Validate fields of OpenstackDataPlaneServiceCert in OpenStackDataPlan…

…eServiceSpec

Set default KeyUsages to "key encipherment","digital signature","server auth".

Signed-off-by: Jiri Podivin <jpodivin@redhat.com>

api/bases/dataplane.openstack.org_openstackdataplaneservices.yaml

@@ -96,6 +96,10 @@ spec:
                     issuer:
                       type: string
                     keyUsages:
+                      default:
+                      - key encipherment
+                      - digital signature
+                      - server auth
                       items:
                         enum:
                         - signing

api/v1beta1/openstackdataplaneservice_types.go

@@ -44,7 +44,8 @@ type OpenstackDataPlaneServiceCert struct {
 
 	// KeyUsages to be added to the issued cert
 	// +kubebuilder:validation:Optional
-	KeyUsages []certmgrv1.KeyUsage `json:"keyUsages,omitempty" yaml:"keyUsages,omitempty"`
+	// +kubebuilder:default={"key encipherment","digital signature","server auth"}
+	KeyUsages []certmgrv1.KeyUsage `json:"keyUsages" yaml:"keyUsages"`
 
 	// EDPMRoleServiceName is the value of the <role>_service_name variable from
 	// the edpm-ansible role where this certificate is used. For example if the

api/v1beta1/openstackdataplaneservice_webhook.go

@@ -17,6 +17,9 @@ limitations under the License.
 package v1beta1
 
 import (
+	"fmt"
+
+	"golang.org/x/exp/slices"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -78,9 +81,15 @@ func (r *OpenStackDataPlaneService) ValidateCreate() (admission.Warnings, error)
 }
 
 func (r *OpenStackDataPlaneServiceSpec) ValidateCreate() field.ErrorList {
-	// TODO(user): fill in your validation logic upon object creation.
+	var errs field.ErrorList
 
-	return field.ErrorList{}
+	if r.TLSCerts != nil {
+		for _, v := range r.TLSCerts {
+			errs = append(errs, v.ValidateContents()...)
+		}
+	}
+
+	return errs
 }
 
 func (r *OpenStackDataPlaneService) ValidateUpdate(original runtime.Object) (admission.Warnings, error) {
@@ -99,9 +108,15 @@ func (r *OpenStackDataPlaneService) ValidateUpdate(original runtime.Object) (adm
 }
 
 func (r *OpenStackDataPlaneServiceSpec) ValidateUpdate() field.ErrorList {
-	// TODO(user): fill in your validation logic upon object creation.
+	var errs field.ErrorList
 
-	return field.ErrorList{}
+	if r.TLSCerts != nil {
+		for _, v := range r.TLSCerts {
+			errs = append(errs, v.ValidateContents()...)
+		}
+	}
+
+	return errs
 }
 
 func (r *OpenStackDataPlaneService) ValidateDelete() (admission.Warnings, error) {
@@ -125,3 +140,22 @@ func (r *OpenStackDataPlaneServiceSpec) ValidateDelete() field.ErrorList {
 
 	return field.ErrorList{}
 }
+
+func (r *OpenstackDataPlaneServiceCert) ValidateContents() field.ErrorList {
+
+	var errs field.ErrorList
+	// "dnsnames" and "ips" are only allowed usages
+	allowedContents := []string{
+		"dnsnames",
+		"ips",
+	}
+	for _, val := range r.Contents {
+
+		if !slices.Contains(allowedContents, val) {
+			errs = append(errs, field.Invalid(field.NewPath("spec.tlsCert.Contents"),
+				r.KeyUsages,
+				fmt.Sprintf("error validating contents of TLSCert, %s, only valid contents are %v ", val, allowedContents)))
+		}
+	}
+	return errs
+}

config/crd/bases/dataplane.openstack.org_openstackdataplaneservices.yaml

@@ -96,6 +96,10 @@ spec:
                     issuer:
                       type: string
                     keyUsages:
+                      default:
+                      - key encipherment
+                      - digital signature
+                      - server auth
                       items:
                         enum:
                         - signing

docs/assemblies/custom_resources.adoc

@@ -409,7 +409,7 @@ OpenstackDataPlaneServiceCert defines the property of a TLS cert issued for a da
 | keyUsages
 | KeyUsages to be added to the issued cert
 | []certmgrv1.KeyUsage
-| false
+| true
 
 | edpmRoleServiceName
 | EDPMRoleServiceName is the value of the +++<role>+++_service_name variable from the edpm-ansible role where this certificate is used. For example if the certificate is for edpm_ovn from edpm-ansible, EDPMRoleServiceName must be ovn, which matches the edpm_ovn_service_name variable from the role. If not set, OpenStackDataPlaneService.Spec.EDPMServiceType is used. If OpenStackDataPlaneService.Spec.EDPMServiceType is not set, then OpenStackDataPlaneService.Name is used.+++</role>+++