support URI SANs in local signer

pkg/controller/certificates/approver/sarapprove.go

@@ -173,7 +173,7 @@ func isNodeClientCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certific
 	if !reflect.DeepEqual([]string{"system:nodes"}, x509cr.Subject.Organization) {
 		return false
 	}
-	if (len(x509cr.DNSNames) > 0) || (len(x509cr.EmailAddresses) > 0) || (len(x509cr.IPAddresses) > 0) {
+	if len(x509cr.DNSNames) > 0 || len(x509cr.EmailAddresses) > 0 || len(x509cr.IPAddresses) > 0 || len(x509cr.URIs) > 0 {
 		return false
 	}
 	if !hasExactUsages(csr, kubeletClientUsages) {

pkg/controller/certificates/authority/authority.go

@@ -68,6 +68,7 @@ func (ca *CertificateAuthority) Sign(crDER []byte, policy SigningPolicy) ([]byte
 		DNSNames:           cr.DNSNames,
 		IPAddresses:        cr.IPAddresses,
 		EmailAddresses:     cr.EmailAddresses,
+		URIs:               cr.URIs,
 		PublicKeyAlgorithm: cr.PublicKeyAlgorithm,
 		PublicKey:          cr.PublicKey,
 		Extensions:         cr.Extensions,

pkg/controller/certificates/authority/authority_test.go

@@ -23,6 +23,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"math/big"
+	"net/url"
 	"testing"
 	"time"
 
@@ -59,6 +60,11 @@ func TestCertificateAuthority(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	uri, err := url.Parse("help://me@what:8080/where/when?why=true")
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	tests := []struct {
 		name     string
 		cr       x509.CertificateRequest
@@ -118,6 +124,19 @@ func TestCertificateAuthority(t *testing.T) {
 				BasicConstraintsValid: true,
 			},
 		},
+		{
+			name:   "uri sans",
+			policy: PermissiveSigningPolicy{TTL: time.Hour},
+			cr: x509.CertificateRequest{
+				URIs: []*url.URL{uri},
+			},
+			want: x509.Certificate{
+				URIs:                  []*url.URL{uri},
+				NotBefore:             now,
+				NotAfter:              now.Add(1 * time.Hour),
+				BasicConstraintsValid: true,
+			},
+		},
 	}
 
 	crKey, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
@@ -168,6 +187,9 @@ func TestCertificateAuthority(t *testing.T) {
 				cmp.Transformer("RoundTime", func(x time.Time) time.Time {
 					return x.Truncate(time.Second)
 				}),
+				cmp.Comparer(func(x, y *url.URL) bool {
+					return ((x == nil) && (y == nil)) || x.String() == y.String()
+				}),
 			}
 			if !cmp.Equal(*cert, test.want, opts) {
 				t.Errorf("unexpected diff: %v", cmp.Diff(*cert, test.want, opts))

staging/src/k8s.io/kubectl/pkg/describe/versioned/describe.go

@@ -3261,10 +3261,15 @@ func describeCertificateSigningRequest(csr *certificatesv1beta1.CertificateSigni
 		printListHelper(w, "\t", "StreetAddress", cr.Subject.StreetAddress)
 		printListHelper(w, "\t", "PostalCode", cr.Subject.PostalCode)
 
-		if len(cr.DNSNames)+len(cr.EmailAddresses)+len(cr.IPAddresses) > 0 {
+		if len(cr.DNSNames)+len(cr.EmailAddresses)+len(cr.IPAddresses)+len(cr.URIs) > 0 {
 			w.Write(LEVEL_0, "Subject Alternative Names:\n")
 			printListHelper(w, "\t", "DNS Names", cr.DNSNames)
 			printListHelper(w, "\t", "Email Addresses", cr.EmailAddresses)
+			var uris []string
+			for _, uri := range cr.URIs {
+				uris = append(uris, uri.String())
+			}
+			printListHelper(w, "\t", "URIs", uris)
 			var ipaddrs []string
 			for _, ipaddr := range cr.IPAddresses {
 				ipaddrs = append(ipaddrs, ipaddr.String())