-
Notifications
You must be signed in to change notification settings - Fork 689
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
allow multiple SANS in upstream validation #5849
allow multiple SANS in upstream validation #5849
Conversation
685858b
to
36d4655
Compare
36d4655
to
eb6760d
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #5849 +/- ##
==========================================
+ Coverage 78.77% 78.81% +0.03%
==========================================
Files 138 138
Lines 19747 19765 +18
==========================================
+ Hits 15555 15577 +22
+ Misses 3888 3885 -3
+ Partials 304 303 -1
|
The Contour project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
The Contour project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
hmm it seems like the rule I'm trying to add costs too much, just barely though :/
I don't quite understand why the operation is too expensive. Maybe it is because we are checking equality on string with no max length? I don't know if you can set maxlength on the strings within the array... |
The Contour project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
Hm, adding a new type alias for string with a min/max length and using that doesn't seem to reduce complexity adding a check for existence of self.subjectName increases complexity slightly somehow (
|
Ah, reducing the max length of the diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go
index e6bb66d9..d8a563b5 100644
--- a/apis/projectcontour/v1/httpproxy.go
+++ b/apis/projectcontour/v1/httpproxy.go
@@ -1318,7 +1318,7 @@ type UpstreamValidation struct {
// Key which is expected to be present in the 'subjectAltName' of the presented certificate.
// Deprecated: migrate to using the plural field subjectNames.
// +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:MaxLength=256
+ // +kubebuilder:validation:MaxLength=100
SubjectName string `json:"subjectName"`
// List of keys, of which at least one is expected to be present in the 'subjectAltName of the
// presented certificate. I'm not sure in practice if there is a limit in any RFC here on the length of an DNS name or other identifier in a cert: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6 |
The Contour project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to the #contour channel in the Kubernetes Slack |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we remove the WIP from the title here @KauzClay
This looks like it should work, only minor issue would be that we're adding a length limit to a field that did not used to have one, something to call out in the release note just in case. Technically this could be a breaking change but I would think this is a rare case? Thoughts @projectcontour/maintainers @projectcontour/contour-reviewers?
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
* allows the CEL validation rule to get a passing score Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
f75406a
to
a3ac00b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving but will wait for some more thoughts from @projectcontour/maintainers and @projectcontour/contour-reviewers
apis/projectcontour/v1/httpproxy.go
Outdated
CACertificate string `json:"caSecret"` | ||
// Key which is expected to be present in the 'subjectAltName' of the presented certificate. | ||
// Deprecated: migrate to using the plural field subjectNames. | ||
// +kubebuilder:validation:MinLength=1 | ||
// +kubebuilder:validation:MaxLength=100 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we know what the highest possible max we could use here is? The higher it is, the less likely it is to break a user, and given that this is effectively a breaking API change, I'd rather go as high as we possibly can to try to minimize the set of affected users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good point, I will try to find the max possible value
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, it seems to accept a max length of 250.
Aside, do you have any idea on how to better test this?
I've tried to apply the CRD to my own cluster, and I don't get an error, but then when I push and the PR tests run, it fails after installing giving me the warning about the CEL score.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm, not sure off the top of my head, @sunjayBhatia any thoughts here since you were playing around with this earlier?
I do feel much better about 250 vs. 100 as a limit, seems much less likely to have any actual user impact.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what version of k8s is your cluster @KauzClay? You don't happen to have the CustomResourceValidationExpressions
feature gate off?
Also TIL https://playcel.undistro.io/ exists which might be useful
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we want to test the CEL validation itself works as expected, we could add an e2e test here too:
contour/test/e2e/httpproxy/httpproxy_test.go
Lines 57 to 66 in 0b8ab80
// Contains specs that test that kubebuilder API validations | |
// work as expected, and do not require a Contour instance to | |
// be running. | |
var _ = Describe("HTTPProxy API validation", func() { | |
f.NamespacedTest("httpproxy-required-field-validation", testRequiredFieldValidation) | |
f.NamespacedTest("httpproxy-invalid-wildcard-fqdn", testWildcardFQDN) | |
f.NamespacedTest("invalid-cookie-rewrite-fields", testInvalidCookieRewriteFields) | |
}) |
e.g. try to create an HTTPProxy with upstreamvalidation set such that the resource should be rejected, and appropriate assertions etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was using a 1.27.7 from GKE, but I didn't know about CustomResourceValidationExpressions
feature gate though, maybe that is turned off somehow?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#feature-gates-for-graduated-or-deprecated-features that feature gate should be on by default in 1.27, but maybe GKE is doing something weird?
* include reference to deprecation and new field Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
* for cacert and subjectname Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
* only use SubjectNames in dag, take SubjectName and make single item slice when present Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
apis/projectcontour/v1/httpproxy.go
Outdated
CACertificate string `json:"caSecret"` | ||
// Key which is expected to be present in the 'subjectAltName' of the presented certificate. | ||
// Deprecated: migrate to using the plural field subjectNames. | ||
// +kubebuilder:validation:MinLength=1 | ||
// +kubebuilder:validation:MaxLength=100 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm, not sure off the top of my head, @sunjayBhatia any thoughts here since you were playing around with this earlier?
I do feel much better about 250 vs. 100 as a limit, seems much less likely to have any actual user impact.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couple little things but otherwise looks about ready to me
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks @KauzClay!
@sunjayBhatia leaving this one for you to merge when ready |
Signed-off-by: Clay Kauzlaric <ckauzlaric@vmware.com>
So many CI flakes today.. |
Fixes #5520
release-note/minor