patrickeasters / ipa-cert-operator

Operator for managing FreeIPA-issued certs in OpenShift

Operator does not support more than 1 SAN #6

Open bjpritch opened 5 years ago

bjpritch commented 5 years ago

Either by design or bug, the current version of the operator does not support multiple SANs attached to a certificate. To replicate:

1. Create an IpaCert object with multiple SANs in the "AdditionalNames" field:

   ```yaml
   kind: IpaCert
   apiVersion: cert.patrickeasters.com/v1alpha1
   metadata:
     name: mongo-cert
   spec:
     cn: mongo1.apps.example.com
     type: host
     AdditionalNames:
     - mongo1.apps.example.com
     - mongo2.apps.example.com
     - mongo3.apps.example.com
     - mongo
     - mongo.benstest
     - mongo.benstest.svc.cluster.local
   ```

2. Review the generated certificate, and notice only 1 SAN attached:

   ```
   $ cat test.crt | base64 --decode | openssl x509 -noout -text | grep -A 2 Alternative
           X509v3 Subject Alternative Name:
               DNS:mongo1.apps.example.com
   Signature Algorithm: sha256WithRSAEncryption
   ```

I'd expect that any SANs put into the IpaCert object would appropriately get attached to the generated certificate.
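As an added example (not code from the operator or from this issue), here is a small Go check for the mismatch reported above: it parses an issued certificate and returns every name from the IpaCert spec that is absent from the certificate's Subject Alternative Name extension, which is what a reconciler or an admission test would compare before marking the cert as ready. The `IpaCertSpec` struct, the `SelfSignedWithSANs` stand-in for a FreeIPA-issued certificate and the sample names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// IpaCertSpec mirrors the two fields of the IpaCert resource used in this issue.
// Hypothetical struct for the example; it is not the operator's own type.
type IpaCertSpec struct {
	CN              string
	AdditionalNames []string
}

// ExpectedSANs returns every DNS name the issued certificate should carry:
// the CN plus each AdditionalName, de-duplicated in order of first appearance.
func ExpectedSANs(spec IpaCertSpec) []string {
	seen := map[string]bool{}
	var out []string
	for _, n := range append([]string{spec.CN}, spec.AdditionalNames...) {
		if !seen[n] {
			seen[n] = true
			out = append(out, n)
		}
	}
	return out
}

// MissingSANs parses a PEM-encoded certificate and returns the names from the
// spec that its Subject Alternative Name extension does not contain.
func MissingSANs(certPEM []byte, spec IpaCertSpec) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	present := map[string]bool{}
	for _, d := range cert.DNSNames {
		present[d] = true
	}
	var missing []string
	for _, want := range ExpectedSANs(spec) {
		if !present[want] {
			missing = append(missing, want)
		}
	}
	return missing, nil
}

// SelfSignedWithSANs builds a throwaway self-signed certificate carrying the
// given DNS SANs. It stands in for a FreeIPA-issued cert so the check runs
// offline; the operator itself obtains certificates from FreeIPA, not this way.
func SelfSignedWithSANs(cn string, sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed sample matching the IpaCert in the report.
	spec := IpaCertSpec{
		CN:              "mongo1.apps.example.com",
		AdditionalNames: []string{"mongo1.apps.example.com", "mongo2.apps.example.com", "mongo"},
	}
	// Reproduce the reported behaviour: only the CN ended up in the SAN list.
	certPEM, err := SelfSignedWithSANs(spec.CN, []string{spec.CN})
	if err != nil {
		panic(err)
	}
	missing, err := MissingSANs(certPEM, spec)
	if err != nil {
		panic(err)
	}
	fmt.Println("SANs requested but absent from the certificate:", missing)
}
```

A reconciler could run `MissingSANs` on the secret it just wrote and leave the IpaCert in a non-ready state (with the missing names in its status) rather than silently publishing a certificate that clients connecting via the other hostnames will reject.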

patrickeasters commented 5 years ago

I think the problem here stems from the fact that FreeIPA won't add a SAN unless a matching host principal exists.

I just added some logic last week to create host principals if they don't exist for the common name, but it omitted SANs. I pushed up a fix for that just now.

Try pulling down the latest changes from master. If you don't already, set the HOST_AUTO_CREATE ENV var to true (see updated config).