Skip to content

🐛 Fix testing kube-apiserver serving certificate using wrong SANs #3284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 18, 2025
Merged

🐛 Fix testing kube-apiserver serving certificate using wrong SANs #3284

merged 2 commits into from
Aug 18, 2025

Conversation

solidDoWant
Copy link
Contributor

When configuring the kube-apiserver for a test by setting a serving address, the certificate generated for the API server does not include the serving value. In other words, if a test environment is configured like this:

testEnv = &envtest.Environment{
	ControlPlane: envtest.ControlPlane{
		APIServer: &envtest.APIServer{
			SecureServing: envtest.SecureServing{
				ListenAddr: envtest.ListenAddr{
					Address: myTestAddress,
					Port:    strconv.Itoa(6443),
				},
			},
		},
	},
}

Then when testEnv.Start() is called, the healthcheck will fail because the produced apiserver.crt serving certificate is only valid for localhost, and addresses that localhost resolves to.

This fixes the issue by providing the SecureServing and InsecureServing listening address to the cert generator function.

@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Aug 18, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Aug 18, 2025
@k8s-ci-robot
Copy link
Contributor

Welcome @solidDoWant!

It looks like this is your first PR to kubernetes-sigs/controller-runtime 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/controller-runtime has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 18, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @solidDoWant. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Aug 18, 2025
@sbueringer
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 18, 2025
sbueringer
sbueringer reviewed Aug 18, 2025
View reviewed changes
sbueringer
sbueringer reviewed Aug 18, 2025
View reviewed changes
@solidDoWant
Address PR feedback
24176f6 
Signed-off-by: solidDoWant <[email protected]>
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 18, 2025
@solidDoWant solidDoWant requested a review from sbueringer August 18, 2025 16:41
@sbueringer sbueringer added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Aug 18, 2025
@sbueringer
Copy link
Member

Thx!

/lgtm
/assign @alvaroaleman

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 18, 2025
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: e82d5ffa6cb6e3300e28cb0b08b6122a7ba1e5ae

alvaroaleman
alvaroaleman reviewed Aug 18, 2025
View reviewed changes
pkg/internal/testing/controlplane/apiserver_test.go
It("should have the host in the certificate altnames", func() {
cert := getCertificate()

Expect(cert.Subject.CommonName).To(Equal("localhost"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might be missing it, but where do we test that there is actually a SAN injected? The tests here all seem to only check for localhost being there

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The following two Expect statements verify that the DNS SAN extension contains localhost, and that the IP SAN extension contains 127.0.0.1 and 1.2.3.4.

There isn't really an easy way to verify that the DNS SAN extension will contain an additional entry if SecureServing.Address is a hostname instead of an IP address. This is because the current logic (that is outside the scope of this PR) for determining SAN extension values depends on the test host's DNS resolver. If I were to add say example.com, then the underlying business logic would perform a DNS lookup for example.com, who's value would be host-dependent. The localhost value only works here because localhost typically resolves to 127.0.0.1 via the hosts file.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alvaroaleman, solidDoWant

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 18, 2025
@k8s-ci-robot k8s-ci-robot merged commit 28871a1 into kubernetes-sigs:main Aug 18, 2025
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alvaroaleman alvaroaleman alvaroaleman approved these changes

@joelanford joelanford Awaiting requested review from joelanford

@sbueringer sbueringer Awaiting requested review from sbueringer

Assignees

@sbueringer sbueringer

@alvaroaleman alvaroaleman

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@solidDoWant @k8s-ci-robot @sbueringer @alvaroaleman