diff --git a/README.md b/README.md
index e9582c73a..c384631f5 100644
--- a/README.md
+++ b/README.md
@@ -131,7 +131,7 @@ spec:
   issuerRef:
     name: letsencrypt-staging
   # A list of domains to include on the TLS certificate
-  domains:
+  dnsNames:
   - example.com
   - www.example.com
   - example2.com
diff --git a/docs/examples/acme-cert.yaml b/docs/examples/acme-cert.yaml
index a3af64d7a..02d582ae4 100644
--- a/docs/examples/acme-cert.yaml
+++ b/docs/examples/acme-cert.yaml
@@ -8,7 +8,7 @@ spec:
   secretName: cm-http-nginx-k8s-group
   issuerRef:
     name: letsencrypt-staging
-  domains:
+  dnsNames:
   - cm-http-nginx.k8s.group
   - cm-http-nginx2.k8s.group
   - cm-http-gce.k8s.group
diff --git a/docs/examples/ca-cert.yaml b/docs/examples/ca-cert.yaml
index a6fd9c8a6..e3a0de77b 100644
--- a/docs/examples/ca-cert.yaml
+++ b/docs/examples/ca-cert.yaml
@@ -11,5 +11,5 @@ spec:
     # We can reference ClusterIssuers by changing the kind here.
     # The default value is Issuer (i.e. a locally namespaced Issuer)
     kind: Issuer
-  domains:
+  dnsNames:
   - cert-manager.k8s.io
diff --git a/pkg/apis/certmanager/v1alpha1/types.go b/pkg/apis/certmanager/v1alpha1/types.go
index c1f02aa9e..f776e1eb9 100644
--- a/pkg/apis/certmanager/v1alpha1/types.go
+++ b/pkg/apis/certmanager/v1alpha1/types.go
@@ -224,8 +224,8 @@ type CertificateList struct {
 type CertificateSpec struct {
 	// CommonName is a common name to be used on the Certificate
 	CommonName string `json:"commonName"`
-	// AltNames is a list of subject alt names to be used on the Certificate
-	AltNames []string `json:"altNames"`
+	// DNSNames is a list of subject alt names to be used on the Certificate
+	DNSNames []string `json:"dnsNames"`
 	// SecretName is the name of the secret resource to store this secret in
 	SecretName string `json:"secretName"`
 	// IssuerRef is a reference to the issuer for this certificate. If the
diff --git a/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go
index 538edd9f6..a3473a8ec 100644
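Review bot: The JSON tag in the types.go hunk changes from `altNames` to `dnsNames` with no fallback, so any Certificate object already stored under the old key decodes with an empty DNSNames and is treated as having no subject alternative names; combined with the DNSNames comparison in pkg/controller/certificates/sync.go this likely re-issues such certificates without their SANs on the next sync. If resources created before this change can exist in a cluster, keep accepting the old key during a transition (a deprecated field still tagged altNames that Sync folds into DNSNames) or state in the comment that existing objects must be migrated. The field comment should also say what the list becomes on the issued certificate: `// DNSNames is a list of DNS subjectAltNames to be set on the Certificate`.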
--- a/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/certmanager/v1alpha1/zz_generated.deepcopy.go
@@ -557,8 +557,8 @@ func (in *CertificateList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CertificateSpec) DeepCopyInto(out *CertificateSpec) {
 	*out = *in
-	if in.AltNames != nil {
-		in, out := &in.AltNames, &out.AltNames
+	if in.DNSNames != nil {
+		in, out := &in.DNSNames, &out.DNSNames
 		*out = make([]string, len(*in))
 		copy(*out, *in)
 	}
diff --git a/pkg/controller/certificates/sync.go b/pkg/controller/certificates/sync.go
index 45a4e1045..49a099667 100644
--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@@ -119,9 +119,15 @@ func (c *Controller) Sync(ctx context.Context, crt *v1alpha1.Certificate) (err e
 		return c.issue(ctx, i, crt)
 	}
 
+	expectedCN := crt.Spec.CommonName
+	if len(expectedCN) == 0 {
+		if len(crt.Spec.DNSNames) > 0 {
+			expectedCN = crt.Spec.DNSNames[0]
+		}
+	}
 	// if the certificate is valid for a list of domains other than those
 	// listed in the certificate spec, we should re-issue the certificate
-	if !util.EqualUnsorted(crt.Spec.AltNames, cert.DNSNames) {
+	if expectedCN != cert.Subject.CommonName || !util.EqualUnsorted(crt.Spec.DNSNames, cert.DNSNames) {
 		return c.issue(ctx, i, crt)
 	}
 
diff --git a/pkg/issuer/acme/issue.go b/pkg/issuer/acme/issue.go
index 0a9292afa..82788f5a9 100644
--- a/pkg/issuer/acme/issue.go
+++ b/pkg/issuer/acme/issue.go
@@ -28,7 +28,7 @@ const (
 
 func (a *Acme) obtainCertificate(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, error) {
 	commonName := crt.Spec.CommonName
-	altNames := crt.Spec.AltNames
+	altNames := crt.Spec.DNSNames
 	if len(commonName) == 0 && len(altNames) == 0 {
 		return nil, nil, fmt.Errorf("no domains specified on certificate")
 	}
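Review bot: In the sync.go hunk the expected common name is derived locally (CommonName, else DNSNames[0]) while nothing in this diff shows the ACME or CA issuer applying the same rule when it builds the subject; if an issuer fills the CN differently for the same spec, `expectedCN != cert.Subject.CommonName` holds on every pass and Sync re-issues each time, which against an ACME endpoint can exhaust the issuance rate limit. Put the derivation in one shared helper that both Sync and the issuers' obtainCertificate call, so the comparison and the issuance cannot drift. The nested ifs collapse to `if expectedCN == "" && len(crt.Spec.DNSNames) > 0 { expectedCN = crt.Spec.DNSNames[0] }`, and the comment above the condition still describes only the domain-list case; extend it with `// ... or carries a different common name than the spec implies, we should re-issue`. Sync begins and ends outside the hunk.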
diff --git a/pkg/issuer/acme/prepare.go b/pkg/issuer/acme/prepare.go
index 055a8d03b..54589f8f2 100644
--- a/pkg/issuer/acme/prepare.go
+++ b/pkg/issuer/acme/prepare.go
@@ -217,7 +217,7 @@ func authorizationsToObtain(ctx context.Context, cl *acme.Client, crt v1alpha1.C
 			return false, nil
 		}
 		return checkAuthorization(ctx, cl, auth.URI)
-	}, append(crt.Spec.AltNames, crt.Spec.CommonName)...)
+	}, append(crt.Spec.DNSNames, crt.Spec.CommonName)...)
 
 	domains := make([]string, len(toAuthorize))
 	for i, v := range toAuthorize {
diff --git a/pkg/issuer/ca/issue.go b/pkg/issuer/ca/issue.go
index 282859720..07e82d876 100644
--- a/pkg/issuer/ca/issue.go
+++ b/pkg/issuer/ca/issue.go
@@ -65,7 +65,7 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (v1alpha1.Cer
 
 func (c *CA) obtainCertificate(crt *v1alpha1.Certificate, signeeKey interface{}) ([]byte, error) {
 	commonName := crt.Spec.CommonName
-	altNames := crt.Spec.AltNames
+	altNames := crt.Spec.DNSNames
 	if len(commonName) == 0 && len(altNames) == 0 {
 		return nil, fmt.Errorf("no domains specified on certificate")
 	}
@@ -121,7 +121,7 @@ func createCertificateTemplate(publicKey interface{}, commonName string, altName
 // publicKey is the public key of the signee, and signerKey is the private
 // key of the signer.
 func signCertificate(crt *v1alpha1.Certificate, issuerCert *x509.Certificate, publicKey interface{}, signerKey interface{}) ([]byte, *x509.Certificate, error) {
-	template, err := createCertificateTemplate(publicKey, crt.Spec.CommonName, crt.Spec.AltNames...)
+	template, err := createCertificateTemplate(publicKey, crt.Spec.CommonName, crt.Spec.DNSNames...)
 	if err != nil {
 		return nil, nil, fmt.Errorf("error creating x509 certificate template: %s", err.Error())
 	}
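Review bot: `append(crt.Spec.DNSNames, crt.Spec.CommonName)` in the prepare.go hunk appends into the spec's own slice; when its backing array has spare capacity the CommonName is written into the Certificate object itself, which is shared with whoever else holds that object (an informer cache, if that is where crt comes from). Build a detached slice instead: `append(append([]string(nil), crt.Spec.DNSNames...), crt.Spec.CommonName)`. The issuers' obtainCertificate (visible in the acme/issue.go and ca/issue.go hunks) accepts an empty CommonName when DNSNames is non-empty, so an empty-string domain can reach the authorization lookup here; skip the CommonName when it is empty. authorizationsToObtain begins and ends outside the hunk.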