Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HPCC-31872 Allow alternate certificate domains #19315

Merged
merged 1 commit into from
Dec 17, 2024
Merged

HPCC-31872 Allow alternate certificate domains #19315

merged 1 commit into from
Dec 17, 2024
+106 −1

Conversation

asselitx
Copy link
Contributor

@asselitx asselitx commented Nov 26, 2024
edited
Loading

Type of change:

  • This change is a bug fix (non-breaking change which fixes an issue).
  • This change is a new feature (non-breaking change which adds functionality).
  • This change improves the code (refactor or other change that does not change the functionality)
  • This change fixes warnings (the fix does not alter the functionality or the generated code)
  • This change is a breaking change (fix or feature that will cause existing behavior to change).
  • This change alters the query API (existing queries will have to be recompiled)

Checklist:

  • My code follows the code style of this project.
    • My code does not create any new warnings from compiler, build system, or lint.
  • The commit message is properly formatted and free of typos.
    • The commit message title makes sense in a changelog, by itself.
    • The commit is signed.
  • My change requires a change to the documentation.
    • I have updated the documentation accordingly, or...
    • I have created a JIRA ticket to update the documentation.
    • Any new interfaces or exported functions are appropriately commented.
  • I have read the CONTRIBUTORS document.
  • The change has been fully tested:
    • I have added tests to cover my changes.
    • All new and existing tests passed.
    • I have checked that this change does not introduce memory leaks.
    • I have used Valgrind or similar tools to check for potential issues.
  • I have given due consideration to all of the following potential concerns:
    • Scalability
    • Performance
    • Security
    • Thread-safety
    • Cloud-compatibility
    • Premature optimization
    • Existing deployed queries will not be broken
    • This change fixes the problem, not just the symptom
    • The target branch of this pull request is appropriate for such a change.
  • There are no similar instances of the same problem that should be addressed
    • I have addressed them here
    • I have raised JIRA issues to address them separately
  • This is a user interface / front-end modification
    • I have tested my changes in multiple modern browsers
    • The component(s) render as expected

Smoketest:

  • Send notifications about my Pull Request position in Smoketest queue.
  • Test my draft Pull Request.

Testing:

@asselitx asselitx requested a review from afishbeck November 26, 2024 04:26
@asselitx
Copy link
Contributor Author

@afishbeck Could you please review? One question is if the alternate domains also need to be applied to the spiffe URIs? I didn't see any other cases where the current domain is used to generate dnsNames entries.

@asselitx asselitx force-pushed the certificate-domains-hpcc-31872 branch from 3cdc164 to 118df51 Compare December 11, 2024 15:43
@asselitx asselitx requested a review from ghalliday December 12, 2024 16:29
afishbeckln
afishbeckln reviewed Dec 12, 2024
View reviewed changes
helm/hpcc/templates/_helpers.tpl
@@ -1929,7 +1930,9 @@ spec:
{{- end }}
dnsNames:
{{- range $dnsName := $local.dnsNames }}
- {{ (printf "%s.%s" $dnsName $domain) | quote }}
{{- range $altDomain := $local.allDomains }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I were being super picky I would say the variable name "altDomain" is not right. $local.allDomains contains the primary domain and the alts. But hardly matters.

afishbeckln
afishbeckln approved these changes Dec 12, 2024
View reviewed changes
Copy link
Contributor

@afishbeckln afishbeckln left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@asselitx looks good.

@asselitx asselitx changed the title Certificate domains hpcc 31872 HPCC-31872 Allow alternate certificate domains Dec 12, 2024
@asselitx
HPCC-31872 Accept alternative domains in certificate config
63e2a98 
Accept an `alternativeDomains` configuration property in the certificates
issuers section. It is an array of domains other than `domain` that the
certificate will be valid for.

These values will be added to the helm manifest's Certificate resource's
`dnsNames` property, which corresponds to entries in the "Subject Alternative
Name" extension of the X.509 certificate.

The `domain` value is used in part to derive the `commonName`, and it is still
added to the list of `dnsNames` as before. Any ESP and roxie service names are
prepended to any of the `domain` and `alternativeDomains` values before adding
to the `dnsNames` list.

Signed-off-by: Terrence Asselin <[email protected]>
@asselitx asselitx force-pushed the certificate-domains-hpcc-31872 branch from 118df51 to 63e2a98 Compare December 12, 2024 19:39
@asselitx asselitx removed the request for review from afishbeck December 12, 2024 19:40
@asselitx
Copy link
Contributor Author

@ghalliday squashed and renamed PR to follow convention. The failing 'macos-14' check is happening across most PRs currently.

ghalliday
ghalliday reviewed Dec 17, 2024
View reviewed changes
helm/hpcc/templates/_helpers.tpl
@@ -1894,6 +1894,7 @@ args:
{{- end -}}
{{- end -}}
{{- $_ := set $local "dnsNames" (uniq $local.dnsNames ) -}}
{{- $_ := set $local "allDomains" (prepend (default list $issuer.alternativeDomains) $domain ) -}}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: This the default operator is more normally written as

($issuer.alternativeDomains | default list)

(I had to read some documentation to check the semantics...)

@ghalliday ghalliday merged commit 2cd34ef into hpcc-systems:candidate-9.8.x Dec 17, 2024
48 of 49 checks passed
@github-actions GitHub Actions
Copy link

Jirabot Action Result:
Added fix version: 9.8.46
Workflow Transition: 'Resolve issue'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ghalliday ghalliday ghalliday approved these changes

@afishbeckln afishbeckln afishbeckln approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@asselitx @ghalliday @afishbeckln