Merge pull request #92753 from QianChenglong/fix/kubeadm-altnames
kubeadm: remove duplicate DNS names and IP addresses from generated certificates
commit
82baa26905
@ -25,6 +25,7 @@ go_library(
|
||||
"//cmd/kubeadm/app/constants:go_default_library",
|
||||
"//cmd/kubeadm/app/features:go_default_library",
|
||||
"//cmd/kubeadm/app/util:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||
"//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/util/cert:go_default_library",
|
||||
"//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
|
||||
|
@ -36,6 +36,7 @@ import (
|
||||
|
||||
"github.com/pkg/errors"
|
||||
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/apimachinery/pkg/util/validation"
|
||||
certutil "k8s.io/client-go/util/cert"
|
||||
"k8s.io/client-go/util/keyutil"
|
||||
@ -566,6 +567,8 @@ func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate,
|
||||
return nil, errors.New("must specify at least one ExtKeyUsage")
|
||||
}
|
||||
|
||||
RemoveDuplicateAltNames(&cfg.AltNames)
|
||||
|
||||
certTmpl := x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
CommonName: cfg.CommonName,
|
||||
@ -585,3 +588,24 @@ func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate,
|
||||
}
|
||||
return x509.ParseCertificate(certDERBytes)
|
||||
}
|
||||
|
||||
// RemoveDuplicateAltNames removes duplicate items in altNames.
|
||||
func RemoveDuplicateAltNames(altNames *certutil.AltNames) {
|
||||
if altNames == nil {
|
||||
return
|
||||
}
|
||||
|
||||
if altNames.DNSNames != nil {
|
||||
altNames.DNSNames = sets.NewString(altNames.DNSNames...).List()
|
||||
}
|
||||
|
||||
ipsKeys := make(map[string]struct{})
|
||||
var ips []net.IP
|
||||
for _, one := range altNames.IPs {
|
||||
if _, ok := ipsKeys[one.String()]; !ok {
|
||||
ipsKeys[one.String()] = struct{}{}
|
||||
ips = append(ips, one)
|
||||
}
|
||||
}
|
||||
altNames.IPs = ips
|
||||
}
|
||||
|
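Review bot: The doc comment on RemoveDuplicateAltNames does not say that it rewrites the caller's struct in place or that DNS names come back sorted, because `sets.NewString(altNames.DNSNames...).List()` returns a sorted slice. Through the new call in NewSignedCert (whose body starts outside this hunk), signing a certificate now reorders the caller's `cfg.AltNames` as a side effect. DNS names are compared byte-for-byte, so two entries that differ only in case both remain in the SAN list, while IPs are keyed by `one.String()` and keep first-seen order. I would spell this out in the comment, for example `// RemoveDuplicateAltNames removes duplicate DNS names and IPs from altNames in place. DNS names are compared case-sensitively and returned sorted; IPs keep first-seen order.`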
@ -26,6 +26,7 @@ import (
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"os"
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
certutil "k8s.io/client-go/util/cert"
|
||||
@ -755,3 +756,51 @@ func TestAppendSANsToAltNames(t *testing.T) {
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
func TestRemoveDuplicateAltNames(t *testing.T) {
|
||||
tests := []struct {
|
||||
args *certutil.AltNames
|
||||
want *certutil.AltNames
|
||||
}{
|
||||
{
|
||||
&certutil.AltNames{},
|
||||
&certutil.AltNames{},
|
||||
},
|
||||
{
|
||||
&certutil.AltNames{
|
||||
DNSNames: []string{"a", "a"},
|
||||
IPs: []net.IP{{127, 0, 0, 1}},
|
||||
},
|
||||
&certutil.AltNames{
|
||||
DNSNames: []string{"a"},
|
||||
IPs: []net.IP{{127, 0, 0, 1}},
|
||||
},
|
||||
},
|
||||
{
|
||||
&certutil.AltNames{
|
||||
DNSNames: []string{"a"},
|
||||
IPs: []net.IP{{127, 0, 0, 1}, {127, 0, 0, 1}},
|
||||
},
|
||||
&certutil.AltNames{
|
||||
DNSNames: []string{"a"},
|
||||
IPs: []net.IP{{127, 0, 0, 1}},
|
||||
},
|
||||
},
|
||||
{
|
||||
&certutil.AltNames{
|
||||
DNSNames: []string{"a", "a"},
|
||||
IPs: []net.IP{{127, 0, 0, 1}, {127, 0, 0, 1}},
|
||||
},
|
||||
&certutil.AltNames{
|
||||
DNSNames: []string{"a"},
|
||||
IPs: []net.IP{{127, 0, 0, 1}},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
RemoveDuplicateAltNames(tt.args)
|
||||
if !reflect.DeepEqual(tt.args, tt.want) {
|
||||
t.Errorf("Wanted %v, got %v", tt.want, tt.args)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
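Review bot: The table in TestRemoveDuplicateAltNames only feeds byte-identical duplicates (`"a", "a"` and two 4-byte `{127, 0, 0, 1}` literals), so it does not pin the behaviours that decide what ends up in the certificate's SAN list. Since the function keys IPs by `one.String()`, a case mixing the 4-byte and 16-byte forms would document that they collapse: `{&certutil.AltNames{IPs: []net.IP{{127, 0, 0, 1}, net.ParseIP("127.0.0.1")}}, &certutil.AltNames{IPs: []net.IP{{127, 0, 0, 1}}}},`. A case with distinct unsorted names such as `DNSNames: []string{"b", "a", "b"}` expecting `[]string{"a", "b"}` would pin the sorting, and a bare `RemoveDuplicateAltNames(nil)` call would cover the nil guard.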