rancher / dynamiclistener

Apache License 2.0

Allow multiple (intermediate) CA certs #78

Closed knoppiks closed 1 year ago

knoppiks commented 1 year ago

This PR tries to enable the dynamiclistener to hand out not only the first signing certificate it finds in the CA chain.

I stumbled on this discussion while searching for the exact problem in k3s, where @brandond pointed to this repository.

Maybe it would be good to add tests, but not being a Go expert, I struggle to comprehend the tests conducted on the listener.

brandond commented 1 year ago

This looks good structurally, however I don't think we can change the call signatures of existing exported functions in order to avoid breaking users of this library. We'd probably need to modify this PR to include new functions that return []x509.Certificate, use those to load the cert, instead of simply changing the existing ones.
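
The shape suggested above, as an added example that is not dynamiclistener's own code: a new function returns every CA certificate found in the PEM bundle, while a wrapper with the old single-certificate signature keeps existing callers compiling. `ParseCACerts`, `ParseCACert` and `selfSignedPEM` are hypothetical names chosen here, and the two CA certificates are constructed in the block so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ParseCACerts returns every CERTIFICATE block in a PEM bundle, in file order, so an
// intermediate CA listed after the root is kept. Hypothetical helper, not dynamiclistener's API.
func ParseCACerts(bundle []byte) ([]*x509.Certificate, error) {
	var der []byte
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" { // private keys or other PEM blocks are skipped
			der = append(der, block.Bytes...)
		}
	}
	if len(der) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE block in bundle")
	}
	return x509.ParseCertificates(der) // concatenated DER is parsed in one call
}

// ParseCACert keeps the old single-certificate signature for existing callers; it still returns only the first cert.
func ParseCACert(bundle []byte) (*x509.Certificate, error) {
	certs, err := ParseCACerts(bundle)
	if err != nil {
		return nil, err
	}
	return certs[0], nil
}

// selfSignedPEM builds a constructed CA certificate so the example runs offline.
func selfSignedPEM(cn string, serial int64) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	certs, _ := ParseCACerts(append(selfSignedPEM("root", 1), selfSignedPEM("intermediate", 2)...))
	fmt.Println(len(certs), "CA certs parsed") // prints 2, where the single-cert path gives only the root
}
```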

knoppiks commented 1 year ago

@brandond Please have a look. I tried my best with the naming, maybe you have better suggestions.

knoppiks commented 1 year ago

Any news here? I'd really like to tackle the k3s portion of this fix.

caroline-suse-rancher commented 1 year ago

Hey @knoppiks we're in code freeze at the moment for July releases, but after that we'll be looking for one more reviewer/approver for this PR. I will bring it up with the team after freeze is lifted!

brandond commented 1 year ago

We can get it approved and merged here, and then hold off on updating anything in K3s until after the freeze is over. This repo is not subject to code freeze.