'Runtime' validation support #735
Description
We now have validation for API resources, however there are some configuration cases that we cannot properly test for as part of validation.
Namely, we cannot determine whether the Certificate is for an ACME Issuer vs a CA issuer, and provide Issuer-specific validation of Certificates.
Some examples of cases we currently cannot/do not validate:
- With Add keyAlgorithm and keySize fields to Certificates, and support ECDSA keys #722, we support custom key algorithms. However, the ACME spec only supports RSA, so we should fail early in the certificates controller when this configuration is detected.
- With Configurable issuer duration and renewBefore #520, we accept a custom certificate duration. This is not possible in all cases when using ACME.
- We'll soon support custom key usages; again, these are not possible with ACME.
We need to include some form of 'runtime validation', i.e. validation that occurs at the start of the controller's sync cycle instead of before persisting the resource into the apiserver/etcd.
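As an added illustration of the "validate at the start of the sync cycle" idea described above (example code written for this page, not cert-manager's own implementation), the sketch below encodes the three ACME restrictions listed in the issue exactly as stated and runs them before the controller does any issuance work. The `CertificateSpec` and `IssuerType` types and their field names are assumptions chosen for the example; the real resource types differ.

```go
package main

import (
	"fmt"
	"time"
)

// IssuerType is the kind of issuer a Certificate references. Only the two
// kinds named in the issue are modelled; this type is an assumption for the
// example, not cert-manager's API.
type IssuerType string

const (
	IssuerACME IssuerType = "ACME"
	IssuerCA   IssuerType = "CA"
)

// CertificateSpec is a minimal stand-in for the Certificate resource's spec.
// Field names are assumptions chosen for this example.
type CertificateSpec struct {
	KeyAlgorithm string         // e.g. "rsa", "ecdsa"; "" means the default
	Duration     *time.Duration // nil means "use the issuer's default"
	Usages       []string       // e.g. "server auth"; empty means the default set
}

// ValidateForIssuer performs the issuer-specific checks that admission-time
// validation cannot do, because only here do we know which issuer kind the
// Certificate points at. It collects every violation so the controller can
// report all of them at once instead of failing one per sync.
func ValidateForIssuer(spec CertificateSpec, issuer IssuerType) []error {
	var errs []error
	if issuer != IssuerACME {
		// The CA issuer accepts all of these fields; nothing to check.
		return errs
	}
	if spec.KeyAlgorithm != "" && spec.KeyAlgorithm != "rsa" {
		errs = append(errs, fmt.Errorf("keyAlgorithm %q is not supported with ACME issuers", spec.KeyAlgorithm))
	}
	if spec.Duration != nil {
		errs = append(errs, fmt.Errorf("custom duration %s cannot be honoured by ACME issuers", *spec.Duration))
	}
	if len(spec.Usages) > 0 {
		errs = append(errs, fmt.Errorf("custom key usages %v cannot be honoured by ACME issuers", spec.Usages))
	}
	return errs
}

// Sync sketches the first step of a controller sync cycle: validate, and return
// early (before any order or CSR is created) when the configuration can never
// succeed. The bool reports whether issuance may proceed.
func Sync(spec CertificateSpec, issuer IssuerType) (bool, []error) {
	if errs := ValidateForIssuer(spec, issuer); len(errs) > 0 {
		return false, errs
	}
	return true, nil
}

func main() {
	// Constructed sample: a Certificate using every field ACME cannot honour.
	d := 90 * 24 * time.Hour
	bad := CertificateSpec{KeyAlgorithm: "ecdsa", Duration: &d, Usages: []string{"server auth"}}

	ok, errs := Sync(bad, IssuerACME)
	fmt.Println("ACME issuer, proceed:", ok)
	for _, e := range errs {
		fmt.Println("  -", e)
	}

	// The same spec is acceptable for a CA issuer.
	ok, errs = Sync(bad, IssuerCA)
	fmt.Println("CA issuer, proceed:", ok, "errors:", len(errs))
}
```

In a real controller the returned errors would be written to the Certificate's status condition and emitted as an event, so the user sees the misconfiguration without the controller retrying an issuance that cannot succeed.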