F5Networks / k8s-bigip-ctlr

Repository for F5 Container Ingress Services for Kubernetes & OpenShift.
Apache License 2.0

RFE: improve logs when checking certificate's SAN #3267

Closed alonsocamaro closed 7 months ago

alonsocamaro commented 8 months ago

Title

RFE: improve logs when checking certificate's SAN

Description

At present, checking of the certificate's SAN is done at DEBUG level, and ideally it should be at WARNING level.

The current behaviour is right now because it helps avoid showing these logs excessively, until we remove the unnecessary repeated checks for a given Route, i.e.:

2024/02/02 10:51:44 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert
2024/02/02 10:51:44 [DEBUG] Error: Hostname in virtualserver does not match with certificate hostname: x509: certificate is valid for nginx-app1-passthrough.xxx.f5-udf.com, not nginx-app1.xxx.f5-udf.com
2024/02/02 10:51:44 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert
2024/02/02 10:51:44 [DEBUG] Error: Hostname in virtualserver does not match with certificate hostname: x509: certificate is valid for nginx-app1-passthrough.xxx.f5-udf.com, not nginx-app1.xxx.f5-udf.com
2024/02/02 10:51:44 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert
2024/02/02 10:51:44 [DEBUG] Error: Hostname in virtualserver does not match with certificate hostname: x509: certificate is valid for nginx-app1-passthrough.xxx.f5-udf.com, not nginx-app1.xxx.f5-udf.com
2024/02/02 10:51:44 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert
2024/02/02 10:51:44 [DEBUG] Error: Hostname in virtualserver does not match with certificate hostname: x509: certificate is valid for nginx-app1-passthrough.xxx.f5-udf.com, not nginx-app1.xxx.f5-udf.com
2024/02/02 10:51:44 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert
2024/02/02 10:51:44 [DEBUG] Error: Hostname in virtualserver does not match with certificate hostname: x509: certificate is valid for nginx-app1-passthrough.xxx.f5-udf.com, not nginx-app1.xxx.f5-udf.com
2024/02/02 10:51:44 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert
2024/02/02 10:51:44 [DEBUG] Error: Hostname in virtualserver does not match with certificate hostname: x509: certificate is valid for nginx-app1-passthrough.xxx.f5-udf.com, not nginx-app1.xxx.f5-udf.com
2024/02/02 10:51:44 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert
2024/02/02 10:51:44 [DEBUG] Error: Hostname in virtualserver does not match with certificate hostname: x509: certificate is valid for nginx-app1-passthrough.xxx.f5-udf.com, not nginx-app1.xxx.f5-udf.com
2024/02/02 10:51:44 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert
2024/02/02 10:51:44 [DEBUG] Error: Hostname in virtualserver does not match with certificate hostname: x509: certificate is valid for nginx-app1-passthrough.xxx.f5-udf.com, not nginx-app1.xxx.f5-udf.com
2024/02/02 10:51:44 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert
2024/02/02 10:51:44 [DEBUG] Error: Hostname in virtualserver does not match with certificate hostname: x509: certificate is valid for nginx-app1-passthrough.xxx.f5-udf.com, not nginx-app1.xxx.f5-udf.com
2024/02/02 10:51:44 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert
2024/02/02 10:51:44 [DEBUG] Error: Hostname in virtualserver does not match with certificate hostname: x509: certificate is valid for nginx-app1-passthrough.xxx.f5-udf.com, not nginx-app1.xxx.f5-udf.com
2024/02/02 10:51:44 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert
2024/02/02 10:51:44 [DEBUG] Error: Hostname in virtualserver does not match with certificate hostname: x509: certificate is valid for nginx-app1-passthrough.xxx.f5-udf.com, not nginx-app1.xxx.f5-udf.com

This may be highlighting some unnecessary code.

alonsocamaro commented 8 months ago

Also applies to this log message:

2024/02/02 10:25:43 [DEBUG] Error: SAN is empty on the certificate. So skipping Hostname validation on cert

alonsocamaro commented 8 months ago

Please also indicate the name of the Route with the offending certificate
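
An added illustration, not part of the thread and not the controller's own code: one way to report the two findings from the logs above once per Route, at WARNING level and with the Route name. The type `sanWarner`, the helper `certFor` and the Route names are hypothetical; the hostnames are the ones from the quoted logs.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// sanWarner (hypothetical) remembers which finding was already reported for
// which Route, so repeated checks of the same Route log only once.
type sanWarner struct{ seen map[string]bool }

func newSANWarner() *sanWarner { return &sanWarner{seen: map[string]bool{}} }

// certFor builds a certificate value carrying only DNS SANs (constructed sample).
func certFor(dnsNames ...string) *x509.Certificate {
	return &x509.Certificate{DNSNames: dnsNames}
}

// Check returns the WARNING line to log for this Route, or "" when the
// certificate matches host or the same finding was already reported.
func (w *sanWarner) Check(route, host string, cert *x509.Certificate) string {
	var finding string
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		finding = "SAN is empty on the certificate, hostname validation skipped"
	} else if err := cert.VerifyHostname(host); err != nil {
		finding = "hostname does not match certificate: " + err.Error()
	} else {
		return ""
	}
	key := route + "|" + finding
	if w.seen[key] {
		return "" // already reported for this Route
	}
	w.seen[key] = true
	return fmt.Sprintf("[WARNING] Route %s: %s", route, finding)
}

func main() {
	w := newSANWarner()
	cert := certFor("nginx-app1-passthrough.xxx.f5-udf.com")
	for pass := 0; pass < 11; pass++ { // the same Routes re-checked, as in the logs
		if line := w.Check("default/nginx-app1", "nginx-app1.xxx.f5-udf.com", cert); line != "" {
			fmt.Println(line)
		}
		if line := w.Check("default/nginx-app2", "nginx-app2.xxx.f5-udf.com", certFor()); line != "" {
			fmt.Println(line)
		}
	}
}
```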

trinaths commented 8 months ago

Created [CONTCNTR-4552] for internal tracking.

vklohiya commented 7 months ago

Please verify the fix with quay.io/f5networks/k8s-bigip-ctlr-devel:c1ee5caf193f2dda22cf6eb08c44ef1616a8b22f