From 864db743061921a935c15bfa0204bdf449b84a70 Mon Sep 17 00:00:00 2001
From: Matt Moyer
Date: Wed, 12 Aug 2020 11:01:06 -0500
Subject: [PATCH] Make sure we have an explicit DNS SAN on our API serving certificate.

Signed-off-by: Matt Moyer
---
 internal/controller/apicerts/certs_manager.go | 5 +++--
 internal/controller/apicerts/certs_manager_test.go | 4 +++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/internal/controller/apicerts/certs_manager.go b/internal/controller/apicerts/certs_manager.go
index 8cfbcaf9..b817152f 100644
--- a/internal/controller/apicerts/certs_manager.go
+++ b/internal/controller/apicerts/certs_manager.go
@@ -91,9 +91,10 @@ func (c *certsManagerController) Sync(ctx controller.Context) error {
 	const serviceName = "placeholder-name-api"
 
 	// Using the CA from above, create a TLS server cert for the aggregated API server to use.
+	serviceEndpoint := serviceName + "." + c.namespace + ".svc"
 	aggregatedAPIServerTLSCert, err := aggregatedAPIServerCA.Issue(
-		pkix.Name{CommonName: serviceName + "." + c.namespace + ".svc"},
-		[]string{},
+		pkix.Name{CommonName: serviceEndpoint},
+		[]string{serviceEndpoint},
 		24*365*time.Hour,
 	)
 	if err != nil {
diff --git a/internal/controller/apicerts/certs_manager_test.go b/internal/controller/apicerts/certs_manager_test.go
index 00b6a70b..6e2fe36c 100644
--- a/internal/controller/apicerts/certs_manager_test.go
+++ b/internal/controller/apicerts/certs_manager_test.go
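Review bot: The SAN list added at `[]string{serviceEndpoint}` covers only the `<service>.<namespace>.svc` form; since Go 1.15 hostname verification no longer falls back to the CommonName, so a client that reaches the service as `placeholder-name-api`, `placeholder-name-api.<namespace>` or (with the default cluster domain) `placeholder-name-api.<namespace>.svc.cluster.local` will fail the hostname check against this certificate. If those forms are meant to work, issue with `[]string{serviceName, serviceName + "." + c.namespace, serviceEndpoint, serviceEndpoint + ".cluster.local"}`; if only the `.svc` form is supported, a comment on the `serviceEndpoint :=` line such as `// The aggregator always dials <service>.<namespace>.svc, so that is the only SAN we issue.` records the decision. The one-year lifetime in `24*365*time.Hour` is unchanged by this commit and is presumably renewed by the controller elsewhere. Sync's body continues outside the hunk.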
@@ -229,12 +229,14 @@ func TestManagerControllerSync(t *testing.T) {
 	r.NotNil(block)
 	parsedCert, err := x509.ParseCertificate(block.Bytes)
 	r.NoError(err)
+	serviceEndpoint := "placeholder-name-api." + installedInNamespace + ".svc"
 	opts := x509.VerifyOptions{
-		DNSName: "placeholder-name-api." + installedInNamespace + ".svc",
+		DNSName: serviceEndpoint,
 		Roots: roots,
 	}
 	_, err = parsedCert.Verify(opts)
 	r.NoError(err)
+	r.Contains(parsedCert.DNSNames, serviceEndpoint, "expected an explicit DNS SAN, not just Common Name")
 
 	// Check the created cert's validity bounds
 	r.WithinDuration(time.Now(), parsedCert.NotBefore, time.Minute*2)
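Review bot: `r.Contains(parsedCert.DNSNames, serviceEndpoint, ...)` only proves the expected name is present, so the test would keep passing if the issuer later added unintended SANs; pinning the whole set with `r.Equal([]string{serviceEndpoint}, parsedCert.DNSNames, "expected exactly one explicit DNS SAN")` makes the SAN list an explicit contract. The preceding `parsedCert.Verify(opts)` with `DNSName` set is also satisfied by a CN-only certificate on Go versions before 1.15 (or with the CN fallback re-enabled via GODEBUG), which is presumably why the direct check was added; a one-line comment above it, `// Verify may accept CN-only certs on older Go, so check the SAN list directly.`, would record that for the next reader. TestManagerControllerSync starts outside the hunk.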