Provide a list of alternate DNS names for the genSignedCert function #86

Merged


ToxicWar
Contributor

Small fix for the issue in k8s 1.19+

x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Issue related to new Go version: https://v1-19.docs.kubernetes.io/docs/setup/release/notes/

The deprecated, legacy behavior of treating the CommonName field on X.509 serving certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value x509ignoreCN=0 to the GODEBUG environment variable. (#93264, @justaugustus) [SIG API Machinery, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node, Release, Scalability, Storage and Testing]

Before:
image

After:
image

Signed-off-by: Anton Larkin <toxicwar94@yandex.ru>
@ToxicWar ToxicWar force-pushed the feature/cert-san-fix branch from 9fec293 to aa80db2 Compare February 26, 2021 11:40
@tsandall tsandall requested a review from angelbarrera92 March 1, 2021 16:14
@tsandall
Member

tsandall commented Mar 1, 2021

@angelbarrera92 can you PTAL? Thanks!

@angelbarrera92
Contributor

Yep, it looks good to me.
Reference at the helm docs: https://helm.sh/docs/chart_template_guide/function_list/#gensignedcert

@angelbarrera92 angelbarrera92 requested a review from phisco March 1, 2021 16:21
@angelbarrera92
Contributor

Maybe @phisco wants to review it too?

Contributor

@phisco phisco left a comment


LGTM

@angelbarrera92 angelbarrera92 merged commit 971b2a6 into open-policy-agent:master Mar 1, 2021
@ToxicWar ToxicWar deleted the feature/cert-san-fix branch March 2, 2021 06:40
@edify42 edify42 mentioned this pull request Mar 18, 2021