Support DNS names of client cert

Signed-off-by: Yang Le <yangle@redhat.com>

pkg/clientcert/cert_controller.go

@@ -6,7 +6,6 @@ import (
 	"crypto/x509/pkix"
 	"fmt"
 	"math/rand"
-	"reflect"
 	"time"
 
 	"github.com/openshift/library-go/pkg/controller/factory"
@@ -43,7 +42,6 @@ const (
 
 	ClusterNameLabel = "open-cluster-management.io/cluster-name"
 	AddonNameLabel   = "open-cluster-management.io/addon-name"
-	SignerNameLabel  = "open-cluster-management.io/signer-name"
 )
 
 // ControllerResyncInterval is exposed so that integration tests can crank up the constroller sync speed.
@@ -56,6 +54,8 @@ type CSROption struct {
 	ObjectMeta metav1.ObjectMeta
 	// Subject represents the subject of the client certificate used to create csrs
 	Subject *pkix.Name
+	// DNSNames represents DNS names used to create the client certificate
+	DNSNames []string
 	// SignerName is the name of the signer specified in the created csrs
 	SignerName string
 
@@ -183,21 +183,6 @@ func (c *clientCertificateController) sync(ctx context.Context, syncCtx factory.
 		return nil
 	}
 
-	// add additional data into client certificate secret
-	newSecretConfig := map[string][]byte{}
-	for k, v := range secret.Data {
-		newSecretConfig[k] = v
-	}
-	for k, v := range c.AdditonalSecretData {
-		newSecretConfig[k] = v
-	}
-	if !reflect.DeepEqual(newSecretConfig, secret.Data) {
-		secret.Data = newSecretConfig
-		if err := c.saveSecret(secret); err != nil {
-			return err
-		}
-	}
-
 	// create a csr to request new client certificate if
 	// a. there is no valid client certificate issued for the current cluster/agent
 	// b. client certificate exists and has less than a random percentage range from 20% to 25% of its life remaining
@@ -296,7 +281,7 @@ func (c *clientCertificateController) createCSR(ctx context.Context) (string, er
 	if err != nil {
 		return "", fmt.Errorf("invalid private key for certificate request: %w", err)
 	}
-	csrData, err := certutil.MakeCSR(privateKey, c.Subject, nil, nil)
+	csrData, err := certutil.MakeCSR(privateKey, c.Subject, c.DNSNames, nil)
 	if err != nil {
 		return "", fmt.Errorf("unable to generate certificate request: %w", err)
 	}

pkg/clientcert/controller_test.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/x509/pkix"
 	"fmt"
-	"reflect"
 	"testing"
 	"time"
 
@@ -56,21 +55,7 @@ func TestSync(t *testing.T) {
 					t.Errorf("expected csr was created, but failed")
 				}
 
-				expectedSecret := &corev1.Secret{
-					ObjectMeta: metav1.ObjectMeta{
-						Namespace: testNamespace,
-						Name:      testSecretName,
-					},
-					Data: map[string][]byte{
-						ClusterNameFile: []byte(testinghelpers.TestManagedClusterName),
-						AgentNameFile:   []byte(testAgentName),
-					},
-				}
-				testinghelpers.AssertActions(t, agentActions, "get", "create")
-				actualSecret := agentActions[1].(clienttesting.CreateActionImpl).Object
-				if !reflect.DeepEqual(expectedSecret, actualSecret) {
-					t.Errorf("expected secret %v, but got %v", expectedSecret, actualSecret)
-				}
+				testinghelpers.AssertActions(t, agentActions, "get")
 			},
 		},
 

pkg/spoke/addon/registration_controller.go

@@ -165,6 +165,7 @@ func (c *addOnRegistrationController) startRegistration(ctx context.Context, con
 			},
 		},
 		Subject:         config.x509Subject(c.clusterName, c.agentName),
+		DNSNames:        []string{fmt.Sprintf("%s.addon.open-cluster-management.io", config.addOnName)},
 		SignerName:      config.registration.SignerName,
 		EventFilterFunc: createCSREventFilterFunc(c.clusterName, config.addOnName, config.registration.SignerName),
 	}