Limit CommonName in Certificate to 64 bytes (#641)

* Don't try to create certificates with CN>64bytes These are rejected by certmanager as they are not allowed in the spec * Add unit tests
application-stacks · Jul 11, 2024 · f7c2247 · f7c2247
1 parent 5bf3499
commit f7c2247
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 1 deletion.
diff --git a/utils/reconciler.go b/utils/reconciler.go
@@ -571,7 +571,7 @@ func (r *ReconcilerBase) GenerateSvcCertSecret(ba common.BaseComponent, prefix s
 				}
 			}
 
-			svcCert.Spec.CommonName = bao.GetName() + "." + bao.GetNamespace() + ".svc"
+			svcCert.Spec.CommonName = trimCommonName(bao.GetName(), bao.GetNamespace())
 			svcCert.Spec.DNSNames = make([]string, 2)
 			svcCert.Spec.DNSNames[0] = bao.GetName() + "." + bao.GetNamespace() + ".svc"
 			svcCert.Spec.DNSNames[1] = bao.GetName() + "." + bao.GetNamespace() + ".svc.cluster.local"
@@ -655,3 +655,24 @@ func (r *ReconcilerBase) GetIngressInfo(ba common.BaseComponent) (host string, p
 	}
 	return host, path, protocol
 }
+
+// Create a common name for a certificate that is no longer
+// that 64 bytes
+func trimCommonName(compName string, ns string) (cn string) {
+
+	commonName := compName + "." + ns + ".svc"
+	if len(commonName) > 64 {
+		// Try removing '.svc'
+		commonName = compName + "." + ns
+	}
+	if len(commonName) > 64 {
+		// Try removing the namespace
+		commonName = compName
+	}
+	if len(commonName) > 64 {
+		// Just have to truncate
+		commonName = commonName[:64]
+	}
+
+	return commonName
+}
diff --git a/utils/reconciler_test.go b/utils/reconciler_test.go
@@ -496,6 +496,18 @@ func TestAddStatusWarnings(t *testing.T) {
 	verifyTests(testData, t)
 }
 
+func TestTrimCommonName(t *testing.T) {
+	//cn := trimCommonName("my-app", "my-ns")
+	testData := []Test{
+		{"common name should not have been trimmed", "my-app.my-ns.svc", trimCommonName("my-app", "my-ns")},
+		{"common name should have svc trimmed.", "123456789-123456789-123456789-123456789-123456789-123456.my-ns", trimCommonName("123456789-123456789-123456789-123456789-123456789-123456", "my-ns")},
+		{"common name should have svc and ns trimmed.", "123456789-123456789-123456789-123456789-123456789-123456789-", trimCommonName("123456789-123456789-123456789-123456789-123456789-123456789-", "my-ns")},
+		{"common name should be truncated.", "123456789-123456789-123456789-123456789-123456789-123456789-1234", trimCommonName("123456789-123456789-123456789-123456789-123456789-123456789-1234-all-of-this-should-go", "my-ns")},
+	}
+	verifyTests(testData, t)
+
+}
+
 func createFakeDiscoveryClient() discovery.DiscoveryInterface {
 	fakeDiscoveryClient := &fakediscovery.FakeDiscovery{Fake: &coretesting.Fake{}}
 	fakeDiscoveryClient.Resources = []*metav1.APIResourceList{