[TLS] Don't set commonName and only use subjectAltNames

commonName has a max length of 64 chars, which easy can be reached in route DNS names scheme. From [1] ~~~ On the technical side, the SAN extension was introduced to integrate the common name. Since HTTPS was first introduced in 2000 (and defined by the RFC 2818), the use of the commonName field has been considered deprecated, because it’s ambiguous and untyped. ~~~ Lets not set the commonName an just use the subjectAltNames for our certs. [1] https://support.dnsimple.com/articles/what-is-common-name/#common-name-vs-subject-alternative-name
stuggi · Oct 23, 2023 · 3938706 · 3938706
1 parent f3aa3d0
commit 3938706
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 5 deletions.
diff --git a/modules/certmanager/certificate.go b/modules/certmanager/certificate.go
@@ -57,9 +57,7 @@ func NewCertificate(
 // minimal spec should be:
 // Spec:
 //
-//	commonName: keystone-public-openstack.apps-crc.testing
 //	dnsNames:
-//	- keystone-public-openstack
 //	- keystone-public-openstack.apps-crc.testing
 //	issuerRef:
 //	   kind: Issuer
@@ -166,8 +164,7 @@ func EnsureCert(
 		namespace,
 		labels,
 		certmgrv1.CertificateSpec{
-			CommonName: hostnames[0],
-			DNSNames:   hostnames,
+			DNSNames: hostnames,
 			Duration: &metav1.Duration{
 				Duration: *duration,
 			},

diff --git a/modules/certmanager/issuer.go b/modules/certmanager/issuer.go
@@ -127,7 +127,7 @@ func (i *Issuer) CreateOrPatch(
 		return ctrl.Result{}, err
 	}
 	if op != controllerutil.OperationResultNone {
-		h.GetLogger().Info(fmt.Sprintf("Route %s - %s", issuer.Name, op))
+		h.GetLogger().Info(fmt.Sprintf("Issuer %s - %s", issuer.Name, op))
 	}
 
 	return ctrl.Result{}, nil