Merge pull request #76920 from sempr/master

MOD: support wildcard DNS for apiserver certSANs

cmd/kubeadm/app/apis/kubeadm/validation/validation.go

@@ -308,8 +308,10 @@ func ValidateCertSANs(altnames []string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 	for _, altname := range altnames {
 		if errs := validation.IsDNS1123Subdomain(altname); len(errs) != 0 {
-			if net.ParseIP(altname) == nil {
+			if errs2 := validation.IsWildcardDNS1123Subdomain(altname); len(errs2) != 0 {
-				allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address or DNS label: %s", strings.Join(errs, "; "))))
+				if net.ParseIP(altname) == nil {
+					allErrs = append(allErrs, field.Invalid(fldPath, altname, fmt.Sprintf("altname is not a valid IP address, DNS label or a DNS label with subdomain wildcards: %s; %s", strings.Join(errs, "; "), strings.Join(errs2, "; "))))
+				}
 			}
 		}
 	}

cmd/kubeadm/app/apis/kubeadm/validation/validation_test.go

@@ -144,6 +144,11 @@ func TestValidateCertSANs(t *testing.T) {
 		{[]string{"my-hostname2", "my.other.subdomain", "10.0.0.10"}, true},    // supported
 		{[]string{"my-hostname", "my.subdomain", "2001:db8::4"}, true},         // supported
 		{[]string{"my-hostname2", "my.other.subdomain", "2001:db8::10"}, true}, // supported
+		{[]string{"*.my-hostname2", "*.my.other.subdomain"}, true},             // supported Wildcard DNS label
+		{[]string{"**.my-hostname2", "my.other.subdomain"}, false},             // not a Wildcard DNS label
+		{[]string{"*.*.my-hostname2", "my.other.subdomain"}, false},            // not a Wildcard DNS label
+		{[]string{"a.*.my-hostname2", "my.other.subdomain"}, false},            // not a Wildcard DNS label
+		{[]string{"*", "my.other.subdomain", "2001:db8::10"}, false},           // not a Wildcard DNS label
 	}
 	for _, rt := range tests {
 		actual := ValidateCertSANs(rt.sans, nil)

cmd/kubeadm/app/util/pkiutil/pki_helpers.go

@@ -446,6 +446,7 @@ func getAltNames(cfg *kubeadmapi.InitConfiguration, certName string) (*certutil.
 // altNames is passed in with a pointer, and the struct is modified
 // valid IP address strings are parsed and added to altNames.IPs as net.IP's
 // RFC-1123 compliant DNS strings are added to altNames.DNSNames as strings
+// RFC-1123 compliant wildcard DNS strings are added to altNames.DNSNames as strings
 // certNames is used to print user facing warnings and should be the name of the cert the altNames will be used for
 func appendSANsToAltNames(altNames *certutil.AltNames, SANs []string, certName string) {
 	for _, altname := range SANs {
@@ -453,6 +454,8 @@ func appendSANsToAltNames(altNames *certutil.AltNames, SANs []string, certName s
 			altNames.IPs = append(altNames.IPs, ip)
 		} else if len(validation.IsDNS1123Subdomain(altname)) == 0 {
 			altNames.DNSNames = append(altNames.DNSNames, altname)
+		} else if len(validation.IsWildcardDNS1123Subdomain(altname)) == 0 {
+			altNames.DNSNames = append(altNames.DNSNames, altname)
 		} else {
 			fmt.Printf(
 				"[certificates] WARNING: '%s' was not added to the '%s' SAN, because it is not a valid IP or RFC-1123 compliant DNS entry\n",

cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go

@@ -704,3 +704,31 @@ func TestGetEtcdPeerAltNames(t *testing.T) {
 		})
 	}
 }
+
+func TestAppendSANsToAltNames(t *testing.T) {
+	var tests = []struct {
+		sans     []string
+		expected int
+	}{
+		{[]string{}, 0},
+		{[]string{"abc"}, 1},
+		{[]string{"*.abc"}, 1},
+		{[]string{"**.abc"}, 0},
+		{[]string{"a.*.bc"}, 0},
+		{[]string{"a.*.bc", "abc.def"}, 1},
+		{[]string{"a*.bc", "abc.def"}, 1},
+	}
+	for _, rt := range tests {
+		altNames := certutil.AltNames{}
+		appendSANsToAltNames(&altNames, rt.sans, "foo")
+		actual := len(altNames.DNSNames)
+		if actual != rt.expected {
+			t.Errorf(
+				"failed AppendSANsToAltNames Numbers:\n\texpected: %d\n\t  actual: %d",
+				rt.expected,
+				actual,
+			)
+		}
+	}
+
+}