Define ClusterTrustBundlePEM projected volume

This commit defines the ClusterTrustBundlePEM projected volume types.
These types have been renamed from the KEP (PEMTrustAnchors) in order to
leave open the possibility of a similar projection drawing from a
yet-to-exist namespaced-scoped TrustBundle object, which came up during
KEP discussion.

* Add the projection field to internal and v1 APIs.
* Add validation to ensure that usages of the project must specify a
  name and path.
* Add TODO covering admission control to forbid mirror pods from using
  the projection.

Part of KEP-3257.

pkg/apis/certificates/validation/validation.go

@@ -21,14 +21,11 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
-	"strings"
 
 	"github.com/google/go-cmp/cmp"
 	v1 "k8s.io/api/core/v1"
 	apiequality "k8s.io/apimachinery/pkg/api/equality"
-	apimachineryvalidation "k8s.io/apimachinery/pkg/api/validation"
 	"k8s.io/apimachinery/pkg/util/sets"
-	utilvalidation "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	utilcert "k8s.io/client-go/util/cert"
 	"k8s.io/kubernetes/pkg/apis/certificates"
@@ -198,7 +195,7 @@ func validateCertificateSigningRequest(csr *certificates.CertificateSigningReque
 	if !opts.allowLegacySignerName && csr.Spec.SignerName == certificates.LegacyUnknownSignerName {
 		allErrs = append(allErrs, field.Invalid(specPath.Child("signerName"), csr.Spec.SignerName, "the legacy signerName is not allowed via this API version"))
 	} else {
-		allErrs = append(allErrs, ValidateSignerName(specPath.Child("signerName"), csr.Spec.SignerName)...)
+		allErrs = append(allErrs, apivalidation.ValidateSignerName(specPath.Child("signerName"), csr.Spec.SignerName)...)
 	}
 	if csr.Spec.ExpirationSeconds != nil && *csr.Spec.ExpirationSeconds < 600 {
 		allErrs = append(allErrs, field.Invalid(specPath.Child("expirationSeconds"), *csr.Spec.ExpirationSeconds, "may not specify a duration less than 600 seconds (10 minutes)"))
@@ -266,82 +263,6 @@ func validateConditions(fldPath *field.Path, csr *certificates.CertificateSignin
 	return allErrs
 }
 
-// ensure signerName is of the form domain.com/something and up to 571 characters.
-// This length and format is specified to accommodate signerNames like:
-// <fqdn>/<resource-namespace>.<resource-name>.
-// The max length of a FQDN is 253 characters (DNS1123Subdomain max length)
-// The max length of a namespace name is 63 characters (DNS1123Label max length)
-// The max length of a resource name is 253 characters (DNS1123Subdomain max length)
-// We then add an additional 2 characters to account for the one '.' and one '/'.
-func ValidateSignerName(fldPath *field.Path, signerName string) field.ErrorList {
-	var el field.ErrorList
-	if len(signerName) == 0 {
-		el = append(el, field.Required(fldPath, ""))
-		return el
-	}
-
-	segments := strings.Split(signerName, "/")
-	// validate that there is one '/' in the signerName.
-	// we do this after validating the domain segment to provide more info to the user.
-	if len(segments) != 2 {
-		el = append(el, field.Invalid(fldPath, signerName, "must be a fully qualified domain and path of the form 'example.com/signer-name'"))
-		// return early here as we should not continue attempting to validate a missing or malformed path segment
-		// (i.e. one containing multiple or zero `/`)
-		return el
-	}
-
-	// validate that segments[0] is less than 253 characters altogether
-	maxDomainSegmentLength := utilvalidation.DNS1123SubdomainMaxLength
-	if len(segments[0]) > maxDomainSegmentLength {
-		el = append(el, field.TooLong(fldPath, segments[0], maxDomainSegmentLength))
-	}
-	// validate that segments[0] consists of valid DNS1123 labels separated by '.'
-	domainLabels := strings.Split(segments[0], ".")
-	for _, lbl := range domainLabels {
-		// use IsDNS1123Label as we want to ensure the max length of any single label in the domain
-		// is 63 characters
-		if errs := utilvalidation.IsDNS1123Label(lbl); len(errs) > 0 {
-			for _, err := range errs {
-				el = append(el, field.Invalid(fldPath, segments[0], fmt.Sprintf("validating label %q: %s", lbl, err)))
-			}
-			// if we encounter any errors whilst parsing the domain segment, break from
-			// validation as any further error messages will be duplicates, and non-distinguishable
-			// from each other, confusing users.
-			break
-		}
-	}
-
-	// validate that there is at least one '.' in segments[0]
-	if len(domainLabels) < 2 {
-		el = append(el, field.Invalid(fldPath, segments[0], "should be a domain with at least two segments separated by dots"))
-	}
-
-	// validate that segments[1] consists of valid DNS1123 subdomains separated by '.'.
-	pathLabels := strings.Split(segments[1], ".")
-	for _, lbl := range pathLabels {
-		// use IsDNS1123Subdomain because it enforces a length restriction of 253 characters
-		// which is required in order to fit a full resource name into a single 'label'
-		if errs := utilvalidation.IsDNS1123Subdomain(lbl); len(errs) > 0 {
-			for _, err := range errs {
-				el = append(el, field.Invalid(fldPath, segments[1], fmt.Sprintf("validating label %q: %s", lbl, err)))
-			}
-			// if we encounter any errors whilst parsing the path segment, break from
-			// validation as any further error messages will be duplicates, and non-distinguishable
-			// from each other, confusing users.
-			break
-		}
-	}
-
-	// ensure that segments[1] can accommodate a dns label + dns subdomain + '.'
-	maxPathSegmentLength := utilvalidation.DNS1123SubdomainMaxLength + utilvalidation.DNS1123LabelMaxLength + 1
-	maxSignerNameLength := maxDomainSegmentLength + maxPathSegmentLength + 1
-	if len(signerName) > maxSignerNameLength {
-		el = append(el, field.TooLong(fldPath, signerName, maxSignerNameLength))
-	}
-
-	return el
-}
-
 func ValidateCertificateSigningRequestUpdate(newCSR, oldCSR *certificates.CertificateSigningRequest) field.ErrorList {
 	opts := getValidationOptions(newCSR, oldCSR)
 	return validateCertificateSigningRequestUpdate(newCSR, oldCSR, opts)
@@ -539,24 +460,6 @@ func hasDuplicateUsage(usages []certificates.KeyUsage) bool {
 	return false
 }
 
-// We require your name to be prefixed by .spec.signerName
-func validateClusterTrustBundleName(signerName string) func(name string, prefix bool) []string {
-	return func(name string, isPrefix bool) []string {
-		if signerName == "" {
-			if strings.Contains(name, ":") {
-				return []string{"ClusterTrustBundle without signer name must not have \":\" in its name"}
-			}
-			return apimachineryvalidation.NameIsDNSSubdomain(name, isPrefix)
-		}
-
-		requiredPrefix := strings.ReplaceAll(signerName, "/", ":") + ":"
-		if !strings.HasPrefix(name, requiredPrefix) {
-			return []string{fmt.Sprintf("ClusterTrustBundle for signerName %s must be named with prefix %s", signerName, requiredPrefix)}
-		}
-		return apimachineryvalidation.NameIsDNSSubdomain(strings.TrimPrefix(name, requiredPrefix), isPrefix)
-	}
-}
-
 type ValidateClusterTrustBundleOptions struct {
 	SuppressBundleParsing bool
 }
@@ -565,11 +468,11 @@ type ValidateClusterTrustBundleOptions struct {
 func ValidateClusterTrustBundle(bundle *certificates.ClusterTrustBundle, opts ValidateClusterTrustBundleOptions) field.ErrorList {
 	var allErrors field.ErrorList
 
-	metaErrors := apivalidation.ValidateObjectMeta(&bundle.ObjectMeta, false, validateClusterTrustBundleName(bundle.Spec.SignerName), field.NewPath("metadata"))
+	metaErrors := apivalidation.ValidateObjectMeta(&bundle.ObjectMeta, false, apivalidation.ValidateClusterTrustBundleName(bundle.Spec.SignerName), field.NewPath("metadata"))
 	allErrors = append(allErrors, metaErrors...)
 
 	if bundle.Spec.SignerName != "" {
-		signerNameErrors := ValidateSignerName(field.NewPath("spec", "signerName"), bundle.Spec.SignerName)
+		signerNameErrors := apivalidation.ValidateSignerName(field.NewPath("spec", "signerName"), bundle.Spec.SignerName)
 		allErrors = append(allErrors, signerNameErrors...)
 	}