Tom Lebreux 02e46989f2 dynamiclistener: add PruneExistingCN to Config (#301)
Add PruneExistingCN bool to Config (alongside the existing FilterCN).
When true, FilterCN is also applied to the set of CNs already recorded
on the secret via its listener.cattle.io/cn-* annotations at every
operation that reads or merges that set: AddCN, Merge, Renew,
Regenerate, and certificate generation.

Any existing CN that FilterCN would reject is dropped from the
certificate the next time it is written. This gives callers a way to
keep the stored CN set trimmed to a known-valid subset — for example,
pruning IP addresses that are no longer valid endpoints after a rolling
restart — without requiring an explicit delete-and-regenerate cycle.

false (the default) preserves all existing CNs as before (backwards
compatible). No separate filter callback is needed: the same FilterCN
that gates new additions also governs what is kept when
PruneExistingCN is true.

Merge is updated to call generateCert instead of returning an existing
cert unchanged when the cert contains CNs that FilterCN would remove,
ensuring stale entries are pruned on the next storage sync rather than
silently propagated.

The pruneAnnotations call inside generateCert is moved to after
populateCN so the cert and its annotation set stay in sync.

PruneExistingCN is wired through NewListenerWithChain; SANs pre-seeded
in Config.SANs are always preserved via allowDefaultSANs regardless of
the filter.

Add unit tests covering hasStaleCNs, pruneAnnotations, Merge (stale in
target, stale in additional, no stale, PruneExistingCN=false, static
target), Renew, Regenerate, and AddCN.
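The prune semantics the commit message describes, as an added Go illustration that is not dynamiclistener's own code: a cut-down config, one reconcile step that runs FilterCN over the CNs recorded in the secret's listener.cattle.io/cn-* annotations only when PruneExistingCN is set, keeps Config.SANs unconditionally, and reports the staleness that makes Merge regenerate instead of returning the cert unchanged. The annotation layout (value equals the CN), the type and function names, and the sample endpoints are assumptions.

```go
package main

import (
	"slices"
	"strings"
)

// Prefix of the per-CN annotations dynamiclistener records on the secret.
const cnPrefix = "listener.cattle.io/cn-"

// pruneConfig is a cut-down stand-in for the listener Config (assumed shape).
type pruneConfig struct {
	SANs            []string                 // pre-seeded, always kept (allowDefaultSANs)
	FilterCN        func(...string) []string // returns the CNs that may be kept
	PruneExistingCN bool                     // also apply FilterCN to recorded CNs
}

// reconcileCNs returns the sorted CN set the next written cert carries, and whether
// a recorded CN was stale (the check that makes Merge regenerate instead of reusing).
func reconcileCNs(cfg pruneConfig, ann map[string]string) (kept []string, stale bool) {
	var recorded []string
	for k, v := range ann {
		if strings.HasPrefix(k, cnPrefix) { // value assumed to be the CN itself
			recorded = append(recorded, v)
		}
	}
	filtered := recorded
	if cfg.PruneExistingCN && cfg.FilterCN != nil { // default false keeps everything
		filtered = cfg.FilterCN(recorded...)
	}
	stale = len(filtered) != len(recorded)
	kept = append(filtered, cfg.SANs...) // Config.SANs bypass the filter
	slices.Sort(kept)
	return slices.Compact(kept), stale
}

// Constructed sample: the secret still records 10.0.0.9, an IP that stopped being
// a valid endpoint after a rolling restart; node1.internal and 10.0.0.5 are live.
var sampleAnnotations = map[string]string{
	cnPrefix + "node1.internal": "node1.internal",
	cnPrefix + "10.0.0.5":       "10.0.0.5",
	cnPrefix + "10.0.0.9":       "10.0.0.9",
}

// onlyLiveEndpoints stands in for a caller's FilterCN, keeping only live endpoints.
func onlyLiveEndpoints(cns ...string) []string {
	live := map[string]bool{"node1.internal": true, "10.0.0.5": true}
	return slices.DeleteFunc(slices.Clone(cns), func(cn string) bool { return !live[cn] })
}
```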

dynamiclistener

DynamicListener allows you to set up a server with automatically generated (and re-generated) TLS certificates, backed by Kubernetes secrets.

This README is a work in progress; aimed towards providing information for navigating the contents of this repository.

Changing the Expiration Days for Newly Signed Certificates

By default, a newly signed certificate is set to expire 365 days (1 year) after its creation time and date. You can use the CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS environment variable to change this value.

Please note: the value of this variable must be a string representing an unsigned integer, the number of days until expiration (it determines the certificate's X.509 "NotAfter" value).

Versioning

See VERSION.md.
