support URI SANs in local signer

2025-09-20 09:33:52 +00:00 · 2019-11-04 08:08:59 -08:00
parent fe51712288
commit 6a004d0c18
4 changed files with 30 additions and 2 deletions
--- a/pkg/controller/certificates/approver/sarapprove.go
+++ b/pkg/controller/certificates/approver/sarapprove.go
@@ -173,7 +173,7 @@ func isNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certific
 	if !reflect.DeepEqual([]string{"system:nodes"}, x509cr.Subject.Organization) {
 		return false
 	}
-	if (len(x509cr.DNSNames) > 0) || (len(x509cr.EmailAddresses) > 0) || (len(x509cr.IPAddresses) > 0) {
+	if len(x509cr.DNSNames) > 0 || len(x509cr.EmailAddresses) > 0 || len(x509cr.IPAddresses) > 0 || len(x509cr.URIs) > 0 {
 		return false
 	}
 	if !hasExactUsages(csr, kubeletClientUsages) {
--- a/pkg/controller/certificates/authority/authority.go
+++ b/pkg/controller/certificates/authority/authority.go
@@ -68,6 +68,7 @@ func (ca *CertificateAuthority) Sign(crDER []byte, policy SigningPolicy) ([]byte
 		DNSNames:           cr.DNSNames,
 		IPAddresses:        cr.IPAddresses,
 		EmailAddresses:     cr.EmailAddresses,
+		URIs:               cr.URIs,
 		PublicKeyAlgorithm: cr.PublicKeyAlgorithm,
 		PublicKey:          cr.PublicKey,
 		Extensions:         cr.Extensions,
--- a/pkg/controller/certificates/authority/authority_test.go
+++ b/pkg/controller/certificates/authority/authority_test.go
@@ -23,6 +23,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"math/big"
+	"net/url"
 	"testing"
 	"time"

@@ -59,6 +60,11 @@ func TestCertificateAuthority(t *testing.T) {
 		t.Fatal(err)
 	}

+	uri, err := url.Parse("help://me@what:8080/where/when?why=true")
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	tests := []struct {
 		name     string
 		cr       x509.CertificateRequest
@@ -118,6 +124,19 @@ func TestCertificateAuthority(t *testing.T) {
 				BasicConstraintsValid: true,
 			},
 		},
+		{
+			name:   "uri sans",
+			policy: PermissiveSigningPolicy{TTL: time.Hour},
+			cr: x509.CertificateRequest{
+				URIs: []*url.URL{uri},
+			},
+			want: x509.Certificate{
+				URIs:                  []*url.URL{uri},
+				NotBefore:             now,
+				NotAfter:              now.Add(1 * time.Hour),
+				BasicConstraintsValid: true,
+			},
+		},
 	}

 	crKey, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
@@ -168,6 +187,9 @@ func TestCertificateAuthority(t *testing.T) {
 				cmp.Transformer("RoundTime", func(x time.Time) time.Time {
 					return x.Truncate(time.Second)
 				}),
+				cmp.Comparer(func(x, y *url.URL) bool {
+					return ((x == nil) && (y == nil)) || x.String() == y.String()
+				}),
 			}
 			if !cmp.Equal(*cert, test.want, opts) {
 				t.Errorf("unexpected diff: %v", cmp.Diff(*cert, test.want, opts))