github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-12 20:57:20 +00:00
Code Issues Projects Releases Wiki Activity

MOD: support Wildcard DNS for apiserver certSANs

Browse Source
This commit is contained in:
Sempr
2019-04-23 10:20:51 +08:00
parent 33f907a4df
commit 0c7d8722bf
4 changed files with 40 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/kubeadm/app/util/pkiutil/pki_helpers.go
View File

@@ -443,6 +443,7 @@ func getAltNames(cfg *kubeadmapi.InitConfiguration, certName string) (*certutil.
// altNames is passed in with a pointer, and the struct is modified
// valid IP address strings are parsed and added to altNames.IPs as net.IP's
// RFC-1123 compliant DNS strings are added to altNames.DNSNames as strings
// RFC-1123 compliant wildcard DNS strings are added to altNames.DNSNames as strings
// certNames is used to print user facing warnings and should be the name of the cert the altNames will be used for
func appendSANsToAltNames(altNames *certutil.AltNames, SANs []string, certName string) {
for _, altname := range SANs {
@@ -450,6 +451,8 @@ func appendSANsToAltNames(altNames *certutil.AltNames, SANs []string, certName s
altNames.IPs = append(altNames.IPs, ip)
} else if len(validation.IsDNS1123Subdomain(altname)) == 0 {
altNames.DNSNames = append(altNames.DNSNames, altname)
} else if len(validation.IsWildcardDNS1123Subdomain(altname)) == 0 {
altNames.DNSNames = append(altNames.DNSNames, altname)
} else {
fmt.Printf(
"[certificates] WARNING: '%s' was not added to the '%s' SAN, because it is not a valid IP or RFC-1123 compliant DNS entry\n",

28
cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
View File

@@ -673,3 +673,31 @@ func TestGetEtcdPeerAltNames(t *testing.T) {
})
}
}
func TestAppendSANsToAltNames(t *testing.T) {
var tests = []struct {
sans []string
expected int
}{
{[]string{}, 0},
{[]string{"abc"}, 1},
{[]string{"*.abc"}, 1},
{[]string{"**.abc"}, 0},
{[]string{"a.*.bc"}, 0},
{[]string{"a.*.bc", "abc.def"}, 1},
{[]string{"a*.bc", "abc.def"}, 1},
}
for _, rt := range tests {
altNames := certutil.AltNames{}
appendSANsToAltNames(&altNames, rt.sans, "foo")
actual := len(altNames.DNSNames)
if actual != rt.expected {
t.Errorf(
"failed AppendSANsToAltNames Numbers:\n\texpected: %d\n\t actual: %d",
rt.expected,
actual,
)
}
}
}