From 05d7922a864853a8da233cc806f8bb14b7a534c3 Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Wed, 18 Mar 2020 23:15:44 -0700
Subject: [PATCH 1/2] Add ability to limit the maximum number of SANs
---
 factory/gen.go | 7 +++++--
 listener.go | 5 ++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/factory/gen.go b/factory/gen.go
index bd47fc6..7256693 100644
--- a/factory/gen.go
+++ b/factory/gen.go
@@ -81,7 +81,7 @@ func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
 err error
 )
- if !NeedsUpdate(secret, cn...) {
+ if !NeedsUpdate(0, secret, cn...) {
 return secret, false, nil
 }
@@ -137,7 +137,7 @@ func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
 return secret
 }
-func NeedsUpdate(secret *v1.Secret, cn ...string) bool {
+func NeedsUpdate(maxSANs int, secret *v1.Secret, cn ...string) bool {
 if secret == nil {
 return true
 }
@@ -148,6 +148,9 @@ func NeedsUpdate(secret *v1.Secret, cn ...string) bool {
 for _, cn := range cn {
 if secret.Annotations[cnPrefix+cn] == "" {
+ if maxSANs > 0 && len(cns(secret)) >= maxSANs {
+ return false
+ }
 return true
 }
 }
diff --git a/listener.go b/listener.go
index 5142e61..27b0c5b 100644
--- a/listener.go
+++ b/listener.go
@@ -52,6 +52,7 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 Listener: l,
 storage: &nonNil{storage: storage},
 sans: config.SANs,
+ maxSANs: config.MaxSANs,
 tlsConfig: config.TLSConfig,
 }
 if dynamicListener.tlsConfig == nil {
@@ -90,6 +91,7 @@ type Config struct {
 Organization []string
 TLSConfig *tls.Config
 SANs []string
+ MaxSANs int
 ExpirationDaysCheck int
 CloseConnOnCertChange bool
 }
@@ -108,6 +110,7 @@ type listener struct {
 tlsConfig *tls.Config
 cert *tls.Certificate
 sans []string
+ maxSANs int
 init sync.Once
 }
@@ -261,7 +264,7 @@ func (l *listener) updateCert(cn ...string) error {
 return err
 }
- if !factory.NeedsUpdate(secret, cn...) {
+ if !factory.NeedsUpdate(l.maxSANs, secret, cn...) {
 return nil
 }
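Review bot: The literal `0` on the `+ if !NeedsUpdate(0, secret, cn...) {` line switches the cap off for every AddCN caller, so after this patch the SAN limit only guards the listener's updateCert path. If that is deliberate it should be stated at the call, e.g. `// 0: no SAN cap here; AddCN is an explicit caller request, the cap only applies to the listener's SNI-driven updates`. If anything that takes hostnames from clients can reach AddCN, it should plumb a limit instead of hard-wiring none. AddCN's body starts before and continues past this hunk.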
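Review bot: NeedsUpdate is exported and the new parameter on the `+func NeedsUpdate(maxSANs int, secret *v1.Secret, cn ...string) bool {` line has semantics a caller cannot read off the signature: 0 means no cap, and a `false` result now also means "refused by the cap", not only "every name is already covered". Add a doc comment above the signature saying that maxSANs caps how many SANs the secret may hold (0 or negative for unlimited), that the function reports true when some name in cn is missing from the secret's cnPrefix annotations, and that it reports false both when nothing is missing and when the cap would be hit, so callers cannot tell those two apart. The function's body continues past this hunk.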
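Review bot: The check on the `+ if maxSANs > 0 && len(cns(secret)) >= maxSANs {` line only counts the SANs the secret already holds, so one call carrying several new names is admitted as long as a single slot is free; if the caller then adds every name in cn (updateCert's body is outside this hunk) the certificate overshoots the cap by up to len(cn)-1. It also recomputes cns(secret) for every missing name, although the secret does not change inside the loop. Counting the missing names first and refusing the whole batch when existing+missing would exceed the cap keeps the limit hard; note that duplicate names in cn would count twice, so dedupe if callers can pass them. NeedsUpdate starts before this hunk and whatever follows the loop is outside it, so the rewrite below keeps the fall-through.
```go
	// … unchanged: nil-secret and earlier checks …
	missing := 0
	for _, cn := range cn {
		if secret.Annotations[cnPrefix+cn] == "" {
			missing++
		}
	}
	// Refuse the whole batch when it would push the secret past the cap
	// (0 means unlimited), so a caller that adds all of cn at once cannot
	// overshoot the limit by len(cn)-1.
	if missing > 0 && maxSANs > 0 && len(cns(secret))+missing > maxSANs {
		return false
	}
	if missing > 0 {
		return true
	}
	// … unchanged: whatever follows the loop …
```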
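Review bot: MaxSANs on the `+ MaxSANs int` line is the one field in Config whose zero value is a special case — 0 means unlimited, and factory.NeedsUpdate only tests `maxSANs > 0`, so a negative value behaves the same — and its failure mode is invisible from the field: a hostname requested once the cap is reached is simply never added, so the handshake for that SNI is served a certificate that does not name it. Put that on the field, e.g. `// MaxSANs caps how many SANs the dynamic certificate may accumulate; 0 means no limit.` followed by `// Once the cap is reached, further requested names are dropped silently and are not covered by the served certificate.` Callers choosing a value also need to know whether the static SANs count against it; that is decided outside this hunk and should be stated here once confirmed.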
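Review bot: When the cap is hit, factory.NeedsUpdate returns false and the `return nil` after the `+ if !factory.NeedsUpdate(l.maxSANs, secret, cn...) {` line treats that exactly like "already covered": nothing is logged and the caller is told the hostname is fine, while the certificate presented for that name does not include it. Since the cap is presumably there so a client cannot inflate the certificate through arbitrary SNI values (getCertificate is installed on the listener's tls.Config, but whether it feeds updateCert is outside the hunk), it also means whoever reaches the listener first can consume the slots before legitimate names arrive; make sure the statically configured l.sans are applied before any client-driven name, and log here when the limit refuses one. The factory gives no way to distinguish the two false outcomes and its cns helper is unexported, so either expose the cap decision from the factory or add a small exported counter for this call site to use. The rest of updateCert is outside the hunk.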
From 171fcf6b79f8f43db9eebd2ddbe030f7100d3eb9 Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Wed, 18 Mar 2020 23:16:11 -0700
Subject: [PATCH 2/2] If connection closing is enabled then don't support HTTP/2
---
 listener.go | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/listener.go b/listener.go
index 27b0c5b..2d61de4 100644
--- a/listener.go
+++ b/listener.go
@@ -61,6 +61,9 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 dynamicListener.tlsConfig.GetCertificate = dynamicListener.getCertificate
 if config.CloseConnOnCertChange {
+ if len(dynamicListener.tlsConfig.Certificates) == 0 {
+ dynamicListener.tlsConfig.NextProtos = []string{"http/1.1"}
+ }
 dynamicListener.conns = map[int]*closeWrapper{}
 }
@@ -284,14 +287,13 @@ func (l *listener) updateCert(cn ...string) error {
 }
 // clear version to force cert reload
 l.version = ""
- }
-
- if l.conns != nil {
- l.connLock.Lock()
- for _, conn := range l.conns {
- _ = conn.close()
+ if l.conns != nil {
+ l.connLock.Lock()
+ for _, conn := range l.conns {
+ _ = conn.close()
+ }
+ l.connLock.Unlock()
 }
- l.connLock.Unlock()
 }
 return nil
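Review bot: The assignment on the `+ dynamicListener.tlsConfig.NextProtos = []string{"http/1.1"}` line silently overwrites whatever ALPN list the caller put on config.TLSConfig — an explicit `h2`, or a non-HTTP protocol name, is lost with no error. If HTTP/2 genuinely cannot survive the connection-closing path, say so both on Config.CloseConnOnCertChange and here, e.g. `// closing a connection under HTTP/2 kills every multiplexed stream on it, so advertise only HTTP/1.1; net/http only upgrades connections whose ALPN negotiated "h2"`; otherwise apply the default only when `len(dynamicListener.tlsConfig.NextProtos) == 0`. The reason for gating on `len(Certificates) == 0` is also unstated — presumably a static certificate never changes so no connection is ever closed — and deserves a comment, since getCertificate is installed unconditionally on the line above. NewListener continues outside the hunk.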
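Review bot: Every tracked connection is now closed while connLock is held, between the `+ l.connLock.Lock()` and `+ l.connLock.Unlock()` lines; closeWrapper.close is outside the hunk, so confirm it does not itself take connLock to remove its entry from l.conns (that would deadlock) and that registering a new connection does not have to wait behind the whole round of closes. Snapshotting the wrappers under the lock and closing them after releasing it avoids both hazards, and deleting from a Go map during its own range is safe if close() does that instead. The outer `if` whose body this loop now belongs to starts before the hunk, so its condition — presumably "the certificate actually changed", given the version reset just above — cannot be checked here, and the error from close() is still discarded as before.
```go
		if l.conns != nil {
			// Snapshot under the lock, close outside it: close() must not
			// need connLock, and new connections must not queue behind us.
			l.connLock.Lock()
			conns := make([]*closeWrapper, 0, len(l.conns))
			for _, conn := range l.conns {
				conns = append(conns, conn)
			}
			l.connLock.Unlock()
			for _, conn := range conns {
				_ = conn.close()
			}
		}
```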