cert-manager: Add annotation to validate dns zones

tsuru · Aug 19, 2021 · 40fbe6d · 40fbe6d
1 parent 8dbcf09
commit 40fbe6d
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 2 deletions.
diff --git a/internal/pkg/rpaas/k8s.go b/internal/pkg/rpaas/k8s.go
@@ -60,7 +60,8 @@ const (
 	defaultNamespace      = "rpaasv2"
 	defaultKeyLabelPrefix = "rpaas.extensions.tsuru.io"
 
-	externalDNSHostnameLabel = "external-dns.alpha.kubernetes.io/hostname"
+	externalDNSHostnameLabel  = "external-dns.alpha.kubernetes.io/hostname"
+	allowedDNSZonesAnnotation = "rpaas.extensions.tsuru.io/allowed-dns-zones"
 
 	nginxContainerName = "nginx"
 )
@@ -2264,7 +2265,7 @@ func (m *k8sRpaasManager) UpdateCertManagerRequest(ctx context.Context, instance
 		return &ValidationError{Msg: "cert-manager issuer cannot be empty"}
 	}
 
-	_, _, err = m.GetIssuerMetadata(ctx, instance.ObjectMeta.Namespace, issuer)
+	issuerMeta, _, err := m.GetIssuerMetadata(ctx, instance.ObjectMeta.Namespace, issuer)
 	if err != nil {
 		return err
 	}
@@ -2273,6 +2274,13 @@ func (m *k8sRpaasManager) UpdateCertManagerRequest(ctx context.Context, instance
 		return &ValidationError{Msg: "you should provide a list of DNS names or IP addresses"}
 	}
 
+	if annotation := issuerMeta.Annotations[allowedDNSZonesAnnotation]; annotation != "" {
+		err = allowDNSNames(in.DNSNames, strings.Split(annotation, ","))
+		if err != nil {
+			return err
+		}
+	}
+
 	instance.Spec.DynamicCertificates.CertManager = &v1alpha1.CertManager{
 		Issuer:      issuer,
 		DNSNames:    in.DNSNames,
@@ -2325,3 +2333,31 @@ func (m *k8sRpaasManager) GetIssuerMetadata(ctx context.Context, namespace, issu
 
 	return &clusterIssuer.ObjectMeta, &clusterIssuer.Spec, nil
 }
+
+func allowDNSNames(dnsNames, dnsZones []string) error {
+	if len(dnsZones) == 0 {
+		return nil
+	}
+	match := func(dnsName string) bool {
+		for _, dnsZone := range dnsZones {
+			if strings.HasSuffix(dnsName, "."+dnsZone) {
+				return true
+			}
+		}
+
+		return false
+	}
+
+	unmatchedDNSNames := []string{}
+	for _, dnsName := range dnsNames {
+		if !match(dnsName) {
+			unmatchedDNSNames = append(unmatchedDNSNames, dnsName)
+		}
+	}
+
+	if len(unmatchedDNSNames) > 0 {
+		return fmt.Errorf("These DNS Names is not allowed: %s", strings.Join(unmatchedDNSNames, ", "))
+	}
+
+	return nil
+}
diff --git a/internal/pkg/rpaas/k8s_test.go b/internal/pkg/rpaas/k8s_test.go
@@ -4959,6 +4959,9 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
 		&cmv1.ClusterIssuer{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: "issuer-1",
+				Annotations: map[string]string{
+					allowedDNSZonesAnnotation: "example.com,example.org",
+				},
 			},
 		},
 		&cmv1.ClusterIssuer{
@@ -5027,6 +5030,18 @@ func Test_k8sRpaasManager_UpdateCertManagerRequest(t *testing.T) {
 			},
 		},
 
+		"using unmanaged dns-names": {
+			instanceName: "my-instance-1",
+			certManager: clientTypes.CertManager{
+				DNSNames: []string{"my-instance-1.example.com", "my-instance-1.example.org", "wrong.io", "wrong.com"},
+			},
+			cfg: config.RpaasConfig{
+				EnableCertManager:        true,
+				DefaultCertManagerIssuer: "issuer-1",
+			},
+			expectedError: "These DNS Names is not allowed: wrong.io, wrong.com",
+		},
+
 		"using wrong certificate issuer from configs": {
 			instanceName: "my-instance-1",
 			certManager: clientTypes.CertManager{