From c4e961743bbb31472b2b79bb6a752119b197a07e Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Mon, 15 Jul 2024 16:56:12 +0200
Subject: [PATCH] [nova] use short service name for CommonName vencrypt cert
The CommonName has a max length of 64 bytes. From https://docs.openstack.org/nova/latest/admin/remote-console-access.html#vnc-proxy-security
~~~
An x509 certificate to be presented to the VNC server. While libvirt/QEMU will not currently do any validation of the CommonName field, future versions will allow for setting up access controls based on the CommonName. The CommonName field should match the primary hostname of the controller node.
~~~
Related: https://issues.redhat.com/browse/OSPRH-8652
Signed-off-by: Martin Schuppert
---
 pkg/openstack/nova.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkg/openstack/nova.go b/pkg/openstack/nova.go
index ca2e561e7..4a3283abc 100644
--- a/pkg/openstack/nova.go
+++ b/pkg/openstack/nova.go
@@ -270,10 +270,15 @@ func ReconcileNova(ctx context.Context, instance *corev1beta1.OpenStackControlPl
 // create novncproxy vencrypt cert
 if instance.Spec.TLS.PodLevel.Enabled {
 serviceName := endpointDetails.EndpointDetails[service.EndpointPublic].Service.Spec.Name
+ hostname := fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace)
 certRequest := certmanager.CertificateRequest{
 IssuerName: instance.GetLibvirtIssuer(),
 CertName: nova.Name + "-novncproxy-" + cellName + "-vencrypt",
- CommonName: ptr.To(fmt.Sprintf("%s.%s.svc", serviceName, instance.Namespace)),
+ CommonName: ptr.To(serviceName),
+ Hostnames: []string{
+ hostname,
+ fmt.Sprintf("%s.%s", hostname, ClusterInternalDomain),
+ },
 Subject: &certmgrv1.X509Subject{
 Organizations: []string{fmt.Sprintf("%s.%s", instance.Namespace, ClusterInternalDomain)},
 },
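Review bot: The new `CommonName: ptr.To(serviceName)` line carries no explanation of why the bare service name is used, so a later reader following the nova docs quoted in the commit message is likely to "fix" it back to the `.svc` FQDN and reintroduce the length failure; add a comment above it, `// CommonName is capped at 64 bytes (RFC 5280 ub-common-name); keep the bare service name here and put the DNS names into Hostnames (SANs), which is what TLS clients actually verify.` The fit is only as safe as the Service name length: Kubernetes Service names are DNS labels of at most 63 characters, so serviceName should not overflow, but that bound is implicit here and worth stating in the same comment. Once libvirt/QEMU start enforcing access control on the CommonName, as the linked doc anticipates, the value expected on the compute side must be this short service name rather than the `.svc` form, so the rationale belongs next to the code and not only in the commit message. ReconcileNova starts before and continues after this hunk.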