From 998b012f6b64a376639e27a9701370c8fb7a99bc Mon Sep 17 00:00:00 2001
From: Julius Kriukas
Date: Thu, 26 Nov 2020 09:52:27 +0200
Subject: [PATCH] Support host names in TLS certificates

This commit updates TLS certificate generator to detect if IP address or host name was used as host value. If host name is detected field `DNSNames` of x509 SAN extenstion is used instead of `IPAddresses`.

* https://en.wikipedia.org/wiki/Subject_Alternative_Name
* https://tools.ietf.org/html/rfc5280#section-4.2.1.6

This contributes towards fixing #337.
---
 pkg/cluster/task/tls.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/pkg/cluster/task/tls.go b/pkg/cluster/task/tls.go
index 7a0634ccaa..326235de60 100644
--- a/pkg/cluster/task/tls.go
+++ b/pkg/cluster/task/tls.go
@@ -16,6 +16,7 @@ package task
 import (
 "encoding/pem"
 "fmt"
+ "net"
 "path/filepath"
 
 "github.com/pingcap/errors"
@@ -38,8 +39,13 @@ func (c *TLSCert) Execute(ctx *Context) error {
 if err != nil {
 return err
 }
- // we don't support hostname yet, only iplist is used
- csr, err := privKey.CSR(c.inst.Role(), c.inst.ComponentName(), []string{}, []string{c.inst.GetHost()})
+
+ hosts := []string{c.inst.GetHost()}
+ ips := []string{}
+ if net.ParseIP(c.inst.GetHost()) != nil {
+ hosts, ips = ips, hosts
+ }
+ csr, err := privKey.CSR(c.inst.Role(), c.inst.ComponentName(), hosts, ips)
 if err != nil {
 return err
 }
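Review bot: The tuple swap `hosts, ips = ips, hosts` in the second hunk is correct but reads as a trick, and `c.inst.GetHost()` is evaluated twice; a single local plus an explicit if/else states which SAN list the host lands in and keeps the CSR call identical. The comment that documented the old limitation is removed without a replacement, so the choice between dNSName and iPAddress is now only implied by the ParseIP check — worth one line saying so. Note that any host value net.ParseIP rejects (for example a bracketed IPv6 literal or a host:port string, if the caller does not already normalize these) is placed verbatim into DNSNames and would yield a malformed dNSName SAN rather than an error; whether that needs a check here depends on how GetHost is populated, which the hunk does not show. Execute starts and ends outside the hunk.
```go
	host := c.inst.GetHost()
	// An IP literal goes into the SAN iPAddress list; anything else is
	// treated as a DNS name and goes into dNSName.
	hosts, ips := []string{}, []string{}
	if net.ParseIP(host) != nil {
		ips = append(ips, host)
	} else {
		hosts = append(hosts, host)
	}
	csr, err := privKey.CSR(c.inst.Role(), c.inst.ComponentName(), hosts, ips)
	// … unchanged: error check and the rest of Execute …
```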