diff --git a/pkg/controller/certificates/approver/sarapprove.go b/pkg/controller/certificates/approver/sarapprove.go
index af8fe29d8ab..f07953fab27 100644
--- a/pkg/controller/certificates/approver/sarapprove.go
+++ b/pkg/controller/certificates/approver/sarapprove.go
@@ -173,7 +173,7 @@ func isNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certific
 if !reflect.DeepEqual([]string{"system:nodes"}, x509cr.Subject.Organization) {
 return false
 }
- if (len(x509cr.DNSNames) > 0) || (len(x509cr.EmailAddresses) > 0) || (len(x509cr.IPAddresses) > 0) {
+ if len(x509cr.DNSNames) > 0 || len(x509cr.EmailAddresses) > 0 || len(x509cr.IPAddresses) > 0 || len(x509cr.URIs) > 0 {
 return false
 }
 if !hasExactUsages(csr, kubeletClientUsages) {
diff --git a/pkg/controller/certificates/authority/authority.go b/pkg/controller/certificates/authority/authority.go
index a02833625b6..9120c4bfb93 100644
--- a/pkg/controller/certificates/authority/authority.go
+++ b/pkg/controller/certificates/authority/authority.go
@@ -68,6 +68,7 @@ func (ca *CertificateAuthority) Sign(crDER []byte, policy SigningPolicy) ([]byte
 DNSNames: cr.DNSNames,
 IPAddresses: cr.IPAddresses,
 EmailAddresses: cr.EmailAddresses,
+ URIs: cr.URIs,
 PublicKeyAlgorithm: cr.PublicKeyAlgorithm,
 PublicKey: cr.PublicKey,
 Extensions: cr.Extensions,
diff --git a/pkg/controller/certificates/authority/authority_test.go b/pkg/controller/certificates/authority/authority_test.go
index f2891aec9ff..daf5698c3e8 100644
--- a/pkg/controller/certificates/authority/authority_test.go
+++ b/pkg/controller/certificates/authority/authority_test.go
@@ -23,6 +23,7 @@ import (
 "crypto/x509"
 "crypto/x509/pkix"
 "math/big"
+ "net/url"
 "testing"
 "time"
 
@@ -59,6 +60,11 @@ func TestCertificateAuthority(t *testing.T) {
 t.Fatal(err)
 }
 
+ uri, err := url.Parse("help://me@what:8080/where/when?why=true")
+ if err != nil {
+ t.Fatal(err)
+ }
+
 tests := []struct {
 name string
 cr x509.CertificateRequest
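Review bot: The new SAN guard in isNodeClientCert is a hand-maintained list of the SAN kinds that x509.CertificateRequest exposes (DNSNames, EmailAddresses, IPAddresses, now URIs), and nothing in the hunk records why every kind must be absent or that the list has to track that struct. A comment on the condition such as `// A node client cert is identified by its Subject alone; any SAN of any kind (DNS, email, IP, URI) disqualifies the CSR. Keep this list in step with the SAN fields of x509.CertificateRequest.` would carry that intent to the next person who touches it. The diff also adds no approver-side test for a CSR carrying URI SANs — the only test changes are in authority_test.go — so a rejection case in the approver's tests would be worth adding, presumably alongside the existing isNodeClientCert cases. isNodeClientCert starts before and continues past this hunk.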
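Review bot: Sign now copies cr.URIs into the certificate template verbatim, like the other SAN fields, with no note that these values come straight from the submitted CSR and are not filtered here. A comment above the SAN fields, for example `// SAN fields (DNS, IP, email, URI) are copied unchanged from the CSR; what is acceptable is presumably decided by approval and the SigningPolicy, not by this template.`, would make the trust boundary explicit — hedged, since the policy hook is outside the hunk. Sign's body starts before and continues past this hunk.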
@@ -118,6 +124,19 @@ func TestCertificateAuthority(t *testing.T) {
 BasicConstraintsValid: true,
 },
 },
+ {
+ name: "uri sans",
+ policy: PermissiveSigningPolicy{TTL: time.Hour},
+ cr: x509.CertificateRequest{
+ URIs: []*url.URL{uri},
+ },
+ want: x509.Certificate{
+ URIs: []*url.URL{uri},
+ NotBefore: now,
+ NotAfter: now.Add(1 * time.Hour),
+ BasicConstraintsValid: true,
+ },
+ },
 }
 
 crKey, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
@@ -168,6 +187,9 @@ func TestCertificateAuthority(t *testing.T) {
 cmp.Transformer("RoundTime", func(x time.Time) time.Time {
 return x.Truncate(time.Second)
 }),
+ cmp.Comparer(func(x, y *url.URL) bool {
+ return ((x == nil) && (y == nil)) || x.String() == y.String()
+ }),
 }
 if !cmp.Equal(*cert, test.want, opts) {
 t.Errorf("unexpected diff: %v", cmp.Diff(*cert, test.want, opts))
diff --git a/staging/src/k8s.io/kubectl/pkg/describe/versioned/describe.go b/staging/src/k8s.io/kubectl/pkg/describe/versioned/describe.go
index bc1d039b824..c6f0e69411c 100644
--- a/staging/src/k8s.io/kubectl/pkg/describe/versioned/describe.go
+++ b/staging/src/k8s.io/kubectl/pkg/describe/versioned/describe.go
@@ -3261,10 +3261,15 @@ func describeCertificateSigningRequest(csr *certificatesv1beta1.CertificateSigni
 printListHelper(w, "\t", "StreetAddress", cr.Subject.StreetAddress)
 printListHelper(w, "\t", "PostalCode", cr.Subject.PostalCode)
 
- if len(cr.DNSNames)+len(cr.EmailAddresses)+len(cr.IPAddresses) > 0 {
+ if len(cr.DNSNames)+len(cr.EmailAddresses)+len(cr.IPAddresses)+len(cr.URIs) > 0 {
 w.Write(LEVEL_0, "Subject Alternative Names:\n")
 printListHelper(w, "\t", "DNS Names", cr.DNSNames)
 printListHelper(w, "\t", "Email Addresses", cr.EmailAddresses)
+ var uris []string
+ for _, uri := range cr.URIs {
+ uris = append(uris, uri.String())
+ }
+ printListHelper(w, "\t", "URIs", uris)
 var ipaddrs []string
 for _, ipaddr := range cr.IPAddresses {
 ipaddrs = append(ipaddrs, ipaddr.String())
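Review bot: The added cmp.Comparer for *url.URL panics instead of reporting a mismatch when exactly one side is nil: the `(x == nil) && (y == nil)` clause is false, so evaluation falls through to `x.String()` on a nil pointer. A test that would otherwise fail with a readable cmp.Diff would instead crash, so guard both sides first: `if x == nil || y == nil { return x == y }` followed by `return x.String() == y.String()`. TestCertificateAuthority starts before and continues past this hunk.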
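Review bot: In describeCertificateSigningRequest the new `uris` slice is grown by append even though its final length is known; `uris := make([]string, 0, len(cr.URIs))` avoids the regrowth. The neighbouring `ipaddrs` loop that the new code copies has the same shape, so either pre-size both for consistency or leave both as they are rather than mixing the two styles. The function starts before and continues past this hunk.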