fix(RHOAIENG-38319): update tls CA subject and DNS names

kryanbeane · kryanbeane · commit ef830120d55b · 2025-11-07T17:18:40.000Z
diff --git a/src/codeflare_sdk/common/utils/generate_cert.py b/src/codeflare_sdk/common/utils/generate_cert.py
@@ -16,8 +16,10 @@
 import os
 from cryptography.hazmat.primitives import serialization, hashes
 from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.backends import default_backend
 from cryptography import x509
 from cryptography.x509.oid import NameOID
+import ipaddress
 import datetime
 from ..kubernetes_cluster.auth import (
     config_check,
@@ -163,8 +165,29 @@ def generate_tls_cert(cluster_name, namespace, days=30):
     ca_cert = secret.get("ca.crt")
     ca_key = secret.get("tls.key")
 
+    if not ca_cert:
+        raise ValueError(
+            f"CA certificate (ca.crt or tls.crt) not found in secret {secret_name}. "
+            f"Available keys: {list(secret.keys())}"
+        )
+    if not ca_key:
+        raise ValueError(
+            f"CA private key (tls.key) not found in secret {secret_name}. "
+            f"Available keys: {list(secret.keys())}"
+        )
+
+    # Decode and write CA certificate
+    ca_cert_pem = base64.b64decode(ca_cert).decode("utf-8")
     with open(os.path.join(tls_dir, "ca.crt"), "w") as f:
-        f.write(base64.b64decode(ca_cert).decode("utf-8"))
+        f.write(ca_cert_pem)
+
+    # Load the CA certificate to get its subject name (which will be the issuer for client cert)
+    # This ensures the client certificate's issuer matches the CA's subject
+    # Previously, we hardcoded "root-ca" which doesn't match the actual CA subject
+    ca_cert_obj = x509.load_pem_x509_certificate(
+        ca_cert_pem.encode("utf-8"), default_backend()
+    )
+    ca_subject = ca_cert_obj.subject
 
     # Generate tls.key and signed tls.cert locally for ray client
     # Similar to running these commands:
@@ -191,16 +214,22 @@ def generate_tls_cert(cluster_name, namespace, days=30):
     with open(os.path.join(tls_dir, "tls.key"), "w") as f:
         f.write(tls_key.decode("utf-8"))
 
+    head_svc_name = f"{cluster_name}-head-svc"
+    service_dns = f"{head_svc_name}.{namespace}.svc"
+    service_dns_cluster_local = f"{head_svc_name}.{namespace}.svc.cluster.local"
+
+    san_list = [
+        x509.DNSName("localhost"),
+        x509.IPAddress(ipaddress.IPv4Address("127.0.0.1")),
+        x509.DNSName(head_svc_name),
+        x509.DNSName(service_dns),
+        x509.DNSName(service_dns_cluster_local),
+    ]
+
     one_day = datetime.timedelta(1, 0, 0)
     tls_cert = (
         x509.CertificateBuilder()
-        .issuer_name(
-            x509.Name(
-                [
-                    x509.NameAttribute(NameOID.COMMON_NAME, "root-ca"),
-                ]
-            )
-        )
+        .issuer_name(ca_subject)  # Use the actual CA certificate's subject as issuer
         .subject_name(
             x509.Name(
                 [
@@ -213,9 +242,7 @@ def generate_tls_cert(cluster_name, namespace, days=30):
         .not_valid_after(datetime.datetime.today() + (one_day * days))
         .serial_number(x509.random_serial_number())
         .add_extension(
-            x509.SubjectAlternativeName(
-                [x509.DNSName("localhost"), x509.DNSName("127.0.0.1")]
-            ),
+            x509.SubjectAlternativeName(san_list),
             False,
         )
         .sign(
