Merge pull request #20 from ibuildthecloud/master

Add ability to limit the maximum number of SANs
2025-05-18 21:10:11 +00:00 · 2020-03-18 23:17:31 -07:00 · 2020-03-18 23:17:31 -07:00 · 763229ddcd
commit 763229ddcd
parent 1e67d402dc 171fcf6b79
2 changed files with 18 additions and 10 deletions
--- a/factory/gen.go
+++ b/factory/gen.go
@ -81,7 +81,7 @@ func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
 		err error
 	)

-	if !NeedsUpdate(secret, cn...) {
+	if !NeedsUpdate(0, secret, cn...) {
 		return secret, false, nil
 	}

@ -137,7 +137,7 @@ func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
 	return secret
 }

-func NeedsUpdate(secret *v1.Secret, cn ...string) bool {
+func NeedsUpdate(maxSANs int, secret *v1.Secret, cn ...string) bool {
 	if secret == nil {
 		return true
 	}
@ -148,6 +148,9 @@ func NeedsUpdate(secret *v1.Secret, cn ...string) bool {

 	for _, cn := range cn {
 		if secret.Annotations[cnPrefix+cn] == "" {
+			if maxSANs > 0 && len(cns(secret)) >= maxSANs {
+				return false
+			}
 			return true
 		}
 	}
--- a/listener.go
+++ b/listener.go
@ -52,6 +52,7 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 		Listener:  l,
 		storage:   &nonNil{storage: storage},
 		sans:      config.SANs,
+		maxSANs:   config.MaxSANs,
 		tlsConfig: config.TLSConfig,
 	}
 	if dynamicListener.tlsConfig == nil {
@ -60,6 +61,9 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 	dynamicListener.tlsConfig.GetCertificate = dynamicListener.getCertificate

 	if config.CloseConnOnCertChange {
+		if len(dynamicListener.tlsConfig.Certificates) == 0 {
+			dynamicListener.tlsConfig.NextProtos = []string{"http/1.1"}
+		}
 		dynamicListener.conns = map[int]*closeWrapper{}
 	}

@ -90,6 +94,7 @@ type Config struct {
 	Organization          []string
 	TLSConfig             *tls.Config
 	SANs                  []string
+	MaxSANs               int
 	ExpirationDaysCheck   int
 	CloseConnOnCertChange bool
 }
@ -108,6 +113,7 @@ type listener struct {
 	tlsConfig *tls.Config
 	cert      *tls.Certificate
 	sans      []string
+	maxSANs   int
 	init      sync.Once
 }

@ -261,7 +267,7 @@ func (l *listener) updateCert(cn ...string) error {
 		return err
 	}

-	if !factory.NeedsUpdate(secret, cn...) {
+	if !factory.NeedsUpdate(l.maxSANs, secret, cn...) {
 		return nil
 	}

@ -281,14 +287,13 @@ func (l *listener) updateCert(cn ...string) error {
 		}
 		// clear version to force cert reload
 		l.version = ""
-	}
-
-	if l.conns != nil {
-		l.connLock.Lock()
-		for _, conn := range l.conns {
-			_ = conn.close()
+		if l.conns != nil {
+			l.connLock.Lock()
+			for _, conn := range l.conns {
+				_ = conn.close()
+			}
+			l.connLock.Unlock()
 		}
-		l.connLock.Unlock()
 	}

 	return nil