From 883f318df42d13b6a7624831fd26a6b9eb269d05 Mon Sep 17 00:00:00 2001
From: QianChenglong
Date: Fri, 3 Jul 2020 12:14:36 +0800
Subject: [PATCH] Fix duplicate altnames in cert

---
 cmd/kubeadm/app/util/pkiutil/BUILD          |  1 +
 cmd/kubeadm/app/util/pkiutil/pki_helpers.go | 24 +++++++++
 .../app/util/pkiutil/pki_helpers_test.go    | 49 +++++++++++++++++++
 3 files changed, 74 insertions(+)

diff --git a/cmd/kubeadm/app/util/pkiutil/BUILD b/cmd/kubeadm/app/util/pkiutil/BUILD
index 09b28062edd..9c77a4e9c5e 100644
--- a/cmd/kubeadm/app/util/pkiutil/BUILD
+++ b/cmd/kubeadm/app/util/pkiutil/BUILD
@@ -25,6 +25,7 @@ go_library(
         "//cmd/kubeadm/app/constants:go_default_library",
         "//cmd/kubeadm/app/features:go_default_library",
         "//cmd/kubeadm/app/util:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library",
         "//staging/src/k8s.io/client-go/util/cert:go_default_library",
         "//staging/src/k8s.io/client-go/util/keyutil:go_default_library",
diff --git a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
index dbcab85bf3f..a762e522145 100644
--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
@@ -36,6 +36,7 @@ import (
 
 	"github.com/pkg/errors"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation"
 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/keyutil"
@@ -566,6 +567,8 @@ func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate,
 		return nil, errors.New("must specify at least one ExtKeyUsage")
 	}
 
+	RemoveDuplicateAltNames(&cfg.AltNames)
+
 	certTmpl := x509.Certificate{
 		Subject: pkix.Name{
 			CommonName: cfg.CommonName,
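Review bot: The added `RemoveDuplicateAltNames(&cfg.AltNames)` mutates the caller's CertConfig as a side effect of NewSignedCert, and because the DNS path goes through a string set the caller's `cfg.AltNames.DNSNames` comes back sorted as well as deduplicated, which a caller that reuses cfg afterwards (logging, a CSR, a second cert) may not expect. Deduplicating a local copy keeps the public behaviour of NewSignedCert limited to its return value: `altNames := cfg.AltNames` then `RemoveDuplicateAltNames(&altNames)`, and the SAN fields of certTmpl below the hunk would read from `altNames` instead of `cfg.AltNames`. If other builders in this file derive SANs from cfg.AltNames (a CSR path, for instance), they presumably need the same de-duplication, since only this call site is changed. NewSignedCert begins and ends outside the hunk.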
@@ -585,3 +588,24 @@ func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate,
 	}
 	return x509.ParseCertificate(certDERBytes)
 }
+
+// RemoveDuplicateAltNames removes duplicate items in altNames.
+func RemoveDuplicateAltNames(altNames *certutil.AltNames) {
+	if altNames == nil {
+		return
+	}
+
+	if altNames.DNSNames != nil {
+		altNames.DNSNames = sets.NewString(altNames.DNSNames...).List()
+	}
+
+	ipsKeys := make(map[string]struct{})
+	var ips []net.IP
+	for _, one := range altNames.IPs {
+		if _, ok := ipsKeys[one.String()]; !ok {
+			ipsKeys[one.String()] = struct{}{}
+			ips = append(ips, one)
+		}
+	}
+	altNames.IPs = ips
+}
diff --git a/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go b/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
index 2c7832f73f9..ca411adf45f 100644
--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
@@ -26,6 +26,7 @@ import (
 	"io/ioutil"
 	"net"
 	"os"
+	"reflect"
 	"testing"
 
 	certutil "k8s.io/client-go/util/cert"
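Review bot: The two de-duplication paths in RemoveDuplicateAltNames disagree on ordering: `sets.NewString(altNames.DNSNames...).List()` returns the DNS names sorted, while the IP loop keeps first-seen order, and the doc comment promises only that duplicates are removed, so the reordering of the DNS SANs is an undocumented behaviour change. An order-preserving loop for DNS names, mirroring the IP loop, makes the function do exactly what its comment says and would also drop the need for the new `sets` import and BUILD dependency. Keying the IP loop on `one.String()` deliberately collapses the 4-byte and 16-byte encodings of the same IPv4 address into one entry, which is worth stating: `// key on the textual form so 4- and 16-byte encodings of one IPv4 address dedupe together`. Note also that `altNames.IPs = ips` turns an empty non-nil IPs slice into nil, whereas the `altNames.DNSNames != nil` guard preserves nil for DNS names; the asymmetry is harmless for x509 but surprising under reflect.DeepEqual.
```go
	// Keep first-seen order for both kinds of SAN, as the comment promises only de-duplication.
	if altNames.DNSNames != nil {
		seen := make(map[string]struct{}, len(altNames.DNSNames))
		dnsNames := make([]string, 0, len(altNames.DNSNames))
		for _, name := range altNames.DNSNames {
			if _, ok := seen[name]; ok {
				continue
			}
			seen[name] = struct{}{}
			dnsNames = append(dnsNames, name)
		}
		altNames.DNSNames = dnsNames
	}
	// … unchanged: IP de-duplication loop …
```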
@@ -755,3 +756,51 @@ func TestAppendSANsToAltNames(t *testing.T) {
 		}
 	}
 }
+
+func TestRemoveDuplicateAltNames(t *testing.T) {
+	tests := []struct {
+		args *certutil.AltNames
+		want *certutil.AltNames
+	}{
+		{
+			&certutil.AltNames{},
+			&certutil.AltNames{},
+		},
+		{
+			&certutil.AltNames{
+				DNSNames: []string{"a", "a"},
+				IPs:      []net.IP{{127, 0, 0, 1}},
+			},
+			&certutil.AltNames{
+				DNSNames: []string{"a"},
+				IPs:      []net.IP{{127, 0, 0, 1}},
+			},
+		},
+		{
+			&certutil.AltNames{
+				DNSNames: []string{"a"},
+				IPs:      []net.IP{{127, 0, 0, 1}, {127, 0, 0, 1}},
+			},
+			&certutil.AltNames{
+				DNSNames: []string{"a"},
+				IPs:      []net.IP{{127, 0, 0, 1}},
+			},
+		},
+		{
+			&certutil.AltNames{
+				DNSNames: []string{"a", "a"},
+				IPs:      []net.IP{{127, 0, 0, 1}, {127, 0, 0, 1}},
+			},
+			&certutil.AltNames{
+				DNSNames: []string{"a"},
+				IPs:      []net.IP{{127, 0, 0, 1}},
+			},
+		},
+	}
+	for _, tt := range tests {
+		RemoveDuplicateAltNames(tt.args)
+		if !reflect.DeepEqual(tt.args, tt.want) {
+			t.Errorf("Wanted %v, got %v", tt.want, tt.args)
+		}
+	}
+}
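Review bot: Every table entry in TestRemoveDuplicateAltNames holds at most one distinct DNS name and one distinct IP, so the test cannot tell sorted output from order-preserving output and never exercises the nil-versus-empty result that `reflect.DeepEqual` does distinguish. A case with several distinct values pins the intended ordering, e.g. input `DNSNames: []string{"b", "a", "b"}, IPs: []net.IP{{10, 0, 0, 2}, {10, 0, 0, 1}, {10, 0, 0, 2}}` with the expected slices written in whichever order the function is meant to guarantee, and an input with `IPs: []net.IP{}` decides whether an empty slice should come back nil (as the implementation currently does) or empty. A `name string` field per case, used with `t.Run`, would also make a failing `t.Errorf` identify the case rather than only printing the two structs.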