kubeadm: remove duplicate DNS names and IP addresses from generated certificates #92753
Conversation
k8s-ci-robot
added
do-not-merge/invalid-commit-message
|
Hi @QianChenglong. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-sig
k8s-ci-robot
added
area/kubeadm
sig/api-machinery
QianChenglong
force-pushed
the
fix/kubeadm-altnames
branch
from
63c22e6
to
9c138c4
Compare
k8s-ci-robot
removed
the
do-not-merge/invalid-commit-message
QianChenglong
force-pushed
the
fix/kubeadm-altnames
branch
from
9c138c4
to
a950038
Compare
|
/kind bug |
k8s-ci-robot
added
kind/bug
| @@ -427,8 +431,13 @@ func getAltNames(cfg *kubeadmapi.InitConfiguration, certName string) (*certutil. | |||
|
|
|||
| // create AltNames with defaults DNSNames/IPs | |||
| altNames := &certutil.AltNames{ | |||
| DNSNames: []string{cfg.NodeRegistration.Name, "localhost"}, | |||
There was a problem hiding this comment.
Thanks for pointing out the error, leave it as it is.
| return | ||
| } | ||
|
|
||
| dnsNamesKeys := make(map[string]struct{}) |
There was a problem hiding this comment.
FYI: https://github.com/kubernetes/apimachinery/blob/master/pkg/util/sets
There are some utils you can consider to use.
sets.NewString(altNames.DNSNames...).List()| @@ -21,7 +21,6 @@ import ( | |||
| "crypto/x509" | |||
|
|
|||
| "github.com/pkg/errors" | |||
|
|
|||
There was a problem hiding this comment.
Why delete the blank line? We prefer to use a blank line to distinguish different import blocks.
There was a problem hiding this comment.
Sorry for bringing our programming style, I would like to ask what tool is used here to automatically control imports?
| @@ -383,6 +381,12 @@ func GetAPIServerAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames | |||
| advertiseAddress, | |||
| }, | |||
| } | |||
| // cfg.NodeRegistration.Name may use ip! | |||
There was a problem hiding this comment.
thank you for the PR,
i don't think i agree with this change and the similar one in getAltNames() . the comment that "node names can be IPs" is wrong.
the Node name is supposed to be a string "that can be used as a DNS subdomain name as defined in RFC 1123"
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
however, this function is not perfectly following RFC 1123 and it allows the strings to start with a number, which is wrong.
the node name should be a hostname, not an IP address and we should not parse it as an IP address.
if you want to add the same IP address in altNames you should do so explicitly using the extraSANs kubeadm feature.
/hold
There was a problem hiding this comment.
Thanks for pointing out the error, leave it as it is.
| @@ -427,8 +431,13 @@ func getAltNames(cfg *kubeadmapi.InitConfiguration, certName string) (*certutil. | |||
|
|
|||
| // create AltNames with defaults DNSNames/IPs | |||
| altNames := &certutil.AltNames{ | |||
| DNSNames: []string{cfg.NodeRegistration.Name, "localhost"}, | |||
| IPs: []net.IP{advertiseAddress, net.IPv4(127, 0, 0, 1), net.IPv6loopback}, | |||
There was a problem hiding this comment.
losing the above two lines is a regression.
| @@ -53,6 +53,33 @@ type AltNames struct { | |||
| IPs []net.IP | |||
| } | |||
|
|
|||
| // CleanAltNames cleans duplicate items in DNSNames and IPs. | |||
| func CleanAltNames(altNames *AltNames) { | |||
There was a problem hiding this comment.
in general i like the idea of cleaning up duplicate entries in the altNames.
but please name this function RemoveDuplicateAltNames.
also kubeadm supports wildcards such as 127.0.*.* do we care to remove 127.0.0.1 if 127.0.*.* is in the list already?
possibly not.
There was a problem hiding this comment.
RemoveDuplicateAltNames is indeed more clear.
For the time being, only the repetition of the character form is removed, and logical repetition may be necessary under observation.
k8s-ci-robot
added
the
do-not-merge/hold
QianChenglong
force-pushed
the
fix/kubeadm-altnames
branch
from
a950038
to
f57a1f9
Compare
k8s-ci-robot
added
size/S
|
/retest |
|
this looks fine to me. do we have comments by others? cc @kubernetes/sig-cluster-lifecycle-pr-reviews |
|
/retest |
|
@QianChenglong please instead of
|
k8s-ci-robot
added
release-note
ok |
k8s-ci-robot
added
the
lgtm
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: neolit123, QianChenglong The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/retitle kubeadm: remove duplicate DNS names and IP addresses from generated certificates |
k8s-ci-robot
changed the title
|
/retest |
|
/retest Review the full test history for this PR. Silence the bot with an |
2 similar comments
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/test all |
|
/retest Review the full test history for this PR. Silence the bot with an |
2 similar comments
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/retest Review the full test history for this PR. Silence the bot with an |
What type of PR is this?
/kind bug
What this PR does / why we need it:
fix duplicate altnames in cert
Which issue(s) this PR fixes:
Fixes #92751
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
Release note: