
feat: bypass hostname check
relates to #76
[skip ci]
clementnuss committed Aug 23, 2022
1 parent 1eeede6 commit de7764d
Showing 2 changed files with 4 additions and 2 deletions.
3 changes: 2 additions & 1 deletion internal/controller/csr_controller.go
Expand Up @@ -56,6 +56,7 @@ type Config struct {
BypassDNSResolution bool
IgnoreNonSystemNodeCsr bool
AllowedDNSNames int
BypassHostnameCheck bool
}

// CertificateSigningRequestReconciler reconciles a CertificateSigningRequest object
Expand All @@ -73,7 +74,7 @@ type CertificateSigningRequestReconciler struct {
// Reconcile will perform a series of checks before deciding whether the CSR should be approved or denied
// cyclomatic complexity is high (over 15), but this improves
// readibility for the programmer, therefore we ignore the linting error
//nolint: gocyclo
// nolint: gocyclo
func (r *CertificateSigningRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, returnErr error) {
l := log.FromContext(ctx)

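Review bot: The new `BypassHostnameCheck` field in the first hunk has no doc comment, and since it switches off the check that ties every SAN DNS name to the requesting node's `system:node:` username it should be documented as a security-relevant opt-out, e.g. `// BypassHostnameCheck skips the check that each SAN DNS name is prefixed by the requesting node's hostname; enabling it weakens the binding between a node CSR and the node identity, so keep it false unless the cluster's naming scheme requires it.` The diff does not show where the field is populated from a flag or config file, so confirm that the default is `false` and that the setting is logged at startup so operators can see when the bypass is active. Separately, the second hunk rewrites `//nolint: gocyclo` as `// nolint: gocyclo`; golangci-lint documents the directive as `//nolint:gocyclo` with no spaces and `nolintlint` reports the spaced form, and because this commit carries `[skip ci]` the lint result was not exercised, so it is worth verifying the directive still takes effect for the project's linter version.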
3 changes: 2 additions & 1 deletion internal/controller/regex_ip_checks.go
Expand Up @@ -15,6 +15,7 @@ import (
// DNSCheck is a function checking that the DNS name:
// complies with the provider-specific regex
// is resolvable (this check can be opted out with a parameter)
// nolint: gocyclo
func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) (valid bool, reason string, err error) {
if valid = (len(x509cr.DNSNames) <= r.AllowedDNSNames); !valid {
reason = "The x509 Cert Request contains more DNS names than allowed through the config flag"
Expand All @@ -41,7 +42,7 @@ func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr
for _, sanDNSName := range x509cr.DNSNames {
hostname := strings.TrimPrefix(csr.Spec.Username, "system:node:")

if valid = strings.HasPrefix(sanDNSName, hostname); !valid {
if valid = strings.HasPrefix(sanDNSName, hostname); !valid && !r.BypassHostnameCheck {
reason = "The SAN DNS Name in the x509 CSR is not prefixed by the node name (hostname)"
return
}
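Review bot: In the second hunk, when `BypassHostnameCheck` is set and `strings.HasPrefix` fails, the named result `valid` has already been assigned `false` and the loop simply continues, so whether the function can still return `valid == false` with no `reason` depends on code after the loop that is outside this hunk (`DNSCheck`'s body runs past it). Restructuring so the prefix test is only evaluated when the check is enabled avoids that state leak: `if !r.BypassHostnameCheck && !strings.HasPrefix(sanDNSName, hostname) {` followed by `valid = false` and the existing `reason` assignment. Because the bypass removes a check that binds SAN names to the node identity carried in `csr.Spec.Username`, consider also emitting a log line when a mismatch is skipped so the relaxation is visible in the controller's logs rather than silent. `hostname` is loop-invariant and could be computed once before the `for` loop.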
