Add the transport service DNS name to the CSR #2687
Conversation
We initially connect through the transport service to the remote cluster. This should ensure that the transport service is one of the trusted DNS names.
@@ -87,6 +87,8 @@ func buildGeneralNames( | |||
generalNames := []certificates.GeneralName{ | |||
{OtherName: *commonNameOtherName}, | |||
{DNSName: commonName}, | |||
// add the transport service name for remote cluster connections initially connecting through the service | |||
{DNSName: fmt.Sprintf("%s.%s.svc", esv1.TransportService(cluster.Name), cluster.Namespace)}, |
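Review bot: the added `{DNSName: fmt.Sprintf("%s.%s.svc", ...)}` line hard-codes a single one of the forms a Kubernetes Service resolves under, so a client that dials the bare `<name>.<namespace>` form or the cluster-domain FQDN (e.g. `.svc.cluster.local`) would still fail TLS hostname verification even though both names resolve. Either emit every form (the thread mentions `GetServiceDNSName()` in `pkg/util/k8s` for this) or extend the new comment to state that the seed hosts are configured with exactly this `.svc` name and that the other forms are deliberately left out, since the mismatch is otherwise a gotcha for the next reader. The new comment line is also long enough to be worth wrapping.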
We have GetServiceDNSName() in pkg/util/k8s which might be better to use here, and also includes the name without .svc (which also works).
It will not work unless we also change the seed hosts
Makes sense, would a comment be helpful here to explain why we're not? It seems like a gotcha since the name resolves. Though to be fair, the fully qualified domain name with the default domain suffix (e.g. cluster.local) also resolves but would fail.
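The point made above (the bare `name.namespace` form and the `name.namespace.svc.cluster.local` form both resolve, yet a certificate that lists only `name.namespace.svc` fails hostname verification for them) can be checked directly with Go's `crypto/x509`, which performs the same SAN matching `crypto/tls` applies on connect. The block below is an added example, not code from this PR or from ECK: `serviceDNSNames` is a hypothetical helper standing in for the `GetServiceDNSName()` mentioned in the thread, and the service name `demo-es-transport`, namespace `default` and cluster domain `cluster.local` are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serviceDNSNames returns the names a Kubernetes Service is reachable by from
// inside the cluster: the short namespaced form, the ".svc" form, and the
// fully qualified form with the cluster domain. Illustrative helper only;
// it is not ECK's GetServiceDNSName().
func serviceDNSNames(svcName, namespace, clusterDomain string) []string {
	return []string{
		fmt.Sprintf("%s.%s", svcName, namespace),
		fmt.Sprintf("%s.%s.svc", svcName, namespace),
		fmt.Sprintf("%s.%s.svc.%s", svcName, namespace, clusterDomain),
	}
}

// selfSignedCert issues a throwaway self-signed certificate carrying the given
// DNS SANs so that hostname verification can be exercised offline.
func selfSignedCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-es-transport"}, // constructed
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameAccepted reports whether a TLS client dialing host would accept the
// certificate's SAN list; the CN is ignored once SANs are present.
func hostnameAccepted(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// checkAll builds a certificate with exactly the given SANs and reports, for
// each candidate host, whether verification would succeed.
func checkAll(sans, hosts []string) (map[string]bool, error) {
	cert, err := selfSignedCert(sans)
	if err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = hostnameAccepted(cert, h)
	}
	return out, nil
}

func main() {
	all := serviceDNSNames("demo-es-transport", "default", "cluster.local")

	// Certificate listing only the ".svc" form, as the PR's Sprintf does.
	svcOnly, err := checkAll(all[1:2], all)
	if err != nil {
		panic(err)
	}
	for _, h := range all {
		fmt.Printf("svc-only SAN   host=%-48s accepted=%v\n", h, svcOnly[h])
	}

	// Certificate listing every form the helper produces.
	every, err := checkAll(all, all)
	if err != nil {
		panic(err)
	}
	for _, h := range all {
		fmt.Printf("all-forms SAN  host=%-48s accepted=%v\n", h, every[h])
	}
}
```

Running it shows that with the `.svc`-only SAN just one of the three resolvable names is accepted, while a certificate carrying all three forms is accepted for whichever name the seed hosts are configured with; that is the trade-off the thread is weighing between changing the seed hosts and widening the SAN list.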
We initially connect through the transport service to the remote cluster. This should ensure that the transport service is one of the trusted DNS names.
I ran into errors like this one when testing remote cluster connection setup