[nova] use short service name for CommonName vencrypt cert

The CommonName has a max length of 64 bytes. From https://docs.openstack.org/nova/latest/admin/remote-console-access.html#vnc-proxy-security ~~~ An x509 certificate to be presented to the VNC server. While libvirt/QEMU will not currently do any validation of the CommonName field, future versions will allow for setting up access controls based on the CommonName. The CommonName field should match the primary hostname of the controller node. ~~~ Related: https://issues.redhat.com/browse/OSPRH-8652 Signed-off-by: Martin Schuppert <[email protected]>
stuggi · Jul 15, 2024 · c4e9617 · c4e9617
1 parent 65c922a
commit c4e9617
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/pkg/openstack/nova.go b/pkg/openstack/nova.go
@@ -270,10 +270,15 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 				// create novncproxy vencrypt cert
 				if instance.Spec.TLS.PodLevel.Enabled {
 					serviceName := endpointDetails.EndpointDetails[service.EndpointPublic].Service.Spec.Name
+					hostname := fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace)
 					certRequest := certmanager.CertificateRequest{
 						IssuerName: instance.GetLibvirtIssuer(),
 						CertName:   nova.Name + "-novncproxy-" + cellName + "-vencrypt",
-						CommonName: ptr.To(fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace)),
+						CommonName: ptr.To(serviceName),
+						Hostnames: []string{
+							hostname,
+							fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain),
+						},
 						Subject: &certmgrv1.X509Subject{
 							Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, ClusterInternalDomain)},
 						},