Skip to content

validate cert #74

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 12, 2018
Merged

validate cert #74

merged 1 commit into from
Jul 12, 2018

Conversation

mengqiy
Copy link
Member

@mengqiy mengqiy commented Jul 10, 2018

No description provided.

@mengqiy mengqiy requested review from droot and Liujingfang1 July 10, 2018 23:44
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 10, 2018
@mengqiy
Copy link
Member Author

mengqiy commented Jul 10, 2018

cc: @anfernee

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 10, 2018
Liujingfang1
Liujingfang1 reviewed Jul 11, 2018
View reviewed changes
pkg/admission/cert/writer/certwriter.go Outdated
// Recreate the cert if it's invalid.
if !validCert(certs) {
valid, err := validCert(certs, dnsName, 6*month)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe move 6*month to a constant.

pkg/admission/cert/writer/certwriter.go Outdated
// e.g.
// c, err := tls.X509KeyPair(cert, key)
// err := c.Verify(options)
func validCert(certs *generator.Artifacts, dnsName string, validTime time.Duration) (bool, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the return statements returns error as nil. I think you can remove this argument from the return list. Then validCert returns only a bool

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch

mengqiy
mengqiy commented Jul 11, 2018
View reviewed changes
pkg/admission/cert/writer/certwriter.go Outdated
// e.g.
// c, err := tls.X509KeyPair(cert, key)
// err := c.Verify(options)
func validCert(certs *generator.Artifacts, dnsName string, validTime time.Duration) (bool, error) {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The linter is complaining about parameter validTime not being changed :/
It is handy to have this parameter for testing purpose.

@mengqiy
Copy link
Member Author

mengqiy commented Jul 12, 2018

PTAL

Liujingfang1
Liujingfang1 approved these changes Jul 12, 2018
View reviewed changes
Copy link
Contributor

@Liujingfang1 Liujingfang1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

droot
droot reviewed Jul 12, 2018
View reviewed changes
Copy link
Contributor

@droot droot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good, a minor comment.

pkg/admission/cert/writer/certwriter.go Outdated
@@ -39,6 +42,8 @@ const (
ServerCertName = "cert.pem"
)

const sixMonths = 6 * 31 * 24 * time.Hour
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does it have to be pkg level const ? I see it only being used inside a fn.

anfernee
anfernee reviewed Jul 12, 2018
View reviewed changes
Copy link
Member

@anfernee anfernee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry for the late response. I still don't see where the notification goes to.

LGTM overall. just a question about the 6mo const

pkg/admission/cert/writer/certwriter.go Outdated
ops := x509.VerifyOptions{
DNSName: dnsName,
Roots: pool,
CurrentTime: time.Now().Add(sixMonths),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why 6 months? also it's more like time.Now().AddDate(0, 1, 0) doc

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point!
Updated

@mengqiy
Copy link
Member Author

mengqiy commented Jul 12, 2018

PTAL

@Liujingfang1
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 12, 2018
@Liujingfang1 Liujingfang1 added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 12, 2018
@k8s-ci-robot k8s-ci-robot merged commit 5999470 into kubernetes-sigs:master Jul 12, 2018
@mengqiy mengqiy deleted the validate_cert branch July 12, 2018 23:41
justinsb pushed a commit to justinsb/controller-runtime that referenced this pull request Dec 7, 2018
@k8s-ci-robot
Merge pull request kubernetes-sigs#74 from mengqiy/validate_cert
d46dfa3 
validate cert
DirectXMan12 pushed a commit that referenced this pull request Jan 31, 2020
Merge pull request #74 from droot/fix-watch-controller-of
51ed941 
fixed infinite loop in watchControllerOf API
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@droot droot droot left review comments

@anfernee anfernee anfernee left review comments

@Liujingfang1 Liujingfang1 Liujingfang1 approved these changes

Assignees

@Liujingfang1 Liujingfang1

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mengqiy @Liujingfang1 @droot @anfernee @k8s-ci-robot