Merge pull request #64718 from liztio/kubeadm-downcase-fqdn

Automatic merge from submit-queue (batch tested with PRs 63322, 64718, 64708, 64775, 64777). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kubeadm lowercases all domain names passed as additional SANs **What this PR does / why we need it**: Some domains, like ELBs, output a domain name with uppercase letters. To accept these, we lowercase all arguments passed to ----apiserver-cert-extra-sans **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes #[kubeadm/827](https://github.com/kubernetes/kubeadm/issues/827) ```release-note NONE ```
2018-06-05 14:31:09 -07:00 · 2018-06-05 14:31:09 -07:00 · 148458a6df
parent 2bb6fdc675 db52cd4cdb
commit 148458a6df
2 changed files with 62 additions and 0 deletions
--- a/cmd/kubeadm/app/util/config/masterconfig.go
+++ b/cmd/kubeadm/app/util/config/masterconfig.go
@ -20,6 +20,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net"
+	"strings"

 	"github.com/golang/glog"

@ -64,6 +65,9 @@ func SetInitDynamicDefaults(cfg *kubeadmapi.MasterConfiguration) error {
 		return err
 	}

+	// Downcase SANs. Some domain names (like ELBs) have capitals in them.
+	LowercaseSANs(cfg.APIServerCertSANs)
+
 	// Populate the .Token field with a random value if unset
 	// We do this at this layer, and not the API defaulting layer
 	// because of possible security concerns, and more practically
@ -215,3 +219,14 @@ func NormalizeKubernetesVersion(cfg *kubeadmapi.MasterConfiguration) error {
 	}
 	return nil
 }
+
+// LowercaseSANs can be used to force all SANs to be lowercase so it passes IsDNS1123Subdomain
+func LowercaseSANs(sans []string) {
+	for i, san := range sans {
+		lowercase := strings.ToLower(san)
+		if lowercase != san {
+			glog.V(1).Infof("lowercasing SAN %q to %q", san, lowercase)
+			sans[i] = lowercase
+		}
+	}
+}
--- a/cmd/kubeadm/app/util/config/masterconfig_test.go
+++ b/cmd/kubeadm/app/util/config/masterconfig_test.go
@ -176,3 +176,50 @@ func TestUpgrade(t *testing.T) {
 		t.Errorf("v1alpha1 object after unmarshal, conversion and marshal didn't match expected value.\n\tdiff: \n%s\n", diff(afterExpected, afterActual))
 	}
 }
+
+func TestLowercaseSANs(t *testing.T) {
+	tests := []struct {
+		name string
+		in   []string
+		out  []string
+	}{
+		{
+			name: "empty struct",
+		},
+		{
+			name: "already lowercase",
+			in:   []string{"example.k8s.io"},
+			out:  []string{"example.k8s.io"},
+		},
+		{
+			name: "ip addresses and uppercase",
+			in:   []string{"EXAMPLE.k8s.io", "10.100.0.1"},
+			out:  []string{"example.k8s.io", "10.100.0.1"},
+		},
+		{
+			name: "punycode and uppercase",
+			in:   []string{"xn--7gq663byk9a.xn--fiqz9s", "ANOTHEREXAMPLE.k8s.io"},
+			out:  []string{"xn--7gq663byk9a.xn--fiqz9s", "anotherexample.k8s.io"},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			cfg := &v1alpha2.MasterConfiguration{
+				APIServerCertSANs: test.in,
+			}
+
+			LowercaseSANs(cfg.APIServerCertSANs)
+
+			if len(cfg.APIServerCertSANs) != len(test.out) {
+				t.Fatalf("expected %d elements, got %d", len(test.out), len(cfg.APIServerCertSANs))
+			}
+
+			for i, expected := range test.out {
+				if cfg.APIServerCertSANs[i] != expected {
+					t.Errorf("expected element %d to be %q, got %q", i, expected, cfg.APIServerCertSANs[i])
+				}
+			}
+		})
+	}
+}