Skip to content

Simplify the removal of all certificates from a namespace #477

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
shakeelrao merged 3 commits into from
Sep 22, 2025
Merged

Simplify the removal of all certificates from a namespace #477

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4854c14
impl
shakeelrao Sep 22, 2025
3feeb7c
tests
shakeelrao Sep 22, 2025
e7db089
additional test-case
shakeelrao Sep 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 43 additions & 20 deletions app/namespace.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1060,46 +1060,69 @@ func NewNamespaceCommand(getNamespaceClientFn GetNamespaceClientFn) (CommandOut,
CaCertificateFlag,
CaCertificateFileFlag,
caCertificateFingerprintFlag,
&cli.BoolFlag{
Name: "all",
Usage: "If set, all existing certificates will be removed",
},
},
Action: func(ctx *cli.Context) error {
removeAll := ctx.Bool("all")
if removeAll && (ctx.String(caCertificateFingerprintFlagName) != "" ||
ctx.String(CaCertificateFlagName) != "" ||
ctx.Path(CaCertificateFileFlagName) != "") {
return fmt.Errorf("cannot use --all with other certificate flags")
}

n, existingCerts, err := c.parseExistingCerts(ctx)
if err != nil {
return err
}
var certs caCerts
if ctx.String(caCertificateFingerprintFlagName) != "" {
certs, err = removeCertWithFingerprint(
existingCerts,
ctx.String(caCertificateFingerprintFlagName),
)
if err != nil {
return err
}
} else {
readCerts, err := readAndParseCACerts(ctx)
if err != nil {
return err

if removeAll && (n.Spec.AuthMethod == namespace.AUTH_METHOD_MTLS ||
n.Spec.AuthMethod == namespace.AUTH_METHOD_API_KEY_OR_MTLS) {
return fmt.Errorf("cannot remove all certificates when mTLS is enabled")
}

var certBundle string
if !removeAll {
var certs caCerts
if ctx.String(caCertificateFingerprintFlagName) != "" {
certs, err = removeCertWithFingerprint(
existingCerts,
ctx.String(caCertificateFingerprintFlagName),
)
if err != nil {
return err
}
} else {
readCerts, err := readAndParseCACerts(ctx)
if err != nil {
return err
}
certs, err = removeCerts(existingCerts, readCerts)
if err != nil {
return err
}
}
certs, err = removeCerts(existingCerts, readCerts)
certBundle, err = certs.bundle()
if err != nil {
return err
}
}
bundle, err := certs.bundle()
if err != nil {
return err
}
if n.Spec.AcceptedClientCa == bundle {

if n.Spec.AcceptedClientCa == certBundle {
if ctx.Bool(IdempotentFlagName) {
return nil
}
return errors.New("nothing to change")
}
n.Spec.AcceptedClientCa = bundle

n.Spec.AcceptedClientCa = certBundle
y, err := ConfirmPrompt(ctx, "removing ca certificates can cause connectivity disruption if there are any clients using certificates that cannot be verified. confirm remove?")
if err != nil || !y {
return err
}

return c.updateNamespace(ctx, n)
},
},
Expand Down
43 changes: 43 additions & 0 deletions app/namespace_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -634,6 +634,18 @@ func (s *NamespaceTestSuite) TestUpdateRemoveCA() {
expectGet: func(g *namespaceservice.GetNamespaceResponse) {},
args: []string{"namespace", "accepted-client-ca", "remove", "--namespace", ns},
expectErr: true,
}, {
name: "err cert flag with all",
args: []string{"namespace", "accepted-client-ca", "remove", "--namespace", ns, "--ca-certificate", cert1, "--all"},
expectErr: true,
}, {
name: "err cert file flag with all",
args: []string{"namespace", "accepted-client-ca", "remove", "--namespace", ns, "--ca-certificate-file", path, "--all"},
expectErr: true,
}, {
name: "err cert fingerprint flag with all",
args: []string{"namespace", "accepted-client-ca", "remove", "--namespace", ns, "--ca-certificate-fingerprint", cert2fingerprint, "--all"},
expectErr: true,
}, {
name: "remove 1st cert",
args: []string{"n", "ca", "remove", "-n", ns, "--ca-certificate", cert1},
Expand All @@ -648,6 +660,36 @@ func (s *NamespaceTestSuite) TestUpdateRemoveCA() {
expectUpdate: func(r *namespaceservice.UpdateNamespaceRequest) {
r.Spec.AcceptedClientCa = cert1
},
}, {
name: "err remove all certs with mtls",
args: []string{"n", "ca", "remove", "-n", ns, "--all"},
expectGet: func(g *namespaceservice.GetNamespaceResponse) {},
expectErr: true,
}, {
name: "err remove all certs with api_key_or_mtls",
args: []string{"n", "ca", "remove", "-n", ns, "--all"},
expectGet: func(g *namespaceservice.GetNamespaceResponse) {
g.Namespace.Spec.AuthMethod = namespace.AUTH_METHOD_API_KEY_OR_MTLS
},
expectErr: true,
}, {
name: "remove all certs: api_key",
args: []string{"n", "ca", "remove", "-n", ns, "--all"},
expectGet: func(g *namespaceservice.GetNamespaceResponse) {
g.Namespace.Spec.AuthMethod = namespace.AUTH_METHOD_API_KEY
},
expectUpdate: func(r *namespaceservice.UpdateNamespaceRequest) {
r.Spec.AcceptedClientCa = ""
},
}, {
name: "remove all certs: restricted",
args: []string{"n", "ca", "remove", "-n", ns, "--all"},
expectGet: func(g *namespaceservice.GetNamespaceResponse) {
g.Namespace.Spec.AuthMethod = namespace.AUTH_METHOD_RESTRICTED
},
expectUpdate: func(r *namespaceservice.UpdateNamespaceRequest) {
r.Spec.AcceptedClientCa = ""
},
}, {
name: "remove unknown cert",
args: []string{"n", "ca", "r", "-n", ns, "--ca-certificate", cert3},
Expand Down Expand Up @@ -710,6 +752,7 @@ func (s *NamespaceTestSuite) TestUpdateRemoveCA() {
"attr1": namespace.SEARCH_ATTRIBUTE_TYPE_BOOL,
},
RetentionDays: 7,
AuthMethod: namespace.AUTH_METHOD_MTLS,
},
State: namespace.STATE_ACTIVE,
ResourceVersion: "ver1",
Expand Down