From 0c7d8722bfcf6a06336421d1f33d2d0a94651f40 Mon Sep 17 00:00:00 2001
From: Sempr
Date: Tue, 23 Apr 2019 10:20:51 +0800
Subject: [PATCH 1/2] MOD: support Wildcard DNS for apiserver certSANs
---
.../app/apis/kubeadm/validation/validation.go | 6 ++--
.../kubeadm/validation/validation_test.go | 5 ++++
cmd/kubeadm/app/util/pkiutil/pki_helpers.go | 3 ++
.../app/util/pkiutil/pki_helpers_test.go | 28 +++++++++++++++++++
4 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
index f8331e42bbf..bf1407d7b50 100644
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
@@ -308,8 +308,10 @@ func ValidateCertSANs(altnames []string, fldPath *field.Path) field.ErrorList {
 allErrs := field.ErrorList{}
 for _, altname := range altnames {
 if errs := validation.IsDNS1123Subdomain(altname); len(errs) != 0 {
- if net.ParseIP(altname) == nil {
- allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label: %s", strings.Join(errs, "; "))))
+ if errs2 := validation.IsWildcardDNS1123Subdomain(altname); len(errs2) != 0 {
+ if net.ParseIP(altname) == nil {
+ allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label or Wildcard DNS label: %s; %s", strings.Join(errs, "; "), strings.Join(errs2, "; "))))
+ }
 }
 }
 }
diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go b/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
index 790ebb956dd..7763552cc4d 100644
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go
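Review bot: The added wildcard check deepens the loop body to three nested ifs whose only purpose is to keep `errs` and `errs2` in scope for the message, so the accepted cases are buried and the one reported case sits at the deepest indent; a guard-clause form with `continue` keeps each check at a single level. The three checks are independent and side-effect free, so evaluating the IP check first does not change which names are rejected or what the error says. The same nesting is carried unchanged into the second patch's reword of this message at @@ -310,7 +310,7 @@, so the flattening applies there as well. The allErrs declaration and the function's return lie outside the hunk.
```go
for _, altname := range altnames {
	// An entry is accepted if it is an IP address, a DNS-1123 subdomain,
	// or a wildcard DNS-1123 subdomain; only a name that fails all three
	// is reported, with the reasons from both DNS validators.
	if net.ParseIP(altname) != nil {
		continue
	}
	errs := validation.IsDNS1123Subdomain(altname)
	if len(errs) == 0 {
		continue
	}
	errs2 := validation.IsWildcardDNS1123Subdomain(altname)
	if len(errs2) == 0 {
		continue
	}
	// … unchanged: allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf(…, strings.Join(errs, "; "), strings.Join(errs2, "; ")))) …
}
```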
@@ -144,6 +144,11 @@ func TestValidateCertSANs(t *testing.T) {
 {[]string{"my-hostname2", "my.other.subdomain", "10.0.0.10"}, true}, // supported
 {[]string{"my-hostname", "my.subdomain", "2001:db8::4"}, true}, // supported
 {[]string{"my-hostname2", "my.other.subdomain", "2001:db8::10"}, true}, // supported
+ {[]string{"*.my-hostname2", "*.my.other.subdomain"}, true}, // supported Wildcard DNS label
+ {[]string{"**.my-hostname2", "my.other.subdomain"}, false}, // not a Wildcard DNS label
+ {[]string{"*.*.my-hostname2", "my.other.subdomain"}, false}, // not a Wildcard DNS label
+ {[]string{"a.*.my-hostname2", "my.other.subdomain"}, false}, // not a Wildcard DNS label
+ {[]string{"*", "my.other.subdomain", "2001:db8::10"}, false}, // not a Wildcard DNS label
 }
 for _, rt := range tests {
 actual := ValidateCertSANs(rt.sans, nil)
diff --git a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
index 6f68a01cbc8..7c0d9ea1737 100644
--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
@@ -443,6 +443,7 @@ func getAltNames(cfg *kubeadmapi.InitConfiguration, certName string) (*certutil.
 // altNames is passed in with a pointer, and the struct is modified
 // valid IP address strings are parsed and added to altNames.IPs as net.IP's
 // RFC-1123 compliant DNS strings are added to altNames.DNSNames as strings
+// RFC-1123 compliant wildcard DNS strings are added to altNames.DNSNames as strings
 // certNames is used to print user facing warnings and should be the name of the cert the altNames will be used for
 func appendSANsToAltNames(altNames *certutil.AltNames, SANs []string, certName string) {
 for _, altname := range SANs {
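Review bot: The new comment line on appendSANsToAltNames restates the line above it and leaves "wildcard DNS string" undefined, while the tests in this series only ever accept a single leading `*.` label (`*.abc` is kept; `**.abc`, `*.*.my-hostname2`, `a.*.bc` and a bare `*` are rejected). Suggest folding the two lines into one that states the accepted shape and what it means for the certificate: `// RFC-1123 compliant DNS names, including names with a single leading "*." wildcard label, are added to altNames.DNSNames as strings; a wildcard entry makes the resulting certificate valid for every host under that label`. Whether the validator accepts shapes beyond those the tests cover cannot be seen from this series, so the wording should be checked against IsWildcardDNS1123Subdomain's own documentation.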
@@ -450,6 +451,8 @@ func appendSANsToAltNames(altNames *certutil.AltNames, SANs []string, certName s
 altNames.IPs = append(altNames.IPs, ip)
 } else if len(validation.IsDNS1123Subdomain(altname)) == 0 {
 altNames.DNSNames = append(altNames.DNSNames, altname)
+ } else if len(validation.IsWildcardDNS1123Subdomain(altname)) == 0 {
+ altNames.DNSNames = append(altNames.DNSNames, altname)
 } else {
 fmt.Printf(
 "[certificates] WARNING: '%s' was not added to the '%s' SAN, because it is not a valid IP or RFC-1123 compliant DNS entry\n",
diff --git a/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go b/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
index b4542a2ecc6..f988c6db0d3 100644
--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
@@ -673,3 +673,31 @@ func TestGetEtcdPeerAltNames(t *testing.T) {
 })
 }
 }
+
+func TestAppendSANsToAltNames(t *testing.T) {
+ var tests = []struct {
+ sans []string
+ expected int
+ }{
+ {[]string{}, 0},
+ {[]string{"abc"}, 1},
+ {[]string{"*.abc"}, 1},
+ {[]string{"**.abc"}, 0},
+ {[]string{"a.*.bc"}, 0},
+ {[]string{"a.*.bc", "abc.def"}, 1},
+ {[]string{"a*.bc", "abc.def"}, 1},
+ }
+ for _, rt := range tests {
+ altNames := certutil.AltNames{}
+ appendSANsToAltNames(&altNames, rt.sans, "foo")
+ actual := len(altNames.DNSNames)
+ if actual != rt.expected {
+ t.Errorf(
+ "failed AppendSANsToAltNames Numbers:\n\texpected: %d\n\t actual: %d",
+ rt.expected,
+ actual,
+ )
+ }
+ }
+
+}
From 81e896e16fce762c5e3652c04aa54df726c8edfd Mon Sep 17 00:00:00 2001
From: Sempr
Date: Fri, 26 Apr 2019 09:13:11 +0800
Subject: [PATCH 2/2] MOD: minor comment update for error message
---
cmd/kubeadm/app/apis/kubeadm/validation/validation.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
index bf1407d7b50..3748385866f 100644
--- a/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
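Review bot: The new `else if` branch has exactly the same body as the branch above it, so the two conditions can be joined rather than duplicating the append: `} else if len(validation.IsDNS1123Subdomain(altname)) == 0 || len(validation.IsWildcardDNS1123Subdomain(altname)) == 0 {`. The warning in the trailing `else` still says "RFC-1123 compliant DNS entry", which now under-describes what is accepted; `... because it is not a valid IP or RFC-1123 compliant DNS entry (a single leading "*." wildcard label is allowed)` would keep the message in step with the check. A wildcard entry is accepted without any output even though it makes the certificate match every host under that label, so a one-line `[certificates]`-style notice for accepted wildcards would make that visible at init time. The `fmt.Printf` arguments and the end of the loop are outside the hunk.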
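Review bot: TestAppendSANsToAltNames only compares `len(altNames.DNSNames)`, so the rows that mix a rejected entry with an accepted one (`a.*.bc`/`abc.def` and `a*.bc`/`abc.def`) would still pass if the wrong name had been kept, and the failure message does not say which input failed. Comparing the resulting names against an expected slice (nil when nothing should be added, which is what the untouched zero value holds) and printing `rt.sans` pins both; this needs `reflect` in the file's imports if it is not already there. The IPs side of the struct is not exercised, so a row carrying an IP address would round out the table.
```go
var tests = []struct {
	sans     []string
	expected []string // nil when nothing should be added
}{
	{[]string{}, nil},
	{[]string{"abc"}, []string{"abc"}},
	{[]string{"*.abc"}, []string{"*.abc"}},
	{[]string{"**.abc"}, nil},
	{[]string{"a.*.bc"}, nil},
	{[]string{"a.*.bc", "abc.def"}, []string{"abc.def"}},
	{[]string{"a*.bc", "abc.def"}, []string{"abc.def"}},
}
for _, rt := range tests {
	// … unchanged: altNames setup and the appendSANsToAltNames call …
	if !reflect.DeepEqual(altNames.DNSNames, rt.expected) {
		t.Errorf("appendSANsToAltNames(%v): DNSNames = %v, want %v", rt.sans, altNames.DNSNames, rt.expected)
	}
}
```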
+++ b/cmd/kubeadm/app/apis/kubeadm/validation/validation.go
@@ -310,7 +310,7 @@ func ValidateCertSANs(altnames []string, fldPath *field.Path) field.ErrorList {
 if errs := validation.IsDNS1123Subdomain(altname); len(errs) != 0 {
 if errs2 := validation.IsWildcardDNS1123Subdomain(altname); len(errs2) != 0 {
 if net.ParseIP(altname) == nil {
- allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label or Wildcard DNS label: %s; %s", strings.Join(errs, "; "), strings.Join(errs2, "; "))))
+ allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address, DNS label or a DNS label with subdomain wildcards: %s; %s", strings.Join(errs, "; "), strings.Join(errs2, "; "))))
 }
 }
 }