New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeadm: remove duplicate DNS names and IP addresses from generated certificates #92753
kubeadm: remove duplicate DNS names and IP addresses from generated certificates #92753
Conversation
Hi @QianChenglong. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
63c22e6
to
9c138c4
Compare
9c138c4
to
a950038
Compare
/kind bug |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @QianChenglong !
Add some comments.
@@ -427,8 +431,13 @@ func getAltNames(cfg *kubeadmapi.InitConfiguration, certName string) (*certutil. | |||
|
|||
// create AltNames with defaults DNSNames/IPs | |||
altNames := &certutil.AltNames{ | |||
DNSNames: []string{cfg.NodeRegistration.Name, "localhost"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"localhost" lost?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for pointing out the error, leave it as it is.
return | ||
} | ||
|
||
dnsNamesKeys := make(map[string]struct{}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI: https://github.com/kubernetes/apimachinery/blob/master/pkg/util/sets
There are some utils you can consider to use.
sets.NewString(altNames.DNSNames...).List()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok
@@ -21,7 +21,6 @@ import ( | |||
"crypto/x509" | |||
|
|||
"github.com/pkg/errors" | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why delete the blank line? We prefer to use a blank line to distinguish different import blocks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for bringing our programming style, I would like to ask what tool is used here to automatically control imports?
@@ -383,6 +381,12 @@ func GetAPIServerAltNames(cfg *kubeadmapi.InitConfiguration) (*certutil.AltNames | |||
advertiseAddress, | |||
}, | |||
} | |||
// cfg.NodeRegistration.Name may use ip! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you for the PR,
i don't think i agree with this change and the similar one in getAltNames() . the comment that "node names can be IPs" is wrong.
the Node name is supposed to be a string "that can be used as a DNS subdomain name as defined in RFC 1123"
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/
for _, err := range validation.IsDNS1123Subdomain(nro.Name) { |
however, this function is not perfectly following RFC 1123 and it allows the strings to start with a number, which is wrong.
the node name should be a hostname, not an IP address and we should not parse it as an IP address.
if you want to add the same IP address in altNames you should do so explicitly using the extraSANs kubeadm feature.
/hold
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for pointing out the error, leave it as it is.
@@ -427,8 +431,13 @@ func getAltNames(cfg *kubeadmapi.InitConfiguration, certName string) (*certutil. | |||
|
|||
// create AltNames with defaults DNSNames/IPs | |||
altNames := &certutil.AltNames{ | |||
DNSNames: []string{cfg.NodeRegistration.Name, "localhost"}, | |||
IPs: []net.IP{advertiseAddress, net.IPv4(127, 0, 0, 1), net.IPv6loopback}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
losing the above two lines is a regression.
@@ -53,6 +53,33 @@ type AltNames struct { | |||
IPs []net.IP | |||
} | |||
|
|||
// CleanAltNames cleans duplicate items in DNSNames and IPs. | |||
func CleanAltNames(altNames *AltNames) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in general i like the idea of cleaning up duplicate entries in the altNames.
but please name this function RemoveDuplicateAltNames
.
also kubeadm supports wildcards such as 127.0.*.*
do we care to remove 127.0.0.1
if 127.0.*.*
is in the list already?
possibly not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RemoveDuplicateAltNames is indeed more clear.
For the time being, only the repetition of the character form is removed, and logical repetition may be necessary under observation.
a950038
to
f57a1f9
Compare
/retest |
this looks fine to me. do we have comments by others? cc @kubernetes/sig-cluster-lifecycle-pr-reviews |
/retest |
@QianChenglong please instead of
|
ok |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: neolit123, QianChenglong The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Review the full test history for this PR. Silence the bot with an |
/retitle kubeadm: remove duplicate DNS names and IP addresses from generated certificates |
/retest |
/retest Review the full test history for this PR. Silence the bot with an |
2 similar comments
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/test all |
/retest Review the full test history for this PR. Silence the bot with an |
2 similar comments
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
What type of PR is this?
/kind bug
What this PR does / why we need it:
fix duplicate altnames in cert
Which issue(s) this PR fixes:
Fixes #92751
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
Release note: