Merge pull request #36068 from sttts/sttts-old-self-signed-cn

Automatic merge from submit-queue

Restore old apiserver cert CN

This patch got lost during rebase of https://github.com/kubernetes/kubernetes/pull/35109:

- set `host@<unix-timestamp>` as CN in self-signed apiserver certs
- skip non-domain CN in getNamedCertificateMap

pkg/genericapiserver/BUILD

@@ -65,6 +65,7 @@ go_library(
         "//pkg/util/net:go_default_library",
         "//pkg/util/runtime:go_default_library",
         "//pkg/util/sets:go_default_library",
+        "//pkg/util/validation:go_default_library",
         "//pkg/util/wait:go_default_library",
         "//pkg/version:go_default_library",
         "//vendor:github.com/coreos/go-systemd/daemon",

pkg/genericapiserver/serve.go

@@ -22,11 +22,13 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"strings"
 	"sync"
 	"time"
 
 	certutil "k8s.io/kubernetes/pkg/util/cert"
 	utilruntime "k8s.io/kubernetes/pkg/util/runtime"
+	"k8s.io/kubernetes/pkg/util/validation"
 
 	"github.com/golang/glog"
 	"github.com/pkg/errors"
@@ -220,8 +222,9 @@ func getNamedCertificateMap(namedCertKeys []NamedCertKey) (map[string]*tls.Certi
 		if err != nil {
 			return nil, fmt.Errorf("parse error for certificate in %q: %v", nkc.CertFile, err)
 		}
-		if len(x509Cert.Subject.CommonName) > 0 {
+		cn := x509Cert.Subject.CommonName
-			tlsCertsByName[x509Cert.Subject.CommonName] = cert
+		if cn == "*" || len(validation.IsDNS1123Subdomain(strings.TrimPrefix(cn, "*."))) == 0 {
+			tlsCertsByName[cn] = cert
 		}
 		for _, san := range x509Cert.DNSNames {
 			tlsCertsByName[san] = cert

pkg/util/cert/cert.go

@@ -138,7 +138,7 @@ func GenerateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
 	template := x509.Certificate{
 		SerialNumber: big.NewInt(1),
 		Subject: pkix.Name{
-			CommonName: host,
+			CommonName: fmt.Sprintf("%s@%d", host, time.Now().Unix()),
 		},
 		NotBefore: time.Now(),
 		NotAfter:  time.Now().Add(time.Hour * 24 * 365),