feat: only add non-FQDN variant of fully qualified domain names to SANs (#564)

dervoeti · web-flow · commit 95af4ac1bdfa · 2025-02-24T11:36:41.000Z
* feat: trim optional trailing dot of cluster domain to always get the non-FQDN variant

* chore: add tests / changelog entry

* fix: remove trailing dots from node names

* fix: move logic to tls module
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ All notable changes to this project will be documented in this file.
 ### Changed
 
 - Default to OCI for image metadata ([#544]).
+- [BREAKING] When using a fully qualified domain name, only the variant without the trailing dot is added to the SANs. This should only improve the behavior in scenarios where FQDNs are used and not affect anything else ([#564]).
 
 ### Fixed
 
@@ -29,6 +30,7 @@ All notable changes to this project will be documented in this file.
 [#548]: https://github.com/stackabletech/secret-operator/pull/548
 [#552]: https://github.com/stackabletech/secret-operator/pull/552
 [#563]: https://github.com/stackabletech/secret-operator/pull/563
+[#564]: https://github.com/stackabletech/secret-operator/pull/564
 
 ## [24.11.1] - 2025-01-10
 
diff --git a/docs/modules/secret-operator/pages/scope.adoc b/docs/modules/secret-operator/pages/scope.adoc
@@ -59,5 +59,5 @@ For example, a TLS certificate provisioned by the xref:secretclass.adoc#backend-
 xref:#node[] and xref:#pod[] would contain the following values in its `subjectAlternateName` (SAN) extension field:
 
 * The node's IP address
-* The node's fully qualified domain name (`my-node.example.com`)
-* The pod's fully qualified domain name (`my-pod.my-service.my-namespace.svc.cluster.local`)
+* The node's fully qualified domain name (`my-node.example.com`, without a trailing dot)
+* The pod's fully qualified domain name (`my-pod.my-service.my-namespace.svc.cluster.local`, without a trailing dot)
diff --git a/rust/operator-binary/src/backend/tls/mod.rs b/rust/operator-binary/src/backend/tls/mod.rs
@@ -252,6 +252,14 @@ impl SecretBackend for TlsGenerate {
                     .context(ScopeAddressesSnafu { scope })?,
             );
         }
+        for address in &mut addresses {
+            if let Address::Dns(dns) = address {
+                // Turn FQDNs into bare domain names by removing the trailing dot
+                if dns.ends_with('.') {
+                    dns.pop();
+                }
+            }
+        }
         let ca = self
             .ca_manager
             .find_certificate_authority_for_signing(not_after)
