[bug]: SAN in Certificate for Service is incorrect
Describe the bug
The first SAN in svc.pem does not seem to match name of service.
To reproduce
- In the examples\WebhookOperator directory, run:
  KubeOps.Cli.exe gen operator namepassedin --out config
  kubectl kustomize config/ -o combined.yaml
- The output is as follows:
apiVersion: v1
kind: Service
metadata:
  labels:
    operator: namepassedin
  name: namepassedin-operator
  namespace: namepassedin-system
spec:
  ports:
  - name: https
    port: 443
    targetPort: https
  selector:
    operator: namepassedin
    operator-deployment: kubernetes-operator
- The certificate svc.pem, when viewed with openssl:
X509v3 Subject Alternative Name:
    DNS:namepassedin.namepassedin-system.svc, DNS:*.namepassedin-system.svc, DNS:*.svc
Expected behavior
I believe the first SAN should be namepassedin-operator.namepassedin-system.svc.
Also, I wonder if the other 2 are needed?
I think the second should cover the first, and the third may not be needed?
Screenshots
No response
Additional Context
Reproduced in: v9.1.1
Relevant Code:
https://github.com/buehler/dotnet-operator-sdk/blob/v9.1.1/src/KubeOps.Cli/Commands/Generator/OperatorGenerator.cs#L82
https://github.com/buehler/dotnet-operator-sdk/blob/v9.1.1/src/KubeOps.Operator.Web/Certificates/CertificateGenerator.cs#L143-L145
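As an added check (not code from dotnet-operator-sdk), the script below takes the SAN line and the Service name/namespace from the report above and lists which SAN entries cover the hostname the API server uses to reach the webhook Service, applying single-label wildcard matching. The .cluster.local form is included as an assumption about other in-cluster clients; the API server itself uses the .svc name.

```python
"""Check whether a webhook Service's DNS name is covered by the SANs in its certificate."""

# SAN line as printed by `openssl x509 -text`, copied from the issue report above.
SAN_LINE = "DNS:namepassedin.namepassedin-system.svc, DNS:*.namepassedin-system.svc, DNS:*.svc"


def parse_san_dns(san_line: str) -> list[str]:
    """Extract the DNS entries from an openssl-formatted SAN line."""
    names = []
    for entry in san_line.split(","):
        entry = entry.strip()
        if entry.startswith("DNS:"):
            names.append(entry[4:].lower())
    return names


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' only as the whole leftmost label, covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the entire leftmost label
    if len(p_labels) != len(h_labels):
        return False  # '*' never spans more than one label
    return p_labels[1:] == h_labels[1:]


def service_dns_names(name: str, namespace: str) -> list[str]:
    """Hostnames used for an in-cluster Service: the API server dials the .svc form;
    the .cluster.local form is assumed here for other in-cluster clients."""
    return [f"{name}.{namespace}.svc", f"{name}.{namespace}.svc.cluster.local"]


def covering_sans(san_line: str, name: str, namespace: str) -> dict[str, list[str]]:
    """For each expected service hostname, list the SAN entries that actually cover it."""
    sans = parse_san_dns(san_line)
    return {h: [s for s in sans if san_matches(s, h)] for h in service_dns_names(name, namespace)}


if __name__ == "__main__":
    # Service name and namespace taken from the generated manifest in the report.
    for host, hits in covering_sans(SAN_LINE, "namepassedin-operator", "namepassedin-system").items():
        print(f"{host}: {'covered by ' + ', '.join(hits) if hits else 'NOT covered'}")
```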
@buehler, I checked the old Bouncy Castle generator + CLI command, and it looks like this issue would have been in there too. I think there is an inconsistency between the default name in the kustomization after generation vs the one given to the certificates during generation.
Hey @ian-buse and @YC
You are correct. This is an issue with the generated SAN. However, the *.svc should actually cover the wrongly named one. Nonetheless, it is an error and should be fixed.