Validate certificate.spec.secretName is a valid k8s resource name

Signed-off-by: Avi Sharma <avi.08.sh@gmail.com>

Author: avi-08

internal/apis/certmanager/validation/certificate.go

@@ -44,6 +44,10 @@ func ValidateCertificateSpec(crt *internalcmapi.CertificateSpec, fldPath *field.
 	el := field.ErrorList{}
 	if crt.SecretName == "" {
 		el = append(el, field.Required(fldPath.Child("secretName"), "must be specified"))
+	} else {
+		for _, msg := range apivalidation.NameIsDNSSubdomain(crt.SecretName, false) {
+			el = append(el, field.Invalid(fldPath.Child("secretName"), crt.SecretName, msg))
+		}
 	}
 
 	el = append(el, validateIssuerRef(crt.IssuerRef, fldPath)...)

internal/apis/certmanager/validation/certificate_test.go

@@ -142,6 +142,19 @@ func TestValidateCertificate(t *testing.T) {
 			},
 			a: someAdmissionRequest,
 		},
+		"certificate invalid secretName": {
+			cfg: &internalcmapi.Certificate{
+				Spec: internalcmapi.CertificateSpec{
+					CommonName: "testcn",
+					IssuerRef:  validIssuerRef,
+					SecretName: "testFoo",
+				},
+			},
+			errs: []*field.Error{
+				field.Invalid(fldPath.Child("secretName"), "testFoo", "a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')"),
+			},
+			a: someAdmissionRequest,
+		},
 		"certificate with no domains, URIs or common name": {
 			cfg: &internalcmapi.Certificate{
 				Spec: internalcmapi.CertificateSpec{