Backport of connect: strip port from DNS SANs for ingress gateway leaf cert into release/1.14.x (#15354)

This pull request was automerged via backport-assistant
2 years ago · 904aaf742d
parent a6f4893f5a
commit 904aaf742d
3 changed files with 58 additions and 1 deletions
--- a/.changelog/15320.txt
+++ b/.changelog/15320.txt
@ -0,0 +1,3 @@
+```release-note:bug
+connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider.
+```
--- a/agent/connect/csr.go
+++ b/agent/connect/csr.go
@ -12,6 +12,7 @@ import (
 	"fmt"
 	"net"
 	"net/url"
+	"strings"
 )

 // SigAlgoForKey returns the preferred x509.SignatureAlgorithm for a given key
@ -47,11 +48,28 @@ func SigAlgoForKeyType(keyType string) x509.SignatureAlgorithm {
 // along with the PEM-encoded private key for this certificate.
 func CreateCSR(uri CertURI, privateKey crypto.Signer,
 	dnsNames []string, ipAddresses []net.IP, extensions ...pkix.Extension) (string, error) {
+
+	// Drop everything after the ':' from the name when constructing the DNS SANs.
+	uniqueNames := make(map[string]struct{})
+	formattedDNSNames := make([]string, 0)
+	for _, host := range dnsNames {
+		hostSegments := strings.Split(host, ":")
+		if len(hostSegments) == 0 || hostSegments[0] == "" {
+			continue
+		}
+
+		formattedHost := hostSegments[0]
+		if _, ok := uniqueNames[formattedHost]; !ok {
+			formattedDNSNames = append(formattedDNSNames, formattedHost)
+			uniqueNames[formattedHost] = struct{}{}
+		}
+	}
+
 	template := &x509.CertificateRequest{
 		URIs:               []*url.URL{uri.URI()},
 		SignatureAlgorithm: SigAlgoForKey(privateKey),
 		ExtraExtensions:    extensions,
-		DNSNames:           dnsNames,
+		DNSNames:           formattedDNSNames,
 		IPAddresses:        ipAddresses,
 	}
 	HackSANExtensionForCSR(template)
--- a/agent/connect/csr_test.go
+++ b/agent/connect/csr_test.go
@ -0,0 +1,36 @@
+package connect
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCreateCSR_FormatDNSSANs(t *testing.T) {
+	pk, _, err := GeneratePrivateKey()
+	require.NoError(t, err)
+	spiffeID := &SpiffeIDService{
+		Host:       "7528f42f-92e5-4db4-b84c-3405c3ca91e6",
+		Service:    "srv1",
+		Datacenter: "dc1",
+	}
+	csr, err := CreateCSR(spiffeID, pk, []string{
+		"foo.example.com",
+		"foo.example.com:8080",
+		"bar.example.com",
+		"*.example.com",
+		":8080",
+		"",
+	}, nil)
+	require.NoError(t, err)
+
+	req, err := ParseCSR(csr)
+	require.NoError(t, err)
+	require.Len(t, req.URIs, 1)
+	require.Equal(t, spiffeID.URI(), req.URIs[0])
+	require.Equal(t, []string{
+		"foo.example.com",
+		"bar.example.com",
+		"*.example.com",
+	}, req.DNSNames)
+}