Merge pull request #54 from mattmoyer/add-dns-san

Make sure we have an explicit DNS SAN on our API serving certificate.
This commit is contained in:
Matt Moyer 2020-08-12 12:44:43 -05:00 committed by GitHub
commit ba0b997234
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 3 deletions

View File

@ -91,9 +91,10 @@ func (c *certsManagerController) Sync(ctx controller.Context) error {
const serviceName = "placeholder-name-api"
// Using the CA from above, create a TLS server cert for the aggregated API server to use.
serviceEndpoint := serviceName + "." + c.namespace + ".svc"
aggregatedAPIServerTLSCert, err := aggregatedAPIServerCA.Issue(
pkix.Name{CommonName: serviceName + "." + c.namespace + ".svc"},
[]string{},
pkix.Name{CommonName: serviceEndpoint},
[]string{serviceEndpoint},
24*365*time.Hour,
)
if err != nil {

View File

@ -229,12 +229,14 @@ func TestManagerControllerSync(t *testing.T) {
r.NotNil(block)
parsedCert, err := x509.ParseCertificate(block.Bytes)
r.NoError(err)
serviceEndpoint := "placeholder-name-api." + installedInNamespace + ".svc"
opts := x509.VerifyOptions{
DNSName: "placeholder-name-api." + installedInNamespace + ".svc",
DNSName: serviceEndpoint,
Roots: roots,
}
_, err = parsedCert.Verify(opts)
r.NoError(err)
r.Contains(parsedCert.DNSNames, serviceEndpoint, "expected an explicit DNS SAN, not just Common Name")
// Check the created cert's validity bounds
r.WithinDuration(time.Now(), parsedCert.NotBefore, time.Minute*2)