Merge pull request #39698 from mikedanese/default-csr

Automatic merge from submit-queue (batch tested with PRs 39803, 39698, 39537, 39478)

default a CSR's allowed usage to key encipherment and digital signing

Some pretty safe and sane defaults.

@liggitt

pkg/api/defaulting_test.go

@@ -91,6 +91,8 @@ func TestDefaulting(t *testing.T) {
 		{Group: "batch", Version: "v2alpha1", Kind: "JobTemplate"}:                                 {},
 		{Group: "batch", Version: "v2alpha1", Kind: "ScheduledJob"}:                                {},
 		{Group: "batch", Version: "v2alpha1", Kind: "ScheduledJobList"}:                            {},
+		{Group: "certificates.k8s.io", Version: "v1alpha1", Kind: "CertificateSigningRequest"}:     {},
+		{Group: "certificates.k8s.io", Version: "v1alpha1", Kind: "CertificateSigningRequestList"}: {},
 		{Group: "componentconfig", Version: "v1alpha1", Kind: "KubeProxyConfiguration"}:            {},
 		{Group: "componentconfig", Version: "v1alpha1", Kind: "KubeSchedulerConfiguration"}:        {},
 		{Group: "componentconfig", Version: "v1alpha1", Kind: "KubeletConfiguration"}:              {},

pkg/api/testing/BUILD

@@ -23,6 +23,7 @@ go_library(
         "//pkg/api/v1:go_default_library",
         "//pkg/apis/autoscaling:go_default_library",
         "//pkg/apis/batch:go_default_library",
+        "//pkg/apis/certificates:go_default_library",
         "//pkg/apis/extensions:go_default_library",
         "//pkg/apis/policy:go_default_library",
         "//pkg/apis/rbac:go_default_library",

pkg/api/testing/fuzzer.go

@@ -34,6 +34,7 @@ import (
 	"k8s.io/kubernetes/pkg/api/testapi"
 	"k8s.io/kubernetes/pkg/apis/autoscaling"
 	"k8s.io/kubernetes/pkg/apis/batch"
+	"k8s.io/kubernetes/pkg/apis/certificates"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/apis/policy"
 	"k8s.io/kubernetes/pkg/apis/rbac"
@@ -567,6 +568,10 @@ func FuzzerFor(t *testing.T, version schema.GroupVersion, src rand.Source) *fuzz
 			c.FuzzNoCustom(s) // fuzz self without calling this function again
 			s.PodDisruptionsAllowed = int32(c.Rand.Intn(2))
 		},
+		func(obj *certificates.CertificateSigningRequestSpec, c fuzz.Continue) {
+			c.FuzzNoCustom(obj) // fuzz self without calling this function again
+			obj.Usages = []certificates.KeyUsage{certificates.UsageKeyEncipherment}
+		},
 	)
 	return f
 }

pkg/apis/certificates/v1alpha1/BUILD

@@ -11,6 +11,7 @@ go_library(
     name = "go_default_library",
     srcs = [
         "conversion.go",
+        "defaults.go",
         "doc.go",
         "generated.pb.go",
         "register.go",

pkg/apis/certificates/v1alpha1/defaults.go

@@ -0,0 +1,31 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import "k8s.io/apimachinery/pkg/runtime"
+
+func addDefaultingFuncs(scheme *runtime.Scheme) error {
+	RegisterDefaults(scheme)
+	return scheme.AddDefaultingFuncs(
+		SetDefaults_CertificateSigningRequestSpec,
+	)
+}
+func SetDefaults_CertificateSigningRequestSpec(obj *CertificateSigningRequestSpec) {
+	if obj.Usages == nil {
+		obj.Usages = []KeyUsage{UsageDigitalSignature, UsageKeyEncipherment}
+	}
+}

pkg/apis/certificates/v1alpha1/register.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2016 The Kubernetes Authors.
+Copyright 2017 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -40,7 +40,7 @@ func Resource(resource string) schema.GroupResource {
 }
 
 var (
-	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes, addConversionFuncs)
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes, addConversionFuncs, addDefaultingFuncs)
 	AddToScheme   = SchemeBuilder.AddToScheme
 )
 

pkg/apis/certificates/v1alpha1/zz_generated.defaults.go

@@ -28,5 +28,20 @@ import (
 // Public to allow building arbitrary schemes.
 // All generated defaulters are covering - they call all nested defaulters.
 func RegisterDefaults(scheme *runtime.Scheme) error {
+	scheme.AddTypeDefaultingFunc(&CertificateSigningRequest{}, func(obj interface{}) { SetObjectDefaults_CertificateSigningRequest(obj.(*CertificateSigningRequest)) })
+	scheme.AddTypeDefaultingFunc(&CertificateSigningRequestList{}, func(obj interface{}) {
+		SetObjectDefaults_CertificateSigningRequestList(obj.(*CertificateSigningRequestList))
+	})
 	return nil
 }
+
+func SetObjectDefaults_CertificateSigningRequest(in *CertificateSigningRequest) {
+	SetDefaults_CertificateSigningRequestSpec(&in.Spec)
+}
+
+func SetObjectDefaults_CertificateSigningRequestList(in *CertificateSigningRequestList) {
+	for i := range in.Items {
+		a := &in.Items[i]
+		SetObjectDefaults_CertificateSigningRequest(a)
+	}
+}

pkg/apis/certificates/validation/validation.go

@@ -50,8 +50,14 @@ func ValidateCertificateSigningRequest(csr *certificates.CertificateSigningReque
 	isNamespaced := false
 	allErrs := apivalidation.ValidateObjectMeta(&csr.ObjectMeta, isNamespaced, ValidateCertificateRequestName, field.NewPath("metadata"))
 	err := validateCSR(csr)
+
+	specPath := field.NewPath("spec")
+
 	if err != nil {
-		allErrs = append(allErrs, field.Invalid(field.NewPath("request"), csr.Spec.Request, fmt.Sprintf("%v", err)))
+		allErrs = append(allErrs, field.Invalid(specPath.Child("request"), csr.Spec.Request, fmt.Sprintf("%v", err)))
+	}
+	if len(csr.Spec.Usages) == 0 {
+		allErrs = append(allErrs, field.Required(specPath.Child("usages"), "usages must be provided"))
 	}
 	return allErrs
 }