diff --git a/pkg/genericapiserver/BUILD b/pkg/genericapiserver/BUILD
index 985ab477c41..02050febe24 100644
--- a/pkg/genericapiserver/BUILD
+++ b/pkg/genericapiserver/BUILD
@@ -65,6 +65,7 @@ go_library(
         "//pkg/util/net:go_default_library",
         "//pkg/util/runtime:go_default_library",
         "//pkg/util/sets:go_default_library",
+        "//pkg/util/validation:go_default_library",
         "//pkg/util/wait:go_default_library",
         "//pkg/version:go_default_library",
         "//vendor:github.com/coreos/go-systemd/daemon",
diff --git a/pkg/genericapiserver/serve.go b/pkg/genericapiserver/serve.go
index ec120b72bd3..bcdf1921288 100644
--- a/pkg/genericapiserver/serve.go
+++ b/pkg/genericapiserver/serve.go
@@ -22,11 +22,13 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"strings"
 	"sync"
 	"time"
 
 	certutil "k8s.io/kubernetes/pkg/util/cert"
 	utilruntime "k8s.io/kubernetes/pkg/util/runtime"
+	"k8s.io/kubernetes/pkg/util/validation"
 
 	"github.com/golang/glog"
 	"github.com/pkg/errors"
@@ -220,8 +222,9 @@ func getNamedCertificateMap(namedCertKeys []NamedCertKey) (map[string]*tls.Certi
 		if err != nil {
 			return nil, fmt.Errorf("parse error for certificate in %q: %v", nkc.CertFile, err)
 		}
-		if len(x509Cert.Subject.CommonName) > 0 {
-			tlsCertsByName[x509Cert.Subject.CommonName] = cert
+		cn := x509Cert.Subject.CommonName
+		if cn == "*" || len(validation.IsDNS1123Subdomain(strings.TrimPrefix(cn, "*."))) == 0 {
+			tlsCertsByName[cn] = cert
 		}
 		for _, san := range x509Cert.DNSNames {
 			tlsCertsByName[san] = cert
diff --git a/pkg/util/cert/cert.go b/pkg/util/cert/cert.go
index ee071e9b612..fff5b38d634 100644
--- a/pkg/util/cert/cert.go
+++ b/pkg/util/cert/cert.go
@@ -138,7 +138,7 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
 	template := x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		Subject: pkix.Name{
-			CommonName: host,
+			CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
 		},
 		NotBefore: time.Now(),
 		NotAfter:  time.Now().Add(time.Hour * 24 * 365),
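Review bot: The new CN check in getNamedCertificateMap rejects any mixed-case CommonName, because `validation.IsDNS1123Subdomain` only accepts lowercase labels, while the SAN loop right below still stores every `x509Cert.DNSNames` entry unvalidated and unnormalized — so a certificate whose CN is `Foo.Example.com` silently loses its map entry although the identical name as a SAN would be kept. Go's TLS server lowercases the client's SNI name before looking it up, so normalizing with `cn := strings.ToLower(x509Cert.Subject.CommonName)` before the check (and arguably the SANs too) would make the two paths consistent, assuming this map ends up in `tls.Config.NameToCertificate`, which is not visible here. A CN that fails the check is now dropped without any trace; an else branch with `glog.V(2).Infof("ignoring non-DNS CommonName %q in %q for SNI", cn, nkc.CertFile)` would let an operator explain an unexpected SNI miss. The `if` condition also deserves a one-line comment stating that only hostnames and `*`/`*.`-prefixed wildcards are eligible as SNI keys. getNamedCertificateMap starts before this hunk and continues past it.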
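Review bot: The new CommonName `host@<unix time>` in GenerateSelfSignedCertKey is no longer a hostname, so any client that still falls back to CN matching (certificates without SANs) will fail hostname verification; this is only safe if host is also appended to template.DNSNames or template.IPAddresses later in the function, which lies outside the hunk — please confirm. The motivation (presumably keeping the self-signed certificate's CN out of the SNI map built in serve.go) is not recorded anywhere; a comment such as `// The CN is deliberately not a DNS name so it is never used as an SNI key; clients must match on the SAN entries.` above the Subject field, plus a sentence in the function's doc comment, would prevent a future "fix" back to `host`. The three separate time.Now() calls (CN, NotBefore, NotAfter) can straddle a second boundary; hoisting `now := time.Now()` before the template and using it in all three keeps the CN timestamp equal to NotBefore. fmt is used here without an import change, so it is presumably already imported in cert.go.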