Conversation
|
/ok-to-test |
pkg/issuer/cfssl/fakes/lister.go
Outdated
| ) | ||
|
|
||
| // Lister is a struct that implements kubernetes api secrets.SecretLister interface | ||
| // It is used solely for testing to mock calls to list secrets |
There was a problem hiding this comment.
So client-go already has fairly extensive lister testing capabilities. I'd like to see us re-using these instead of creating our own 😄.
You can create a fake clientset using the fake sub-package of the client-go client (or our own clientset in pkg/client, if you need to test with cert-manager types).
There was a problem hiding this comment.
Same goes for basically this whole package 😄
There was a problem hiding this comment.
Makes sense. I'll reuse that package for the tests and delete this custom pkg
|
|
||
| type CFSSLCertificateKeyConfig struct { | ||
| Size int `json:"size"` | ||
| Algo string `json:"algo"` |
There was a problem hiding this comment.
These fields should be removed in favour of generic fields on the Certificate itself that apply to all issuer types (and not just specific to individual issuers).
As we do not currently support all of these fields in the spec (although there is some pre-existing work to add support), we should simply omit them for now and hardcode values (similar to how the other issuers currently do it). I think the majority of the algorithm and size selection is now handled in the pkg/utils/pki package now, anyway 😄
There was a problem hiding this comment.
Once that PR #722 is reviewed, I'll change this PR to use it.
| CommonName: pki.CommonNameForCertificate(crt), | ||
| }, | ||
| DNSNames: pki.DNSNamesForCertificate(crt), | ||
| } |
There was a problem hiding this comment.
There is a new function in the pki package to handle this now.
pkg/issuer/cfssl/issue.go
Outdated
| return nil, fmt.Errorf("error building request body: %s", err) | ||
| } | ||
|
|
||
| issuerSpec := c.issuer.GetSpec().CFSSL |
There was a problem hiding this comment.
It should never be the case that this is nil, but worth double checking in case (and just returning an unexpected error or something if it is). Better weird errors than panics 😄
pkg/issuer/cfssl/issue.go
Outdated
| return []byte(certificate.(string)), nil | ||
| } | ||
|
|
||
| func (c *CFSSL) buildRequestBody(csrPem []byte) ([]byte, error) { |
There was a problem hiding this comment.
Let's make csrPem type-safe and accept a *x509.CertificateRequest here - we can perform encoding at the time then.
| authKeySecret := c.issuer.GetSpec().CFSSL.AuthKey | ||
| if authKeySecret == nil { | ||
| return requestBytes, nil | ||
| } |
There was a problem hiding this comment.
Could you add a comment to clarify why we return early if authKeySecret is nil 😄
pkg/issuer/cfssl/issue.go
Outdated
| } | ||
|
|
||
| h := hmac.New(sha256.New, []byte(hexAuthKey)) | ||
| h.Write(requestBytes) |
pkg/issuer/cfssl/issue_test.go
Outdated
| keyAlgo: ecdsaKeyAlgo, | ||
| keySize: ecdsaKeySize, | ||
| expectedCrt: certStr, | ||
| expectedRespBody: fmt.Sprintf(`{"success":true,"result":{"certificate":"%s"}}`, certStr), |
There was a problem hiding this comment.
this test case says it should fail, but this response includes success? 🤔
|
|
||
| return ecdsa.GenerateKey(ecCurve, rand.Reader) | ||
| } | ||
|
|
There was a problem hiding this comment.
The addition of EC keys is great, but can this be extracted out into a separate PR? It will take additional work to support this for all Issuer types.
There was a problem hiding this comment.
Cool. I've extracted this work to PR #722
test/e2e/issuer/issuer_cfssl.go
Outdated
| f := framework.NewDefaultFramework("create-cfssl-issuer") | ||
|
|
||
| issuerName := "test-cfssl-issuer" | ||
| serverURL := "http://local.cfssl.server" |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
4578002 to
8f27756
Compare
|
/ping @munnerz Please review when you get a chance to. I'd like to get this going and hopefully accepted and merged by the next release 🙂 |
7a33cd8 to
b836360
Compare
|
@badie: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@badie: PR needs rebase. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What this PR does / why we need it:
It adds support for a cfssl issuer to allow issuing certs from a cfssl based CA.
Release note: