Additional SubjectName in the CertificateRequest

This patch adds a way to check the appropriate annotation within a SVC
and look for additional SNs that should be added to the
CertificateRequest. Glance needs this mechanism because for each SVC
(public, internal), we have an associated headless service, and it is
used to resolve each replica Pod worker_self_reference_url.
This allows to proxy Pod2Pod requests via HTTPS.

Signed-off-by: Francesco Pantano <[email protected]>

Author: fmount

pkg/openstack/common.go

@@ -298,6 +298,11 @@ func EnsureEndpointConfig(
 						Labels:      util.MergeMaps(ed.Labels, map[string]string{serviceCertSelector: ""}),
 						Usages:      nil,
 					}
+
+					addSubjNames := util.GetStringListFromMap(svc.Annotations, tls.AdditionalSubjectNamesKey)
+					if len(addSubjNames) > 0 {
+						certRequest.Hostnames = append(certRequest.Hostnames, addSubjNames...)
+					}
 					if instance.Spec.TLS.Ingress.Cert.Duration != nil {
 						certRequest.Duration = &instance.Spec.TLS.Ingress.Cert.Duration.Duration
 					}
@@ -343,6 +348,11 @@ func EnsureEndpointConfig(
 					Labels:      util.MergeMaps(ed.Labels, map[string]string{serviceCertSelector: ""}),
 					Usages:      nil,
 				}
+
+				addSubjNames := util.GetStringListFromMap(svc.Annotations, tls.AdditionalSubjectNamesKey)
+				if len(addSubjNames) > 0 {
+					certRequest.Hostnames = append(certRequest.Hostnames, addSubjNames...)
+				}
 				if instance.Spec.TLS.PodLevel.Internal.Cert.Duration != nil {
 					certRequest.Duration = &instance.Spec.TLS.PodLevel.Internal.Cert.Duration.Duration
 				}