From 2006b2e77af6f8a7c0d628a84968dccf5bb8ad50 Mon Sep 17 00:00:00 2001
From: Julius Kriukas
Date: Thu, 26 Nov 2020 09:52:27 +0200
Subject: [PATCH] Support host names in TLS certificates

This commit updates TLS certificate generator to detect if IP address or host name was used as host value. If host name is detected field `DNSNames` of x509 SAN extenstion is used instead of `IPAddresses`.

* https://en.wikipedia.org/wiki/Subject_Alternative_Name
* https://tools.ietf.org/html/rfc5280#section-4.2.1.6

This contributes towards fixing #337.
---
 pkg/cluster/task/tls.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/pkg/cluster/task/tls.go b/pkg/cluster/task/tls.go
index 7a0634ccaa..326235de60 100644
--- a/pkg/cluster/task/tls.go
+++ b/pkg/cluster/task/tls.go
@@ -16,6 +16,7 @@ package task
 import (
 	"encoding/pem"
 	"fmt"
+	"net"
 	"path/filepath"
 
 	"github.com/pingcap/errors"
@@ -38,8 +39,13 @@ func (c *TLSCert) Execute(ctx *Context) error {
 	if err != nil {
 		return err
 	}
-	// we don't support hostname yet, only iplist is used
-	csr, err := privKey.CSR(c.inst.Role(), c.inst.ComponentName(), []string{}, []string{c.inst.GetHost()})
+
+	hosts := []string{c.inst.GetHost()}
+	ips := []string{}
+	if net.ParseIP(c.inst.GetHost()) != nil {
+		hosts, ips = ips, hosts
+	}
+	csr, err := privKey.CSR(c.inst.Role(), c.inst.ComponentName(), hosts, ips)
 	if err != nil {
 		return err
 	}
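Review bot: The `hosts, ips = ips, hosts` swap in the second hunk hides which SAN field the host ends up in and calls `c.inst.GetHost()` twice; reading the host once and assigning it to the matching slice states the intent directly and gives a natural place for a comment. Note also that the classification is binary: any value `net.ParseIP` rejects — including an IPv6 literal with a zone suffix, a bracketed address, or a `host:port` string if `GetHost()` could ever return one — is silently put into `DNSNames`, so it is worth a comment that the host is assumed to be either a bare IP or a bare DNS name, or a check that rejects anything else before the CSR is built. Whether `privKey.CSR` tolerates nil slices is not visible here; if it does not, keep `[]string{}` for the unused side. `Execute` starts and ends outside the hunk.
```go
	// A host that parses as an IP goes into the IPAddresses SAN; anything else is
	// treated as a DNS name. Values that are neither (zone-scoped IPv6, host:port)
	// would land in DNSNames unchecked.
	host := c.inst.GetHost()
	var hosts, ips []string
	if net.ParseIP(host) != nil {
		ips = []string{host}
	} else {
		hosts = []string{host}
	}
	// … unchanged: privKey.CSR call and error handling …
```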