Add ability to limit the maximum number of SANs

2020-03-18 23:15:44 -07:00 · 2020-03-18 23:15:44 -07:00 · 05d7922a86
commit 05d7922a86
parent 1e67d402dc
2 changed files with 9 additions and 3 deletions
--- a/factory/gen.go
+++ b/factory/gen.go
@ -81,7 +81,7 @@ func (t *TLS) AddCN(secret *v1.Secret, cn ...string) (*v1.Secret, bool, error) {
 		err error
 	)

-	if !NeedsUpdate(secret, cn...) {
+	if !NeedsUpdate(0, secret, cn...) {
 		return secret, false, nil
 	}

@ -137,7 +137,7 @@ func populateCN(secret *v1.Secret, cn ...string) *v1.Secret {
 	return secret
 }

-func NeedsUpdate(secret *v1.Secret, cn ...string) bool {
+func NeedsUpdate(maxSANs int, secret *v1.Secret, cn ...string) bool {
 	if secret == nil {
 		return true
 	}
@ -148,6 +148,9 @@ func NeedsUpdate(secret *v1.Secret, cn ...string) bool {

 	for _, cn := range cn {
 		if secret.Annotations[cnPrefix+cn] == "" {
+			if maxSANs > 0 && len(cns(secret)) >= maxSANs {
+				return false
+			}
 			return true
 		}
 	}
--- a/listener.go
+++ b/listener.go
@ -52,6 +52,7 @@ func NewListener(l net.Listener, storage TLSStorage, caCert *x509.Certificate, c
 		Listener:  l,
 		storage:   &nonNil{storage: storage},
 		sans:      config.SANs,
+		maxSANs:   config.MaxSANs,
 		tlsConfig: config.TLSConfig,
 	}
 	if dynamicListener.tlsConfig == nil {
@ -90,6 +91,7 @@ type Config struct {
 	Organization          []string
 	TLSConfig             *tls.Config
 	SANs                  []string
+	MaxSANs               int
 	ExpirationDaysCheck   int
 	CloseConnOnCertChange bool
 }
@ -108,6 +110,7 @@ type listener struct {
 	tlsConfig *tls.Config
 	cert      *tls.Certificate
 	sans      []string
+	maxSANs   int
 	init      sync.Once
 }

@ -261,7 +264,7 @@ func (l *listener) updateCert(cn ...string) error {
 		return err
 	}

-	if !factory.NeedsUpdate(secret, cn...) {
+	if !factory.NeedsUpdate(l.maxSANs, secret, cn...) {
 		return nil
 	}