Merge pull request #54 from mattmoyer/add-dns-san

Make sure we have an explicit DNS SAN on our API serving certificate.
2020-08-12 12:44:43 -05:00 · 2020-08-12 12:44:43 -05:00 · ba0b997234
commit ba0b997234
parent e48d9faf27 864db74306
2 changed files with 6 additions and 3 deletions
--- a/internal/controller/apicerts/certs_manager.go
+++ b/internal/controller/apicerts/certs_manager.go
@ -91,9 +91,10 @@ func (c *certsManagerController) Sync(ctx controller.Context) error {
 	const serviceName = "placeholder-name-api"
 	// Using the CA from above, create a TLS server cert for the aggregated API server to use.
 	serviceEndpoint := serviceName + "." + c.namespace + ".svc"
 	aggregatedAPIServerTLSCert, err := aggregatedAPIServerCA.Issue(
-		pkix.Name{CommonName: serviceName + "." + c.namespace + ".svc"},
+		pkix.Name{CommonName: serviceEndpoint},
-		[]string{},
+		[]string{serviceEndpoint},
 		24*365*time.Hour,
 	)
 	if err != nil {
--- a/internal/controller/apicerts/certs_manager_test.go
+++ b/internal/controller/apicerts/certs_manager_test.go
@ -229,12 +229,14 @@ func TestManagerControllerSync(t *testing.T) {
 					r.NotNil(block)
 					parsedCert, err := x509.ParseCertificate(block.Bytes)
 					r.NoError(err)
 					serviceEndpoint := "placeholder-name-api." + installedInNamespace + ".svc"
 					opts := x509.VerifyOptions{
-						DNSName: "placeholder-name-api." + installedInNamespace + ".svc",
+						DNSName: serviceEndpoint,
 						Roots:   roots,
 					}
 					_, err = parsedCert.Verify(opts)
 					r.NoError(err)
 					r.Contains(parsedCert.DNSNames, serviceEndpoint, "expected an explicit DNS SAN, not just Common Name")
 					// Check the created cert's validity bounds
 					r.WithinDuration(time.Now(), parsedCert.NotBefore, time.Minute*2)