salt: Make check of the CN optional

We now only check the CN in the kubeconfig certificate if the `expected_cn` is not None. This is needed in order to avoid checking the CN in the kubeconfig beacon which will rely on this method. Refs: #1887
scality · Dec 15, 2020 · 7f2e67a · 7f2e67a
1 parent a28a5f6
commit 7f2e67a
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/salt/_modules/metalk8s_kubeconfig.py b/salt/_modules/metalk8s_kubeconfig.py
@@ -17,7 +17,7 @@ def __virtual__():
 def validate(filename,
              expected_ca_data,
              expected_api_server,
-             expected_cn,
+             expected_cn=None,
              days_remaining=90):
     """Validate a kubeconfig filename.
 
@@ -77,13 +77,14 @@ def validate(filename,
     client_cert_detail = __salt__['x509.read_certificate'](client_cert)
 
     # Verify client cn
-    try:
-        current_cn = client_cert_detail['Subject']['CN']
-    except KeyError:
-        return False
-    else:
-        if current_cn != expected_cn:
+    if expected_cn is not None:
+        try:
+            current_cn = client_cert_detail['Subject']['CN']
+        except KeyError:
             return False
+        else:
+            if current_cn != expected_cn:
+                return False
 
     # Verify client client cert expiration date is > 30days
     try: