
Validate MeshRootCertificate

Open schristoff opened this issue 3 years ago • 2 comments

Please describe the Improvement and/or Feature Request

Part of https://github.com/openservicemesh/osm/issues/4502

Add validating webhook for MeshRootCertificate that:

  • Allow at most 2 MeshRootCertificate resources in either the pending-up, pending-down, complete, inactive, error or unknown state to be created. MeshRootCertificates that are inactive are not included in the count
    • If there are already 2 MeshRootCertificate resources in either the pending-up or pending-down state, OSM will set the status to error
  • Check for the correct status settings
  • Prevent out of order status changes
  • Don’t allow operators to change certain values in existing MeshRootCertificates

Areas of Interest: Add MeshRootCertificate CRD to validatingWebhookServer https://github.com/openservicemesh/osm/blob/d4853664a5ee34dfaf7367b54822b307bd19d99e/pkg/validator/server.go#L55-L61

Create a validateFunc that satisfies the above requirements https://github.com/openservicemesh/osm/blob/966405b29161ee650d01a8c0ebaa5fe4ed324b79/pkg/validator/validators.go#L26

Validations [X]

schristoff, May 04 '22 23:05

The webhook validator can also prevent deletions. We should consider what footguns we want to remove (deleting the only secret, etc.).

steeling, May 05 '22 15:05

When this gets implemented, with the new trust domain we should also validate that no parts in strings.Split(TrustDomain, ".") are the empty string

steeling, Jun 10 '22 14:06
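Added example (not OSM's own code) sketching the checks the issue body and the comment above define concretely: the cap of 2 non-inactive MeshRootCertificates on create, an immutable-field check on update, and rejection of a trust domain with an empty label. The `MRC` struct, the field names and the choice of `TrustDomain` as the immutable field are assumptions; the status-ordering rule is left out because the allowed transitions are not yet defined in the thread.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MRC is an assumed, simplified stand-in for the MeshRootCertificate resource.
type MRC struct {
	Name        string
	TrustDomain string
	State       string // pending-up, pending-down, complete, inactive, error, unknown
}

const maxActiveMRCs = 2

// validateTrustDomain rejects a trust domain with any empty dot-separated label.
func validateTrustDomain(td string) error {
	for _, part := range strings.Split(td, ".") {
		if part == "" {
			return fmt.Errorf("trust domain %q contains an empty label", td)
		}
	}
	return nil
}

// validateCreate admits a new MRC only while fewer than maxActiveMRCs
// non-inactive MRCs exist; inactive ones do not count toward the cap.
func validateCreate(existing []MRC, newMRC MRC) error {
	if err := validateTrustDomain(newMRC.TrustDomain); err != nil {
		return err
	}
	active := 0
	for _, m := range existing {
		if m.State != "inactive" {
			active++
		}
	}
	if active >= maxActiveMRCs {
		return fmt.Errorf("at most %d non-inactive MeshRootCertificates allowed, found %d", maxActiveMRCs, active)
	}
	return nil
}

// validateUpdate rejects edits to fields operators must not change (assumed: TrustDomain).
func validateUpdate(old, updated MRC) error {
	if old.TrustDomain != updated.TrustDomain {
		return errors.New("TrustDomain is immutable on an existing MeshRootCertificate")
	}
	return nil
}

func main() {
	// Constructed sample: one complete and one inactive MRC already exist.
	existing := []MRC{{"a", "cluster.local", "complete"}, {"b", "cluster.local", "inactive"}}
	fmt.Println(validateCreate(existing, MRC{"c", "cluster.local", "pending-up"}))
	fmt.Println(validateCreate(existing, MRC{"d", "cluster..local", "pending-up"}))
}
```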

Blocked on #4962. The logic in this change is dependent on how rotation status is represented in the MRC and what rotation states are supported.

jaellio, Aug 24 '22 21:08

Note: Make sure the logic from the rotation design doc is included (especially the finalizer).

keithmattix, Aug 29 '22 03:08