From ad99b65e47e8181cafb1e36f71f0ca57bc29806e Mon Sep 17 00:00:00 2001
From: Yang Le
Date: Tue, 13 Apr 2021 18:46:41 +0800
Subject: [PATCH] Support DNS names of client cert

Signed-off-by: Yang Le
---
 pkg/clientcert/cert_controller.go | 21 +++------------------
 pkg/clientcert/controller_test.go | 17 +----------------
 pkg/spoke/addon/registration_controller.go | 1 +
 3 files changed, 5 insertions(+), 34 deletions(-)

diff --git a/pkg/clientcert/cert_controller.go b/pkg/clientcert/cert_controller.go
index cad4f3ae4..f3b22d4dc 100644
--- a/pkg/clientcert/cert_controller.go
+++ b/pkg/clientcert/cert_controller.go
@@ -6,7 +6,6 @@ import (
 	"crypto/x509/pkix"
 	"fmt"
 	"math/rand"
-	"reflect"
 	"time"
 
 	"github.com/openshift/library-go/pkg/controller/factory"
@@ -43,7 +42,6 @@ const (
 	ClusterNameLabel = "open-cluster-management.io/cluster-name"
 	AddonNameLabel = "open-cluster-management.io/addon-name"
-	SignerNameLabel = "open-cluster-management.io/signer-name"
 )
 
 // ControllerResyncInterval is exposed so that integration tests can crank up the constroller sync speed.
@@ -56,6 +54,8 @@ type CSROption struct {
 	ObjectMeta metav1.ObjectMeta
 	// Subject represents the subject of the client certificate used to create csrs
 	Subject *pkix.Name
+	// DNSNames represents DNS names used to create the client certificate
+	DNSNames []string
 	// SignerName is the name of the signer specified in the created csrs
 	SignerName string
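Review bot: The doc comment on the new `DNSNames` field in CSROption does not say where the names go or who is responsible for checking them, which matters because they are request-side data that a signer may honor, ignore or reject. Since the createCSR hunk hands them to certutil.MakeCSR as the dnsSANs argument, the comment should say so and state the trust boundary, e.g. `// DNSNames are emitted as dNSName SubjectAltName entries in the CSR; whether they appear in the issued certificate is up to the signer, which must validate them.` The CSROption struct begins before this hunk.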
@@ -183,21 +183,6 @@ func (c *clientCertificateController) sync(ctx context.Context, syncCtx factory.
 		return nil
 	}
 
-	// add additional data into client certificate secret
-	newSecretConfig := map[string][]byte{}
-	for k, v := range secret.Data {
-		newSecretConfig[k] = v
-	}
-	for k, v := range c.AdditonalSecretData {
-		newSecretConfig[k] = v
-	}
-	if !reflect.DeepEqual(newSecretConfig, secret.Data) {
-		secret.Data = newSecretConfig
-		if err := c.saveSecret(secret); err != nil {
-			return err
-		}
-	}
-
 	// create a csr to request new client certificate if
 	// a. there is no valid client certificate issued for the current cluster/agent
 	// b. client certificate exists and has less than a random percentage range from 20% to 25% of its life remaining
@@ -296,7 +281,7 @@ func (c *clientCertificateController) createCSR(ctx context.Context) (string, er
 	if err != nil {
 		return "", fmt.Errorf("invalid private key for certificate request: %w", err)
 	}
-	csrData, err := certutil.MakeCSR(privateKey, c.Subject, nil, nil)
+	csrData, err := certutil.MakeCSR(privateKey, c.Subject, c.DNSNames, nil)
 	if err != nil {
 		return "", fmt.Errorf("unable to generate certificate request: %w", err)
 	}
diff --git a/pkg/clientcert/controller_test.go b/pkg/clientcert/controller_test.go
index 00fbc800a..be49ecba9 100644
--- a/pkg/clientcert/controller_test.go
+++ b/pkg/clientcert/controller_test.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/x509/pkix"
 	"fmt"
-	"reflect"
 	"testing"
 	"time"
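Review bot: Dropping the AdditonalSecretData merge from sync() means the extra keys that the old test asserted (ClusterNameFile, AgentNameFile) are no longer written to the client-certificate secret on this path, and nothing else in the diff writes them. The `c.AdditonalSecretData` field is still referenced only on removed lines here, so it is now either dead or consumed somewhere outside this diff (for example after CSR approval); please confirm which, and if it is the latter, leave a short comment at the removal point such as `// additional secret data is written when the signed certificate is stored, not here` so readers do not assume the keys were lost. sync() starts before and ends after this hunk.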
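Review bot: `c.DNSNames` is copied into the CSR without any validation, and in the addon registration path the value is composed on the spoke from the addon name, so the requested dNSName SAN is data the requesting agent controls. If the hub-side approver or signer uses that SAN to identify the addon, it must compare it against the expected identity before signing, otherwise an agent could request a client certificate whose SAN names a different addon; the diff adds no such check and it is not visible whether the existing approval logic inspects SANs. A cheap local guard against malformed input would be `for _, n := range c.DNSNames { if n == "" || len(n) > 253 { return "", fmt.Errorf("invalid DNS name %q for certificate request", n) } }` before the MakeCSR call. createCSR starts before and ends after this hunk.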
@@ -56,21 +55,7 @@ func TestSync(t *testing.T) {
 				t.Errorf("expected csr was created, but failed")
 			}
 
-			expectedSecret := &corev1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: testNamespace,
-					Name: testSecretName,
-				},
-				Data: map[string][]byte{
-					ClusterNameFile: []byte(testinghelpers.TestManagedClusterName),
-					AgentNameFile: []byte(testAgentName),
-				},
-			}
-			testinghelpers.AssertActions(t, agentActions, "get", "create")
-			actualSecret := agentActions[1].(clienttesting.CreateActionImpl).Object
-			if !reflect.DeepEqual(expectedSecret, actualSecret) {
-				t.Errorf("expected secret %v, but got %v", expectedSecret, actualSecret)
-			}
+			testinghelpers.AssertActions(t, agentActions, "get")
 		},
 	},
diff --git a/pkg/spoke/addon/registration_controller.go b/pkg/spoke/addon/registration_controller.go
index 6c087ce35..592facc24 100644
--- a/pkg/spoke/addon/registration_controller.go
+++ b/pkg/spoke/addon/registration_controller.go
@@ -165,6 +165,7 @@ func (c *addOnRegistrationController) startRegistration(ctx context.Context, con
 			},
 		},
 		Subject: config.x509Subject(c.clusterName, c.agentName),
+		DNSNames: []string{fmt.Sprintf("%s.addon.open-cluster-management.io", config.addOnName)},
 		SignerName: config.registration.SignerName,
 		EventFilterFunc: createCSREventFilterFunc(c.clusterName, config.addOnName, config.registration.SignerName),
 }
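Review bot: After this change the TestSync case only checks that a CSR was created and that the agent client saw a "get", so the new DNSNames plumbing introduced by this commit has no test coverage at all. Add a case that sets `DNSNames` on the controller under test, PEM-decodes the created CSR's request bytes, parses it with `x509.ParseCertificateRequest`, and asserts `csr.DNSNames` equals the configured list (and is empty when none are configured). The test table this case belongs to continues outside the hunk.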
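Review bot: The SAN on the new `DNSNames:` line is built by string formatting from `config.addOnName` with no check that the result is a well-formed DNS name: if addOnName is a Kubernetes object name, as the addon-name label elsewhere suggests, it may contain dots and run to 253 characters, so an addon named `a.b` produces a multi-label SAN under the suffix and a long name exceeds the 253-byte DNS limit that strict signers reject. Suggest hoisting the suffix into a constant, `const addOnDNSSuffix = ".addon.open-cluster-management.io"`, and either validating the composed name before registration (reject embedded "." and over-length results) or stating in a comment that addOnName is expected to be a single DNS label. startRegistration starts before this hunk; the CSROption literal is closed by the `}` on the hunk's last line.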