Fix duplicate altnames in cert

Author: QianChenglong

cmd/kubeadm/app/util/pkiutil/BUILD

@@ -25,6 +25,7 @@ go_library(
         "//cmd/kubeadm/app/constants:go_default_library",
         "//cmd/kubeadm/app/features:go_default_library",
         "//cmd/kubeadm/app/util:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library",
         "//staging/src/k8s.io/client-go/util/cert:go_default_library",
         "//staging/src/k8s.io/client-go/util/keyutil:go_default_library",

cmd/kubeadm/app/util/pkiutil/pki_helpers.go

@@ -36,6 +36,7 @@ import (
 
 	"github.com/pkg/errors"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation"
 	certutil "k8s.io/client-go/util/cert"
 	"k8s.io/client-go/util/keyutil"
@@ -566,6 +567,8 @@ func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate,
 		return nil, errors.New("must specify at least one ExtKeyUsage")
 	}
 
+	RemoveDuplicateAltNames(&cfg.AltNames)
+
 	certTmpl := x509.Certificate{
 		Subject: pkix.Name{
 			CommonName:   cfg.CommonName,
@@ -585,3 +588,24 @@ func NewSignedCert(cfg *CertConfig, key crypto.Signer, caCert *x509.Certificate,
 	}
 	return x509.ParseCertificate(certDERBytes)
 }
+
+// RemoveDuplicateAltNames removes duplicate items in altNames.
+func RemoveDuplicateAltNames(altNames *certutil.AltNames) {
+	if altNames == nil {
+		return
+	}
+
+	if altNames.DNSNames != nil {
+		altNames.DNSNames = sets.NewString(altNames.DNSNames...).List()
+	}
+
+	ipsKeys := make(map[string]struct{})
+	var ips []net.IP
+	for _, one := range altNames.IPs {
+		if _, ok := ipsKeys[one.String()]; !ok {
+			ipsKeys[one.String()] = struct{}{}
+			ips = append(ips, one)
+		}
+	}
+	altNames.IPs = ips
+}

cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go

@@ -26,6 +26,7 @@ import (
 	"io/ioutil"
 	"net"
 	"os"
+	"reflect"
 	"testing"
 
 	certutil "k8s.io/client-go/util/cert"
@@ -755,3 +756,51 @@ func TestAppendSANsToAltNames(t *testing.T) {
 	}
 
 }
+
+func TestRemoveDuplicateAltNames(t *testing.T) {
+	tests := []struct {
+		args *certutil.AltNames
+		want *certutil.AltNames
+	}{
+		{
+			&certutil.AltNames{},
+			&certutil.AltNames{},
+		},
+		{
+			&certutil.AltNames{
+				DNSNames: []string{"a", "a"},
+				IPs:      []net.IP{{127, 0, 0, 1}},
+			},
+			&certutil.AltNames{
+				DNSNames: []string{"a"},
+				IPs:      []net.IP{{127, 0, 0, 1}},
+			},
+		},
+		{
+			&certutil.AltNames{
+				DNSNames: []string{"a"},
+				IPs:      []net.IP{{127, 0, 0, 1}, {127, 0, 0, 1}},
+			},
+			&certutil.AltNames{
+				DNSNames: []string{"a"},
+				IPs:      []net.IP{{127, 0, 0, 1}},
+			},
+		},
+		{
+			&certutil.AltNames{
+				DNSNames: []string{"a", "a"},
+				IPs:      []net.IP{{127, 0, 0, 1}, {127, 0, 0, 1}},
+			},
+			&certutil.AltNames{
+				DNSNames: []string{"a"},
+				IPs:      []net.IP{{127, 0, 0, 1}},
+			},
+		},
+	}
+	for _, tt := range tests {
+		RemoveDuplicateAltNames(tt.args)
+		if !reflect.DeepEqual(tt.args, tt.want) {
+			t.Errorf("Wanted %v, got %v", tt.want, tt.args)
+		}
+	}
+}