

Treat IP Address as an optional parameter (#117)
* Treat IP Address as an optional parameter

* Fixed athenz-sia.env

* Removed unnecessary debug message

* Update pkg/config/config.go

Co-authored-by: t4niwa <114040262+t4niwa@users.noreply.github.com>
Signed-off-by: Tatsuya Yano <ctyano@duck.com>

---------

Signed-off-by: Tatsuya Yano <ctyano@duck.com>
Co-authored-by: Aaron Jeongwoo Kim <53258958+mlajkim@users.noreply.github.com>
Co-authored-by: t4niwa <114040262+t4niwa@users.noreply.github.com>
3 people authored Apr 16, 2024
1 parent a7e7cee commit d9f8bd2
Showing 4 changed files with 23 additions and 15 deletions.
2 changes: 1 addition & 1 deletion athenz-sia.env
Expand Up @@ -116,7 +116,7 @@ SA_TOKEN_FILE=
# POD_IP may be extracted from status.podIP in Kubernetes manifests
# Default value for binary: https://github.com/AthenZ/k8s-athenz-sia/blob/c8478297a9d228ffc0a6a1ea469ad0ef8a682dc8/pkg/config/default.go#L85
#
POD_IP=127.0.0.1
POD_IP=
#
# Kubernetes Pod UID
#
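Review bot: The comment above still points "Default value for binary" at a pinned pkg/config/default.go where POD_IP defaulted to `127.0.0.1`; this same commit changes the binary default to empty (`rawPodIP: ""`, `PodIP: nil` in default.go), so the reference now documents the old behavior. Update it to state the new semantics and drop the stale pin, e.g. `# Default value for binary: empty (when POD_IP is unset, no IP SAN is added to the CSR)` with a link to the current default.go.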
22 changes: 15 additions & 7 deletions pkg/certificate/identity.go
Expand Up @@ -381,14 +381,19 @@ func PrepareIdentityCsrOptions(idCfg *config.IdentityConfig, domain, service str
CommonName: fmt.Sprintf("%s.%s", domain, service),
}

return &util.CSROptions{
csrOptions := &util.CSROptions{
Subject: subject,
SANs: util.SubjectAlternateNames{
DNSNames: sans,
IPAddresses: []net.IP{idCfg.PodIP},
URIs: []url.URL{*spiffeURI},
DNSNames: sans,
URIs: []url.URL{*spiffeURI},
},
}, nil
}

if idCfg.PodIP != nil {
csrOptions.SANs.IPAddresses = []net.IP{idCfg.PodIP}
}

return csrOptions, nil
}

// PrepareRoleCsrOptions prepares csrOptions for an X.509 certificate
Expand Down Expand Up @@ -426,8 +431,7 @@ func PrepareRoleCsrOptions(idCfg *config.IdentityConfig, domain, service string)
roleCsrOption := util.CSROptions{
Subject: subject,
SANs: util.SubjectAlternateNames{
DNSNames: sans,
IPAddresses: []net.IP{idCfg.PodIP},
DNSNames: sans,
URIs: []url.URL{
*spiffeURI,
},
Expand All @@ -437,6 +441,10 @@ func PrepareRoleCsrOptions(idCfg *config.IdentityConfig, domain, service string)
},
}

if idCfg.PodIP != nil {
roleCsrOption.SANs.IPAddresses = []net.IP{idCfg.PodIP}
}

roleCsrOptions = append(roleCsrOptions, roleCsrOption)
}
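Review bot: The new guard `if idCfg.PodIP != nil` in PrepareRoleCsrOptions silently omits the IP SAN from every role CSR whenever POD_IP is unset, while the comment this commit deletes from config.go ("PodIP should always be non-nil to issue role certificate") said that value was required for exactly this path. If the issuing server enforces or binds on that SAN — I cannot confirm from here — role requests will now fail, or be less tightly bound to the pod, with no local hint, so the guard deserves a comment and a debug/warn log when it is skipped, e.g. `// POD_IP is optional; without it the role CSR carries no IP SAN — presumably ZTS then cannot bind the cert to this pod's address, confirm server policy`. The same guard appears verbatim in PrepareIdentityCsrOptions above; a tiny helper returning the `[]net.IP` SAN slice (nil when unset) would keep the two in step. PrepareRoleCsrOptions starts and ends outside this hunk.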

9 changes: 5 additions & 4 deletions pkg/config/config.go
Expand Up @@ -118,10 +118,11 @@ func (idCfg *IdentityConfig) loadFromENV() error {

// parse values
var err error
idCfg.PodIP = net.ParseIP(idCfg.rawPodIP)
if idCfg.PodIP == nil {
// PodIP should always be non-nil to issue role certificate
return fmt.Errorf("Invalid POD_IP [%q]", idCfg.rawPodIP)
if idCfg.rawPodIP != "" {
idCfg.PodIP = net.ParseIP(idCfg.rawPodIP)
if idCfg.PodIP == nil {
return fmt.Errorf("Invalid POD_IP [%q], %w", idCfg.rawPodIP, err)
}
}
idCfg.Refresh, err = time.ParseDuration(idCfg.rawRefresh)
if err != nil {
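Review bot: `err` is still nil when the new `fmt.Errorf("Invalid POD_IP [%q], %w", idCfg.rawPodIP, err)` runs — it was only declared as `var err error` two lines up and `net.ParseIP` returns no error — so fmt renders the `%w` operand as `%!w(<nil>)` in the message and the returned error wraps nothing. Drop the wrap: `return fmt.Errorf("Invalid POD_IP [%q]", idCfg.rawPodIP)`. A comment on the new `if idCfg.rawPodIP != ""` branch, e.g. `// POD_IP is optional; an empty value leaves PodIP nil and no IP SAN is requested`, would also preserve the intent the deleted comment used to carry. loadFromENV starts before and continues after this hunk.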
5 changes: 2 additions & 3 deletions pkg/config/default.go
Expand Up @@ -16,7 +16,6 @@ package config

import (
"fmt"
"net"
"strconv"
"time"
)
Expand Down Expand Up @@ -86,7 +85,7 @@ func DefaultIdentityConfig() *IdentityConfig {
AthenzSuffix: "",
ServiceAccount: "",
SaTokenFile: "",
PodIP: net.ParseIP("127.0.0.1"),
PodIP: nil,
PodUID: "",
PodName: "",
Reloader: nil,
Expand Down Expand Up @@ -118,7 +117,7 @@ func DefaultIdentityConfig() *IdentityConfig {
LogLevel: "INFO",

rawMode: "init",
rawPodIP: "127.0.0.1",
rawPodIP: "",
rawTargetDomainRoles: "",
rawRefresh: "24h",
rawDelayJitterSeconds: "0",

