips"
+	allowWildcardAnnotation   = "rpaas.extensions.tsuru.io/cert-manager-allow-wildcard"
 
 	nginxContainerName = "nginx"
 )