Skip to content

🐛 Fix testing kube-apiserver serving certificate using wrong SANs #3284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Aug 18, 2025
+71 −1
Merged

🐛 Fix testing kube-apiserver serving certificate using wrong SANs #3284

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9d597fd
Fix testing kube-apiserver serving certificate using wrong SANs
solidDoWant Aug 18, 2025
24176f6
Address PR feedback
solidDoWant Aug 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion pkg/internal/testing/controlplane/apiserver.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -374,7 +374,12 @@ func (s *APIServer) populateAPIServerCerts() error {
return err
}

servingCerts, err := ca.NewServingCert()
servingAddresses := []string{"localhost", s.SecureServing.ListenAddr.Address}
if s.InsecureServing != nil {
servingAddresses = append(servingAddresses, s.InsecureServing.Address)
}

servingCerts, err := ca.NewServingCert(servingAddresses...)
if err != nil {
return err
}
Expand Down
100 changes: 100 additions & 0 deletions pkg/internal/testing/controlplane/apiserver_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,13 @@ limitations under the License.
package controlplane_test

import (
"crypto/x509"
"encoding/pem"
"errors"
"net"
"net/url"
"os"
"path"

. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
Expand Down Expand Up @@ -191,6 +196,101 @@ var _ = Describe("APIServer", func() {
})
})

// These tests assume that 'localhost' resolves to 127.0.0.1. It can resolve
// to other addresses as well (e.g. ::1 on IPv6), but it must always resolve
// to 127.0.0.1.
Describe(("generated certificates"), func() {
getCertificate := func() *x509.Certificate {
// Read the cert file
certFile := path.Join(server.CertDir, "apiserver.crt")
certBytes, err := os.ReadFile(certFile)
Expect(err).NotTo(HaveOccurred(), "should be able to read the cert file")

// Decode and parse it
block, remainder := pem.Decode(certBytes)
Expect(block).NotTo(BeNil(), "should be able to decode the cert file")
Expect(remainder).To(BeEmpty(), "should not have any extra data in the cert file")
Expect(block.Type).To(Equal("CERTIFICATE"), "should be a certificate block")

cert, err := x509.ParseCertificate(block.Bytes)
Expect(err).NotTo(HaveOccurred(), "should be able to parse the cert file")

return cert
}

Context("when SecureServing host & port are set", func() {
BeforeEach(func() {
server.SecureServing = SecureServing{
ListenAddr: process.ListenAddr{
Address: "1.2.3.4",
Port: "5678",
},
}
})

It("should have the host in the certificate altnames", func() {
cert := getCertificate()

Expect(cert.Subject.CommonName).To(Equal("localhost"))
Expect(cert.DNSNames).To(ConsistOf("localhost"))
expectedIPAddresses := []net.IP{
net.ParseIP("127.0.0.1").To4(),
net.ParseIP(server.SecureServing.ListenAddr.Address).To4(),
}
Expect(cert.IPAddresses).To(ContainElements(expectedIPAddresses))
})
})

Context("when InsecureServing host & port are set", func() {
BeforeEach(func() {
server.InsecureServing = &process.ListenAddr{
Address: "1.2.3.4",
Port: "5678",
}
})

It("should have the host in the certificate altnames", func() {
cert := getCertificate()

Expect(cert.Subject.CommonName).To(Equal("localhost"))
Expect(cert.DNSNames).To(ConsistOf("localhost"))
expectedIPAddresses := []net.IP{
net.ParseIP("127.0.0.1").To4(),
net.ParseIP(server.InsecureServing.Address).To4(),
}
Expect(cert.IPAddresses).To(ContainElements(expectedIPAddresses))
})
})

Context("when SecureServing and InsecureServing host & port are set", func() {
BeforeEach(func() {
server.SecureServing = SecureServing{
ListenAddr: process.ListenAddr{
Address: "1.2.3.4",
Port: "5678",
},
}
server.InsecureServing = &process.ListenAddr{
Address: "5.6.7.8",
Port: "1234",
}
})

It("should have the host in the certificate altnames", func() {
cert := getCertificate()

Expect(cert.Subject.CommonName).To(Equal("localhost"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might be missing it, but where do we test that there is actually a SAN injected? The tests here all seem to only check for localhost being there

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The following two Expect statements verify that the DNS SAN extension contains localhost, and that the IP SAN extension contains 127.0.0.1 and 1.2.3.4.

There isn't really an easy way to verify that the DNS SAN extension will contain an additional entry if SecureServing.Address is a hostname instead of an IP address. This is because the current logic (that is outside the scope of this PR) for determining SAN extension values depends on the test host's DNS resolver. If I were to add say example.com, then the underlying business logic would perform a DNS lookup for example.com, who's value would be host-dependent. The localhost value only works here because localhost typically resolves to 127.0.0.1 via the hosts file.

Expect(cert.DNSNames).To(ConsistOf("localhost"))
expectedIPAddresses := []net.IP{
net.ParseIP("127.0.0.1").To4(),
net.ParseIP(server.SecureServing.ListenAddr.Address).To4(),
net.ParseIP(server.InsecureServing.Address).To4(),
}
Expect(cert.IPAddresses).To(ContainElements(expectedIPAddresses))
})
})
})

Describe("setting up auth", func() {
var auth *fakeAuthn
BeforeEach(func() {
Expand Down