cert-manager
Add attribute support for certificate subject
Fixes #128
This PR is a continuation of the work in #129
I have changed the code of the RequestForMetadata function to use the CSV parser instead of strings.Split as requested in the original PR.
Would it make sense to replace the splitList function with SplitWithEscapeCSV as well? I wasn't sure if that's wanted because that code is not from #129 but was already in there before, so I left it untouched for now.
And what else needs to be done in order to get this merged?
I successfully tested it with the following manifest:
apiVersion: "cert-manager.io/v1"
kind: "Issuer"
metadata:
name: "self-signed-issuer"
spec:
selfSigned: { }
---
apiVersion: "cert-manager.io/v1"
kind: "Certificate"
metadata:
name: "self-signed-root-cert"
spec:
secretName: "self-signed-root-cert"
isCA: true
commonName: "CA Cert"
issuerRef:
name: "self-signed-issuer"
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: ca-issuer
spec:
ca:
secretName: "self-signed-root-cert"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: csi-test
spec:
selector:
matchLabels:
app: csi-test
template:
metadata:
labels:
app: csi-test
spec:
containers:
- name: csi-test
image: "docker.io/library/alpine:latest"
command:
- "/bin/sh"
- "-c"
- "apk add openssl && openssl x509 -noout -text -in /cert/tls.crt && sleep infinity"
volumeMounts:
- mountPath: "/cert"
name: cert
volumes:
- name: "cert"
csi:
driver: "csi.cert-manager.io"
readOnly: true
volumeAttributes:
csi.cert-manager.io/issuer-name: "ca-issuer"
csi.cert-manager.io/common-name: "test-cert"
csi.cert-manager.io/organizations: "organization"
csi.cert-manager.io/organizationalunits: "organizationalunit"
csi.cert-manager.io/countries: "country"
csi.cert-manager.io/provinces: "province"
csi.cert-manager.io/localities: "locality"
csi.cert-manager.io/streetaddresses: "streetaddress"
csi.cert-manager.io/postalcodes: "postalcode"
resulting in the following output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ab:ca:22:02:06:92:c3:27:47:aa:d2:5b:55:b2:f5:01
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = CA Cert
Validity
Not Before: Mar 27 16:34:50 2024 GMT
Not After : Jun 25 16:34:50 2024 GMT
Subject: C = country, ST = province, L = locality, street = streetaddress, postalCode = postalcode, O = organization, OU = organizationalunit, CN = test-cert
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c7:d0:55:35:99:bc:11:39:eb:b7:11:0d:56:65:
02:53:b3:c6:a0:5c:6c:6b:0d:f8:b8:c2:77:99:55:
88:d0:b8:ca:ad:0c:83:38:fe:f6:79:df:b8:ba:d6:
e3:1c:a4:b1:35:65:29:ec:0b:72:94:6e:27:97:47:
62:6f:10:06:32:e7:e1:42:d4:cf:c1:3e:bc:69:a5:
12:58:7e:85:ea:61:39:86:eb:aa:1a:2d:08:f8:22:
02:e2:cf:91:e8:04:cf:62:10:54:9d:b3:25:02:49:
5f:3c:57:45:03:2f:85:c5:d0:85:32:e9:74:c3:57:
f6:41:37:93:c3:9e:a7:40:3b:de:42:83:ed:e3:b6:
d0:f4:20:c2:d3:9e:e4:cc:5c:db:65:45:c3:42:d2:
59:b3:28:3e:42:4e:05:20:28:3d:d0:40:b9:59:50:
90:5d:1f:66:d3:f5:d4:50:79:b6:01:46:50:4f:b0:
18:36:dc:8e:23:ff:a1:98:20:fe:9a:21:55:dd:fb:
4b:7a:ed:ef:80:3b:59:47:2c:31:93:ff:78:57:f1:
4a:a1:86:9d:38:01:cf:cc:01:dd:88:2f:86:ce:4f:
21:6c:a0:2f:29:47:41:ed:b2:4a:d8:d2:3f:27:49:
54:6d:4d:7c:ab:ed:67:6e:ba:00:b3:7c:a5:15:09:
07:95
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
41:B9:47:09:7C:34:AD:30:16:33:C3:08:2A:9A:BD:BF:6C:AB:10:DA
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
03:07:49:e6:6e:2e:87:5d:82:df:d4:10:f2:4d:62:33:0d:df:
17:59:ce:ff:99:bc:40:02:8a:46:e2:71:1c:f9:0b:7a:eb:fb:
9e:6a:df:01:e7:52:0b:82:0c:c9:a8:93:c7:a1:b2:fe:ee:a2:
1b:80:4e:b8:a5:ac:d5:45:cb:8e:12:0a:ab:bd:76:70:3b:00:
aa:f9:58:ed:a8:17:76:5b:64:74:a1:33:3b:d9:5d:a5:12:2f:
c7:92:d5:90:b3:38:29:98:0e:e1:bc:6c:f8:ce:f1:2b:13:86:
e6:1b:8c:00:9f:1f:32:62:9b:fc:a4:83:e6:21:69:56:ab:0e:
b1:fa:ec:15:48:9d:8d:12:48:d1:8f:22:9f:ee:f8:7b:b7:e3:
52:67:be:f8:5d:70:a3:f2:7a:ad:00:e0:14:aa:08:90:34:69:
17:9d:4d:ee:57:06:7d:ec:12:f0:6f:32:04:60:dc:0a:ed:27:
2b:02:98:de:0a:1e:19:d0:0d:42:8d:e7:6f:6a:3b:00:fd:16:
91:d2:2b:76:e7:f0:51:af:ac:83:b3:a5:0b:b1:3e:fa:3d:20:
e2:e3:4e:df:8a:7a:d8:da:8d:f8:3f:2f:e6:95:7b:c9:a3:64:
56:26:a6:c1:95:94:de:c6:c2:c3:75:dd:be:76:66:56:50:e5:
40:51:98:0d
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: Once this PR has been reviewed and has the lgtm label, please assign sgtcodfish for approval. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
Hi @nzbr. Thanks for your PR.
I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Also I think https://github.com/cert-manager/csi-driver/pull/254 will merge before this and create a merge conflict - sorry about that, but it should be an easy fix!
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: SgtCoDFish
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [SgtCoDFish]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
![cert-manager-prow[bot] avatar](https://avatars.githubusercontent.com/in/877404?v=4 "Published by a pub.dev verified publisher"){kind=small}