Merge pull request #92753 from QianChenglong/fix/kubeadm-altnames

kubeadm: remove duplicate DNS names and IP addresses from generated certificates
Kubernetes Prow Robot 2020-07-09 09:10:20 -07:00 committed by GitHub
commit 82baa26905
3 changed files with 74 additions and 0 deletions


@ -25,6 +25,7 @@ go_library(
"//cmd/kubeadm/app/constants:go_default_library",
"//cmd/kubeadm/app/features:go_default_library",
"//cmd/kubeadm/app/util:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library",
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",


@ -36,6 +36,7 @@ import (
"github.com/pkg/errors"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation"
certutil "k8s.io/client-go/util/cert"
"k8s.io/client-go/util/keyutil"
@ -566,6 +567,8 @@ func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate,
return nil, errors.New("must specify at least one ExtKeyUsage")
}
RemoveDuplicateAltNames(&cfg.AltNames)
certTmpl := x509.Certificate{
Subject: pkix.Name{
CommonName: cfg.CommonName,
@ -585,3 +588,24 @@ func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate,
}
return x509.ParseCertificate(certDERBytes)
}
// RemoveDuplicateAltNames removes duplicate items in altNames.
func RemoveDuplicateAltNames(altNames *certutil.AltNames) {
if altNames == nil {
return
}
if altNames.DNSNames != nil {
altNames.DNSNames = sets.NewString(altNames.DNSNames...).List()
}
ipsKeys := make(map[string]struct{})
var ips []net.IP
for _, one := range altNames.IPs {
if _, ok := ipsKeys[one.String()]; !ok {
ipsKeys[one.String()] = struct{}{}
ips = append(ips, one)
}
}
altNames.IPs = ips
}
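Review bot: The doc comment on RemoveDuplicateAltNames understates what the function does to the caller's data: the DNS branch goes through sets.NewString(...).List(), which returns the names sorted, so the SAN order in the issued certificate no longer matches the order in cfg.AltNames, while the IP branch keeps first-seen order; and since NewSignedCert now calls it on &cfg.AltNames (second hunk, inside a function that starts and ends outside this view), the caller's CertConfig is rewritten in place. The DNS comparison is also byte-exact, so names differing only in case both survive even though dNSName matching is case-insensitive; that is harmless but worth stating. I would expand the comment to: `// RemoveDuplicateAltNames removes duplicate items in altNames in place. DNS names are compared byte-for-byte and returned sorted; IPs are compared by their textual form (so 4- and 16-byte encodings of one IPv4 address collapse) and keep first-seen order.`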


@ -26,6 +26,7 @@ import (
"io/ioutil"
"net"
"os"
"reflect"
"testing"
certutil "k8s.io/client-go/util/cert"
@ -755,3 +756,51 @@ func TestAppendSANsToAltNames(t *testing.T) {
}
}
func TestRemoveDuplicateAltNames(t *testing.T) {
tests := []struct {
args *certutil.AltNames
want *certutil.AltNames
}{
{
&certutil.AltNames{},
&certutil.AltNames{},
},
{
&certutil.AltNames{
DNSNames: []string{"a", "a"},
IPs: []net.IP{{127, 0, 0, 1}},
},
&certutil.AltNames{
DNSNames: []string{"a"},
IPs: []net.IP{{127, 0, 0, 1}},
},
},
{
&certutil.AltNames{
DNSNames: []string{"a"},
IPs: []net.IP{{127, 0, 0, 1}, {127, 0, 0, 1}},
},
&certutil.AltNames{
DNSNames: []string{"a"},
IPs: []net.IP{{127, 0, 0, 1}},
},
},
{
&certutil.AltNames{
DNSNames: []string{"a", "a"},
IPs: []net.IP{{127, 0, 0, 1}, {127, 0, 0, 1}},
},
&certutil.AltNames{
DNSNames: []string{"a"},
IPs: []net.IP{{127, 0, 0, 1}},
},
},
}
for _, tt := range tests {
RemoveDuplicateAltNames(tt.args)
if !reflect.DeepEqual(tt.args, tt.want) {
t.Errorf("Wanted %v, got %v", tt.want, tt.args)
}
}
}
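Review bot: The table in TestRemoveDuplicateAltNames only exercises identical 4-byte IPs and identical strings, so it does not pin the two properties a reader of RemoveDuplicateAltNames needs: that IPs are keyed by textual form and that DNS names come back sorted. A case mixing net.ParseIP("127.0.0.1") (16-byte form) with net.IP{127, 0, 0, 1} should reduce to one entry, e.g. `IPs: []net.IP{net.ParseIP("127.0.0.1"), {127, 0, 0, 1}}` with want `IPs: []net.IP{net.ParseIP("127.0.0.1")}`, and a DNS case such as `DNSNames: []string{"b", "a", "b"}` with want `[]string{"a", "b"}` would document the reordering. Giving each case a name field would also make the `t.Errorf` output locate the failing row rather than printing two struct values.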