Use CommonName and AltNames fields on Certificate resource

2017-10-13 12:31:18 +01:00 · 2017-10-13 12:31:18 +01:00 · f8107e6fcc
commit f8107e6fcc
parent 37e53bdd4b
6 changed files with 19 additions and 16 deletions
--- a/pkg/apis/certmanager/v1alpha1/types.go
+++ b/pkg/apis/certmanager/v1alpha1/types.go
@ -222,9 +222,11 @@ type CertificateList struct {

 // CertificateSpec defines the desired state of Certificate
 type CertificateSpec struct {
-	// Domains is a list of domains to obtain a certificate for
-	Domains []string `json:"domains"`
-	// Secret is the name of the secret resource to store this secret in
+	// CommonName is a common name to be used on the Certificate
+	CommonName string `json:"commonName"`
+	// AltNames is a list of subject alt names to be used on the Certificate
+	AltNames []string `json:"altNames"`
+	// SecretName is the name of the secret resource to store this secret in
 	SecretName string `json:"secretName"`
 	// IssuerRef is a reference to the issuer for this certificate. If the
 	// namespace field is not set, it is assumed to be in the same namespace
--- a/pkg/controller/certificates/sync.go
+++ b/pkg/controller/certificates/sync.go
@ -121,7 +121,7 @@ func (c *Controller) Sync(ctx context.Context, crt *v1alpha1.Certificate) (err e

 	// if the certificate is valid for a list of domains other than those
 	// listed in the certificate spec, we should re-issue the certificate
-	if !util.EqualUnsorted(crt.Spec.Domains, cert.DNSNames) {
+	if !util.EqualUnsorted(crt.Spec.AltNames, cert.DNSNames) {
 		return c.issue(ctx, i, crt)
 	}

--- a/pkg/issuer/acme/issue.go
+++ b/pkg/issuer/acme/issue.go
@ -7,8 +7,8 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
-	"log"

+	"github.com/golang/glog"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"

 	"github.com/jetstack-experimental/cert-manager/pkg/apis/certmanager/v1alpha1"
@ -27,9 +27,10 @@ const (
 )

 func (a *Acme) obtainCertificate(ctx context.Context, crt *v1alpha1.Certificate) ([]byte, []byte, error) {
-	domains := crt.Spec.Domains
-	if len(domains) == 0 {
-		return nil, nil, fmt.Errorf("no domains specified")
+	commonName := crt.Spec.CommonName
+	altNames := crt.Spec.AltNames
+	if len(commonName) == 0 || len(altNames) == 0 {
+		return nil, nil, fmt.Errorf("no domains specified on certificate")
 	}

 	cl, err := a.acmeClient()
@ -50,7 +51,7 @@ func (a *Acme) obtainCertificate(ctx context.Context, crt *v1alpha1.Certificate)
 	}

 	// generate a csr
-	template := pki.GenerateCSR(domains)
+	template := pki.GenerateCSR(commonName, altNames...)
 	csr, err := x509.CreateCertificateRequest(rand.Reader, template, key)
 	if err != nil {
 		return nil, nil, fmt.Errorf("error creating certificate request: %s", err)
@ -72,8 +73,8 @@ func (a *Acme) obtainCertificate(ctx context.Context, crt *v1alpha1.Certificate)
 	for _, cert := range certSlice {
 		pem.Encode(certBuffer, &pem.Block{Type: "CERTIFICATE", Bytes: cert})
 	}
-	log.Printf("successfully got certificate: domains=%+v url=%s", domains, certURL)

+	glog.V(2).Infof("successfully got certificate: cn=%q altNames=%+v url=%q", commonName, altNames, certURL)
 	// encode the private key and return
 	return pki.EncodePKCS1PrivateKey(key), certBuffer.Bytes(), nil
 }
--- a/pkg/issuer/acme/prepare.go
+++ b/pkg/issuer/acme/prepare.go
@ -217,7 +217,7 @@ func authorizationsToObtain(ctx context.Context, cl *acme.Client, crt v1alpha1.C
 			return false, nil
 		}
 		return checkAuthorization(ctx, cl, auth.URI)
-	}, crt.Spec.Domains...)
+	}, append(crt.Spec.AltNames, crt.Spec.CommonName)...)

 	domains := make([]string, len(toAuthorize))
 	for i, v := range toAuthorize {
--- a/pkg/issuer/ca/issue.go
+++ b/pkg/issuer/ca/issue.go
@ -100,13 +100,13 @@ func createCertificateTemplate(crt *v1alpha1.Certificate, publicKey interface{})
 		PublicKey:             publicKey,
 		Subject: pkix.Name{
 			Organization: []string{defaultOrganization},
-			CommonName:   crt.Spec.Domains[0],
+			CommonName:   crt.Spec.CommonName,
 		},
 		NotBefore: time.Now(),
 		NotAfter:  time.Now().Add(certificateDuration),
 		// see http://golang.org/pkg/crypto/x509/#KeyUsage
 		KeyUsage: x509.KeyUsageDigitalSignature,
-		DNSNames: crt.Spec.Domains,
+		DNSNames: crt.Spec.AltNames,
 	}
 	return cert, nil
 }
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@ -5,12 +5,12 @@ import (
 	"crypto/x509/pkix"
 )

-func GenerateCSR(domains []string) *x509.CertificateRequest {
+func GenerateCSR(commonName string, altNames ...string) *x509.CertificateRequest {
 	template := x509.CertificateRequest{
 		Subject: pkix.Name{
-			CommonName: domains[0],
+			CommonName: commonName,
 		},
-		DNSNames: domains,
+		DNSNames: altNames,
 	}
 	return &template
 }