Add ability to confirm adding new CNs

2025-06-26 22:56:53 +00:00 · 2020-04-02 22:08:36 -07:00 · 2020-04-02 22:08:36 -07:00 · 4bac3f291f
commit 4bac3f291f
parent c992ce309c
1 changed files with 8 additions and 0 deletions
--- a/listener.go
+++ b/listener.go
@ -25,6 +25,7 @@ type TLSFactory interface {
 	Refresh(secret *v1.Secret) (*v1.Secret, error)
 	AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error)
 	Merge(target *v1.Secret, additional *v1.Secret) (*v1.Secret, bool, error)
+	Filter(cn ...string) []string
 }

 type SetFactory interface {
@ -48,6 +49,7 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 			CAKey:        caKey,
 			CN:           config.CN,
 			Organization: config.Organization,
+			FilterCN:     config.FilterCN,
 		},
 		Listener:  l,
 		storage:   &nonNil{storage: storage},
@ -97,6 +99,7 @@ type Config struct {
 	MaxSANs               int
 	ExpirationDaysCheck   int
 	CloseConnOnCertChange bool
+	FilterCN              func(...string) []string
 }

 type listener struct {
@ -259,6 +262,11 @@ func (l *listener) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate,
 }

 func (l *listener) updateCert(cn ...string) error {
+	cn = l.factory.Filter(cn...)
+	if len(cn) == 0 {
+		return nil
+	}
+
 	l.RLock()
 	defer l.RUnlock()