forbid using revoked or expired certs

Stavros kois
2023-01-26 13:49:25 +02:00
parent 068eca4d3c
commit bcbbbc2e41
6 changed files with 2 additions and 144 deletions


@@ -38,10 +38,6 @@ scaleCerts:
certPath: /some/path/in/the/container/crt.key
# Optional, If populated, it will mount the private key in the container's path
keyPath: /some/path/in/the/container/key.key
# Optional, Allow the use of revoked certs, even if is not allowed globally
useRevoked: false
# Optional, Allow the use of expired certs, even if is not allowed globally
useExpired: false
```
---
@@ -81,8 +77,4 @@ scaleCertsList:
certPath:
# Optional
keyPath:
# Optional
useRevoked: false
# Optional
useExpired: false
```


@@ -11,10 +11,6 @@
# If not defined on per pod or in ixChartContext, assume this.
# Empty means NO runtimeClassName
runtimeClassName: ""
# If not defined on the the cert item, assume this
useRevokedCerts: false
# If not defined on the the cert item, assume this
useExpiredCerts: false
# If not defined on the pod, assume this
dnsPolicy: ClusterFirst
# If no restart Policy is defined, assume this


@@ -184,59 +184,6 @@ tests:
expired: true
asserts: *basicAssertion
- it: should pass with 1 REVOKED secret created and global allow
documentIndex: *secretDoc
set:
global:
defaults:
useRevokedCerts: true
scaleCerts:
certname:
id: 1
# Simulating middleware injection
ixCertificates:
"1":
privatekey: some_key
certificate: cert_content
revoked: true
asserts: *basicAssertion
- it: should pass with 1 EXPIRED secret created and local allow
documentIndex: *secretDoc
set:
global:
defaults:
useExpiredCerts: false
scaleCerts:
certname:
id: 1
useExpired: true
# Simulating middleware injection
ixCertificates:
"1":
certificate: cert_content
privatekey: some_key
expired: true
asserts: *basicAssertion
- it: should pass with 1 REVOKED secret created and local allow
documentIndex: *secretDoc
set:
global:
defaults:
useRevokedCerts: false
scaleCerts:
certname:
id: 1
useRevoked: true
# Simulating middleware injection
ixCertificates:
"1":
privatekey: some_key
certificate: cert_content
revoked: true
asserts: *basicAssertion
- it: should pass with 2 secret created (doc1)
documentIndex: *secretDoc
set:


@@ -184,59 +184,6 @@ tests:
expired: true
asserts: *basicAssertion
- it: should pass with 1 REVOKED secret created and global allow
documentIndex: *secretDoc
set:
global:
defaults:
useRevokedCerts: true
scaleCertsList:
- name: certname
id: 1
# Simulating middleware injection
ixCertificates:
"1":
privatekey: some_key
certificate: cert_content
revoked: true
asserts: *basicAssertion
- it: should pass with 1 EXPIRED secret created and local allow
documentIndex: *secretDoc
set:
global:
defaults:
useExpiredCerts: false
scaleCertsList:
- name: certname
id: 1
useExpired: true
# Simulating middleware injection
ixCertificates:
"1":
certificate: cert_content
privatekey: some_key
expired: true
asserts: *basicAssertion
- it: should pass with 1 REVOKED secret created and local allow
documentIndex: *secretDoc
set:
global:
defaults:
useRevokedCerts: false
scaleCertsList:
- name: certname
id: 1
useRevoked: true
# Simulating middleware injection
ixCertificates:
"1":
privatekey: some_key
certificate: cert_content
revoked: true
asserts: *basicAssertion
- it: should pass with 2 secret created (doc1)
documentIndex: *secretDoc
set:


@@ -27,8 +27,6 @@ Example keys (certificate, privatekey, expired, revoked)
{{- $root := .root -}}
{{- $key := .key -}}
{{- $certID := (toString $cert.id) -}}
{{- $useRevoked := $root.Values.global.defaults.useRevokedCerts -}}
{{- $useExpired := $root.Values.global.defaults.useExpiredCerts -}}
{{- if not $key -}} {{/* This is something that should not happen when using this library */}}
{{- fail "You need to provide a <key> when calling this template (certificate.get)" -}}
@@ -37,27 +35,15 @@ Example keys (certificate, privatekey, expired, revoked)
{{- if eq (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) "true" -}}
{{- $certificate := (get $root.Values.ixCertificates (toString $certID)) -}}
{{- if (hasKey $cert "useRevoked") -}}
{{- $useRevoked = $cert.useRevoked -}}
{{- end -}}
{{- if (hasKey $cert "useExpired") -}}
{{- $useExpired = $cert.useExpired -}}
{{- end -}}
{{- if (hasKey $certificate "revoked") -}}
{{- if (eq (get $certificate "revoked") true) -}}
{{- if not $useRevoked -}}
{{- fail (printf "Certificate (%s) has been revoked" $certID) -}}
{{- end -}}
{{- fail (printf "Certificate (%s) has been revoked" $certID) -}}
{{- end -}}
{{- end -}}
{{- if (hasKey $certificate "expired") -}}
{{- if (eq (get $certificate "expired") true) -}}
{{- if not $useExpired -}}
{{- fail (printf "Certificate (%s) is expired" $certID) -}}
{{- end -}}
{{- fail (printf "Certificate (%s) is expired" $certID) -}}
{{- end -}}
{{- end -}}
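Review bot: The per-certificate `useRevoked` / `useExpired` keys on `$cert` are now silently ignored rather than rejected, so a chart that still sets `useRevoked: true` on a cert item renders as if nothing were wrong while the cert is hard-failed by the lines at `fail (printf "Certificate (%s) has been revoked" $certID)` and `fail (printf "Certificate (%s) is expired" $certID)`; since the commit's intent is that these overrides no longer exist, consider failing on stale config, e.g. `{{- if or (hasKey $cert "useRevoked") (hasKey $cert "useExpired") -}}` / `{{- fail (printf "Certificate (%s): useRevoked/useExpired are no longer supported" $certID) -}}` / `{{- end -}}`. The remaining checks are also fail-open by construction: a record in `ixCertificates` that lacks the `revoked` or `expired` key passes both `hasKey` guards, which is presumably intentional for middleware that always injects the keys, but a short comment such as `{{/* Missing revoked/expired keys are treated as "not revoked"/"not expired" */}}` would make that explicit. The enclosing `certificate.get` template begins before this hunk, and its remaining lines continue past it.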


@@ -11,10 +11,6 @@ global:
# If not defined on per pod or in ixChartContext, assume this.
# Empty means NO runtimeClassName
runtimeClassName: ""
# If not defined on the the cert item, assume this
useRevokedCerts: false
# If not defined on the the cert item, assume this
useExpiredCerts: false
# If not defined on the pod, assume this
dnsPolicy: ClusterFirst
# If no restart Policy is defined, assume this
@@ -211,12 +207,6 @@ rbac:
primary: true
clusterWide: false
# Creates a configmap
configmap: {}
# Creates a secret
secret: {}
# Defines lifecycle hooks
lifecycle: {}