
internal/dag: improve TLS secrets validation #1714

Merged (1 commit, Oct 18, 2019)

Conversation

jpeach (Contributor) commented Oct 16, 2019

Clarify the validation of the types of secrets that Contour
will accept for TLS key+cert pairs and CA certificate bundles.

Contour only accepts TLS key+cert pairs from secrets of type
"kubernetes.io/tls". These secrets may contain an additional
"ca.crt" field that stores the CA certificate bundle.

Contour will otherwise accept CA certificate bundles from
generic secrets (whose type is "Opaque" or is empty).

Contour will ignore all other types of secrets.

This fixes #1697.

Signed-off-by: James Peach [email protected]
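The rule in the description above, written out as a small standalone Go program. This is an added example, not Contour's `internal/dag` code: the `Secret` struct stands in for the `k8s.io/api` core/v1 type, `Classify` and `Kind` are hypothetical names, the PEM bodies are constructed dummies, and the PEM block-type check goes slightly beyond the page, which states only the type and field rule.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"strings"
)

// Secret is a minimal stand-in for a Kubernetes core/v1 Secret, constructed
// for this example; Contour itself works with the k8s.io/api types.
type Secret struct {
	Name string
	Type string            // "kubernetes.io/tls", "Opaque" or "" (untyped)
	Data map[string][]byte // decoded field values
}

// Well-known Kubernetes secret types and field names.
const (
	SecretTypeTLS    = "kubernetes.io/tls"
	SecretTypeOpaque = "Opaque"
	TLSCertKey       = "tls.crt"
	TLSPrivateKeyKey = "tls.key"
	CACertKey        = "ca.crt"
)

// Kind is how the rule classifies a secret (hypothetical name).
type Kind int

const (
	Ignored  Kind = iota // not usable for anything
	TLSPair              // key+cert pair, optionally carrying a CA bundle
	CABundle             // CA certificate bundle only
)

func (k Kind) String() string {
	return [...]string{"ignored", "tls-pair", "ca-bundle"}[k]
}

// checkPEM requires field key to be present and to decode as a PEM block
// whose type satisfies accept. The block-type check is an extra sanity
// check added here; the page only states the type/field rule.
func checkPEM(s *Secret, key string, accept func(string) bool) error {
	raw, ok := s.Data[key]
	if !ok || len(raw) == 0 {
		return fmt.Errorf("secret %q: missing field %q", s.Name, key)
	}
	block, _ := pem.Decode(raw)
	if block == nil {
		return fmt.Errorf("secret %q: field %q is not PEM encoded", s.Name, key)
	}
	if !accept(block.Type) {
		return fmt.Errorf("secret %q: field %q has unexpected PEM type %q", s.Name, key, block.Type)
	}
	return nil
}

func isCertificate(t string) bool { return t == "CERTIFICATE" }
func isPrivateKey(t string) bool  { return strings.HasSuffix(t, "PRIVATE KEY") }

// Classify applies the rule from the PR description: a kubernetes.io/tls
// secret must carry tls.crt and tls.key and may carry ca.crt; an Opaque or
// untyped secret may only supply a ca.crt bundle; any other type is ignored.
func Classify(s *Secret) (Kind, error) {
	switch s.Type {
	case SecretTypeTLS:
		if err := checkPEM(s, TLSCertKey, isCertificate); err != nil {
			return Ignored, err
		}
		if err := checkPEM(s, TLSPrivateKeyKey, isPrivateKey); err != nil {
			return Ignored, err
		}
		// ca.crt is optional here, but if present it must hold certificates.
		if _, present := s.Data[CACertKey]; present {
			if err := checkPEM(s, CACertKey, isCertificate); err != nil {
				return Ignored, err
			}
		}
		return TLSPair, nil
	case SecretTypeOpaque, "":
		if err := checkPEM(s, CACertKey, isCertificate); err != nil {
			return Ignored, err
		}
		return CABundle, nil
	default:
		return Ignored, fmt.Errorf("secret %q: unsupported type %q", s.Name, s.Type)
	}
}

// Constructed placeholder PEM bodies; the base64 payload is dummy data, not key material.
var (
	DummyCertPEM = []byte("-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n")
	DummyKeyPEM  = []byte("-----BEGIN EC PRIVATE KEY-----\nQUJD\n-----END EC PRIVATE KEY-----\n")
)

func main() {
	secrets := []*Secret{
		{Name: "tls-with-ca", Type: SecretTypeTLS, Data: map[string][]byte{TLSCertKey: DummyCertPEM, TLSPrivateKeyKey: DummyKeyPEM, CACertKey: DummyCertPEM}},
		{Name: "tls-missing-key", Type: SecretTypeTLS, Data: map[string][]byte{TLSCertKey: DummyCertPEM}},
		{Name: "opaque-ca", Type: SecretTypeOpaque, Data: map[string][]byte{CACertKey: DummyCertPEM}},
		{Name: "untyped-ca", Type: "", Data: map[string][]byte{CACertKey: DummyCertPEM}},
		{Name: "opaque-with-tls-fields", Type: SecretTypeOpaque, Data: map[string][]byte{TLSCertKey: DummyCertPEM, TLSPrivateKeyKey: DummyKeyPEM}},
		{Name: "docker-config", Type: "kubernetes.io/dockerconfigjson", Data: map[string][]byte{".dockerconfigjson": []byte("{}")}},
	}
	for _, s := range secrets {
		kind, err := Classify(s)
		fmt.Printf("%-24s %-10s %v\n", s.Name, kind, err)
	}
}
```

Note the `opaque-with-tls-fields` case: an Opaque secret that happens to carry `tls.crt` and `tls.key` is still rejected as a key+cert pair, which is the point of keying the rule on the secret type rather than on which fields are present.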

jpeach (Contributor, Author) commented Oct 16, 2019

cc @mattalberts

@davecheney added this to the 1.0.0-rc.2 milestone Oct 16, 2019

davecheney (Contributor) left a comment

LGTM. Thank you

youngnick (Member) left a comment

LGTM, I also agree with @davecheney that assert.Equal is your friend.

jpeach (Contributor, Author) commented Oct 18, 2019

I rebased and updated the error messages for (IMHO) clarity. I'll leave this PR open for a while in case there is additional feedback.

@jpeach jpeach merged commit 46d3ae3 into projectcontour:master Oct 18, 2019
@jpeach jpeach deleted the issue/1697 branch October 18, 2019 05:49
sunjayBhatia (Member) commented

having a small issue due to this change, see #2138 (comment)

Linked issue (may be closed by merging this pull request): Enforce the use of kubernetes.io/tls secret types.

4 participants