Make sure we have an explicit DNS SAN on our API serving certificate.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
Matt Moyer 2020-08-12 11:01:06 -05:00
parent e48d9faf27
commit 864db74306
2 changed files with 6 additions and 3 deletions


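--- a/<path-not-shown-on-page-file-1>
+++ b/<path-not-shown-on-page-file-1>
@@ -91,9 +91,10 @@ func (c *certsManagerController) Sync(ctx controller.Context) error {
 const serviceName = "placeholder-name-api"
 // Using the CA from above, create a TLS server cert for the aggregated API server to use.
+serviceEndpoint := serviceName + "." + c.namespace + ".svc"
 aggregatedAPIServerTLSCert, err := aggregatedAPIServerCA.Issue(
-pkix.Name{CommonName: serviceName + "." + c.namespace + ".svc"},
-[]string{},
+pkix.Name{CommonName: serviceEndpoint},
+[]string{serviceEndpoint},
 24*365*time.Hour,
 )
 if err != nil {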
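Review bot: The SAN added via `[]string{serviceEndpoint}` is the actual fix, but nothing in the code says why it is mandatory, so a later cleanup could drop it as redundant with the CommonName; I would extend the comment above the Issue call to `// Using the CA from above, create a TLS server cert for the aggregated API server to use. The endpoint must be listed as a DNS SAN: Go 1.15+ and other modern TLS clients no longer fall back to CommonName for hostname verification.` Only the `<service>.<namespace>.svc` form is listed; if any client is expected to dial the fully-qualified cluster-domain form of the name, it would also need to appear in the SAN list, which cannot be told from this hunk. Sync continues outside the hunk.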


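--- a/<path-not-shown-on-page-file-2>
+++ b/<path-not-shown-on-page-file-2>
@@ -229,12 +229,14 @@ func TestManagerControllerSync(t *testing.T) {
 r.NotNil(block)
 parsedCert, err := x509.ParseCertificate(block.Bytes)
 r.NoError(err)
+serviceEndpoint := "placeholder-name-api." + installedInNamespace + ".svc"
 opts := x509.VerifyOptions{
-DNSName: "placeholder-name-api." + installedInNamespace + ".svc",
+DNSName: serviceEndpoint,
 Roots: roots,
 }
 _, err = parsedCert.Verify(opts)
 r.NoError(err)
+r.Contains(parsedCert.DNSNames, serviceEndpoint, "expected an explicit DNS SAN, not just Common Name")
 // Check the created cert's validity bounds
 r.WithinDuration(time.Now(), parsedCert.NotBefore, time.Minute*2)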
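Review bot: The `parsedCert.Verify(opts)` check on its own can still pass on Go versions that fall back to CommonName, so the added `r.Contains` assertion is what actually pins the SAN requirement; since the certificate is issued for a single endpoint, asserting the whole list, `r.Equal([]string{serviceEndpoint}, parsedCert.DNSNames)`, would additionally catch an unintended extra or wildcard name slipping into the serving certificate. TestManagerControllerSync continues outside the hunk.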