Extend client-go csr package to invalidate CSRs based on signerName

Kubernetes-commit: c2367bd5da68112ad3031dd33933859dacf8db58
2025-09-22 19:47:08 +00:00 · 2020-03-03 13:14:04 +00:00
parent 133860aa50
commit 0c19a3c0da
2 changed files with 149 additions and 0 deletions
--- a/util/certificate/csr/csr.go
+++ b/util/certificate/csr/csr.go
@@ -150,6 +150,9 @@ func ensureCompatible(new, orig *certificates.CertificateSigningRequest, private
 	if !reflect.DeepEqual(newCSR.Subject, origCSR.Subject) {
 		return fmt.Errorf("csr subjects differ: new: %#v, orig: %#v", newCSR.Subject, origCSR.Subject)
 	}
+	if new.Spec.SignerName != nil && orig.Spec.SignerName != nil && *new.Spec.SignerName != *orig.Spec.SignerName {
+		return fmt.Errorf("csr signerNames differ: new %q, orig: %q", *new.Spec.SignerName, *orig.Spec.SignerName)
+	}
 	signer, ok := privateKey.(crypto.Signer)
 	if !ok {
 		return fmt.Errorf("privateKey is not a signer")