fix(crypto): validating cp endpoint for api server cert (#737)

Signed-off-by: Dario Tranchitella <dario@tranchitella.eu>
This commit is contained in:
Dario Tranchitella
2025-03-21 07:53:37 +01:00
committed by GitHub
parent 22a40409f2
commit c87d6ffc47
2 changed files with 11 additions and 4 deletions


@@ -40,10 +40,10 @@ func CheckPublicAndPrivateKeyValidity(publicKey []byte, privateKey []byte) (bool
return checkPublicKeys(pubKey, privKey), nil
}
// CheckCertificateSAN checks if the Kubernetes API Server certificate matches the SAN stored in the kubeadm:
// CheckCertificateNamesAndIPs checks if the Kubernetes API Server certificate matches the Control Plane Endpoint and SAN stored in the kubeadm:
// it must check both IPs and DNS names, and returns a false if the required entry isn't available.
// In case of removal of entries, this function returns true nevertheless to avoid reloading a Control Plane uselessly.
func CheckCertificateSAN(certificateBytes []byte, certSANs []string) (bool, error) {
func CheckCertificateNamesAndIPs(certificateBytes []byte, entries []string) (bool, error) {
crt, err := ParseCertificateBytes(certificateBytes)
if err != nil {
return false, err
@@ -56,7 +56,7 @@ func CheckCertificateSAN(certificateBytes []byte, certSANs []string) (bool, erro
dns := sets.New[string](crt.DNSNames...)
for _, e := range certSANs {
for _, e := range entries {
if ip := net.ParseIP(e); ip != nil {
if !ips.Has(ip.String()) {
return false, nil
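Review bot: Now that the ingress control-plane hostname is routed through this check, note that the DNS comparison is an exact string match against `crt.DNSNames` (the `dns` set built at the top of the second hunk), so a mixed-case or trailing-dot hostname in the ingress spec would presumably miss a lowercased SAN and trigger the reload the comment above says it wants to avoid. If the DNS branch after the `net.ParseIP` case (it starts past the end of this hunk) is a plain `dns.Has(e)`, consider normalising both sides, e.g. `strings.ToLower(strings.TrimSuffix(name, "."))`, before the lookup; wildcard SANs would still need a separate rule if they can ever be issued here. The doc comment should also say what `entries` holds: `// entries may mix IPv4/IPv6 addresses and DNS names; each must appear in the certificate's IPAddresses or DNSNames respectively.` The body of CheckCertificateNamesAndIPs continues outside this section.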


@@ -134,7 +134,14 @@ func (r *APIServerCertificate) mutate(ctx context.Context, tenantControlPlane *k
logger.Info(fmt.Sprintf("%s certificate-private_key pair is not valid: %s", kubeadmconstants.APIServerCertAndKeyBaseName, err.Error()))
}
dnsNamesMatches, dnsErr := crypto.CheckCertificateSAN(r.resource.Data[kubeadmconstants.APIServerCertName], config.InitConfiguration.APIServer.CertSANs)
commonNames := config.InitConfiguration.APIServer.CertSANs
if tenantControlPlane.Spec.ControlPlane.Ingress != nil {
address, _ := utilities.GetControlPlaneAddressAndPortFromHostname(tenantControlPlane.Spec.ControlPlane.Ingress.Hostname, 6443)
commonNames = append(commonNames, address)
}
dnsNamesMatches, dnsErr := crypto.CheckCertificateNamesAndIPs(r.resource.Data[kubeadmconstants.APIServerCertName], commonNames)
if dnsErr != nil {
logger.Info(fmt.Sprintf("%s SAN check returned an error: %s", kubeadmconstants.APIServerCertAndKeyBaseName, err.Error()))
}
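Review bot: The error log on the last line of the hunk formats `err.Error()` instead of `dnsErr.Error()`, so when the key-pair check passed (`err == nil`) but parsing the certificate failed, this branch dereferences a nil interface and panics rather than logging the actual cause; the new call site keeps that bug. Change it to `logger.Info(fmt.Sprintf("%s SAN check returned an error: %s", kubeadmconstants.APIServerCertAndKeyBaseName, dnsErr.Error()))`. On the added lines, `append(commonNames, address)` can write into the backing array of `config.InitConfiguration.APIServer.CertSANs` when it has spare capacity, so copy first (`commonNames := append([]string(nil), config.InitConfiguration.APIServer.CertSANs...)`), and `commonNames` is a misleading name for what are Subject Alternative Names, not the CN — `requiredSANs` reads better. The discarded second return of GetControlPlaneAddressAndPortFromHostname looks like the port rather than an error, but that is not visible here; `mutate` continues outside the hunk.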