k2d: introduce cert alt name support via K2D_ALT_NAMES

portainer · Nov 9, 2024 · f98cd1c · f98cd1c
1 parent 7dd8270
commit f98cd1c
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 3 deletions.
diff --git a/cmd/k2d.go b/cmd/k2d.go
@@ -96,7 +96,7 @@ func main() {
 		logger.Fatalf("unable to get advertise IP address: %s", err)
 	}
 
-	err = ssl.EnsureTLSCertificatesExist(ctx, cfg.DataPath, ip)
+	err = ssl.EnsureTLSCertificatesExist(ctx, cfg.DataPath, ip, cfg.AltNames)
 	if err != nil {
 		logger.Fatalf("unable to setup TLS certificates: %s", err)
 	}

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -10,6 +10,9 @@ type Config struct {
 	// It is expected to be provided through an environment variable named K2D_ADVERTISE_ADDR.
 	AdvertiseAddr string `env:"K2D_ADVERTISE_ADDR"`
 
+	// AltNames represents optional alternative names for the TLS certificate.
+	AltNames []string `env:"K2D_ALT_NAMES"`
+
 	// DataPath represents the path for application data storage.
 	// If not provided through an environment variable named K2D_DATA_PATH,
 	// the default value is set to /var/lib/k2d.

diff --git a/internal/ssl/ssl.go b/internal/ssl/ssl.go
@@ -58,7 +58,7 @@ func SSLKeyPath(dataPath string) string {
 // The generated certificates have a validity period of 25 years.
 //
 // This function depends on the ssl.GenerateTLSCertificatesForIPAddr and filesystem.CreateDir functions.
-func EnsureTLSCertificatesExist(ctx context.Context, dataPath string, ipAddr net.IP) error {
+func EnsureTLSCertificatesExist(ctx context.Context, dataPath string, ipAddr net.IP, altNames []string) error {
 	certPath := path.Join(dataPath, SSL_FOLDER)
 
 	err := filesystem.CreateDir(certPath)
@@ -77,6 +77,7 @@ func EnsureTLSCertificatesExist(ctx context.Context, dataPath string, ipAddr net
 		CAFilename:   CA_FILENAME,
 		CertFilename: CERT_FILENAME,
 		KeyFilename:  KEY_FILENAME,
+		AltNames:     altNames,
 	}
 
 	tlsFilesExist, err := areTLSCertificatesPresent(cfg)

diff --git a/pkg/ssl/ssl.go b/pkg/ssl/ssl.go
@@ -37,6 +37,7 @@ type CertConfig struct {
 	CAFilename   string
 	CertFilename string
 	KeyFilename  string
+	AltNames     []string
 }
 
 // GenerateTLSCertificatesForIPAddr generates a CA certificate, a TLS certificate, and a private key
@@ -106,7 +107,7 @@ func GenerateTLSCertificatesForIPAddr(cfg CertConfig) error {
 			Locality:     []string{cfg.Locality},
 		},
 		IPAddresses:  []net.IP{cfg.IpAddr, net.IPv6loopback},
-		DNSNames:     []string{"kubernetes.default.svc"},
+		DNSNames:     append([]string{"kubernetes.default.svc"}, cfg.AltNames...),
 		NotBefore:    time.Now(),
 		NotAfter:     time.Now().Add(cfg.Validity),
 		SubjectKeyId: []byte{1, 2, 3, 4, 6},