adds option to specify CRL Distribution Point. #2612

[skra-space]

What this PR does / why we need it:
WIP adds option to specify CRL Distribution Point. Proposal

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #2612

Special notes for your reviewer:
Here is only changes for API and self-signed. I also have plan for Vault but didn't implement it.
Release note:

Added 'CRL Distribution Points' fields to Self-signed and CA issuers

[jetstack-bot]

Hi @srbraun. Thanks for your PR.

I'm waiting for a jetstack or cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[munnerz]

/ok-to-test

[skra-space]

/retest

[munnerz]

Please add a comment on this field explaining:

• What it does
• What values are valid
• What the default behaviour is if not specified

You should also have a // +optional line (similar to some other fields in this file) as the field is optional 😄

[munnerz]

This text is displayed to users through both our docs and kubectl explain so it really helps to provide clearly information about fields and how they should be used 😄

[munnerz]

Ah, we can also include // +kubebuilder:validation:UniqueItems here too to avoid users specifying duplicates.. not sure if it's strictly required, but it's easier to relax validation in future than it is to enforce additional validation 😄

[munnerz]

This is looking good. Are there any restrictions/requirements around the format for these strings? Do they have to be URLs? If so, we should add validation to check that invalid values are not entered 😄

[munnerz]

Also: would it be possible to extend this PR to support the 'CA' issuer type in a similar way? The implementation of these two issuers are very similar, so it shouldn't require too much extra code to do it 😄

[skra-space]

Also: would it be possible to extend this PR to support the 'CA' issuer type in a similar way? The implementation of these two issuers are very similar, so it shouldn't require too much extra code to do it smile

Yes, I will add support for CDP to 'CA' issuer. I am currently working on it. I just wanted to show you what I have first. I will work through your comments and prepare a full PR.

Thank you for the review.

[munnerz]

Only one more comment... it'd also be good if we could also add a // +kubebuilder:validation:Pattern here to restrict the types of values users can specify. I'm not 100% certain on what a good regex for this would be, as I imagine we'd have to support a variety of different URL formats (e.g. here you can see URLs starting with ldap:/// and containing commas: https://www.sysadmins.lv/blog-en/designing-crl-distribution-points-and-authority-information-access-locations.aspx).

[munnerz]

Ah, we can also include // +kubebuilder:validation:UniqueItems here too to avoid users specifying duplicates.. not sure if it's strictly required, but it's easier to relax validation in future than it is to enforce additional validation 😄

[skra-space]

Only one more comment... it'd also be good if we could also add a // +kubebuilder:validation:Pattern here to restrict the types of values users can specify.

I am not sure how to validate it. According to RFC 5280, CDP name can be directory name or path relative to CRL issuer. In x509 go lib, CDP is an array of strings.

[munnerz]

This all looks good, we can look into tightening validation after this merges as I think it may require us to bump our controller-tools dependency 😄

Would you be able to open a PR against the docs repo to note this new option, in both the selfsigned and ca issuer documentation? If you open the PR against the release-next branch so that it is included as part of the 'next' release documentation 😄

https://github.com/cert-manager/website/blob/release-next/content/en/docs/configuration/selfsigned.md && https://github.com/cert-manager/website/blob/release-next/content/en/docs/configuration/ca.md

/lgtm
/approve
/hold
/milestone v0.15
/kind feature

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: munnerz, srbraun

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [munnerz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[munnerz]

/hold cancel

[retest-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to jetstack).
Review the full test history for this PR.
Silence the bot with an /lgtm cancel comment for consistent failures.

[cedenilla]

@srbraun Is there any possibility that you could add the feature to Vault, as you mentioned a few years ago? Thank you in advance!

[skra-space]

Hi! Thank you for reaching out to me. Unfortunately, I am not working on it anymore. I was planning to implement it for my employer but plans have changed there. I hope you'll find a solution. Good luck!