Support host names in TLS certificates

This commit updates TLS certificate generator to detect if IP address or host name was used as host value. If host name is detected field `DNSNames` of x509 SAN extenstion is used instead of `IPAddresses`. * https://en.wikipedia.org/wiki/Subject_Alternative_Name * https://tools.ietf.org/html/rfc5280#section-4.2.1.6 This contributes towards fixing #337.
pingcap · Nov 30, 2020 · 998b012 · 998b012
1 parent 299b364
commit 998b012
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/pkg/cluster/task/tls.go b/pkg/cluster/task/tls.go
@@ -16,6 +16,7 @@ package task
 import (
 	"encoding/pem"
 	"fmt"
+	"net"
 	"path/filepath"
 
 	"github.com/pingcap/errors"
@@ -38,8 +39,13 @@ func (c *TLSCert) Execute(ctx *Context) error {
 	if err != nil {
 		return err
 	}
-	// we don't support hostname yet, only iplist is used
-	csr, err := privKey.CSR(c.inst.Role(), c.inst.ComponentName(), []string{}, []string{c.inst.GetHost()})
+
+	hosts := []string{c.inst.GetHost()}
+	ips := []string{}
+	if net.ParseIP(c.inst.GetHost()) != nil {
+		hosts, ips = ips, hosts
+	}
+	csr, err := privKey.CSR(c.inst.Role(), c.inst.ComponentName(), hosts, ips)
 	if err != nil {
 		return err
 	}