Use full service domain for the CN

EKS is not adding the Subject Alternative Name (SAN) when signing the CSR. This means that we cannot use service name without specifying the namespace and `.svc` suffix. As you can see from the apiserver error message, the TLS certificate validation is checking only the CN. x509: certificate is valid for newrelic-metadata-injection-svc, not newrelic-metadata-injection-svc.default.svc This is a known issue in EKS: awslabs/amazon-eks-ami#341 This changes revert to using {service}.{namespace}.svc for the CN but check the length to be withing the limit of 64 characters defined on the x509 specification.
newrelic · Apr 8, 2020 · 311d000 · 311d000
1 parent 01b8d85
commit 311d000
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 1.2.2
+- Revert to using the full service name for the CN. There is an open issue in 
+  EKS in which the SAN is not added to the signed certificates, making the 
+  TLS requests from the apiserver to the webhook fail.
+  https://github.com/awslabs/amazon-eks-ami/issues/341
+
 ## 1.2.0
 
 - Use a much shorter common name for the certificate (only the Service's name)

diff --git a/generate_certificate.sh b/generate_certificate.sh
@@ -51,8 +51,20 @@ done
 [ -z "${secret}" ] && echo "ERROR: --secret flag is required" && exit 1
 [ -z "${namespace}" ] && echo "ERROR: --namespace flag is required" && exit 1
 
+fullServiceDomain="${service}.${namespace}.svc"
+
+# THE CN has a limit of 64 characters. We could remove the namespace and svc
+# and rely on the Subject Alternative Name (SAN), but there is a bug in EKS
+# that discards the SAN when signing the certificates.
+#
+# https://github.com/awslabs/amazon-eks-ami/issues/341
+if [ ${#fullServiceDomain} -gt 64 ] ; then
+  echo "ERROR: common name exceeds the 64 character limit: ${fullServiceDomain}"
+  exit 1
+fi
+
 if [ ! -x "$(command -v openssl)" ]; then
-  echo "openssl not found"
+  echo "ERROR: openssl not found"
   exit 1
 fi
 
@@ -73,15 +85,15 @@ subjectAltName = @alt_names
 [alt_names]
 DNS.1 = ${service}
 DNS.2 = ${service}.${namespace}
-DNS.3 = ${service}.${namespace}.svc
+DNS.3 = ${fullServiceDomain}
 EOF
 
 openssl genrsa -out "${tmpdir}/server-key.pem" 2048
-openssl req -new -key "${tmpdir}/server-key.pem" -subj "/CN=${service}" -out "${tmpdir}/server.csr" -config "${tmpdir}/csr.conf"
+openssl req -new -key "${tmpdir}/server-key.pem" -subj "/CN=${fullServiceDomain}" -out "${tmpdir}/server.csr" -config "${tmpdir}/csr.conf"
 
 set +e
 # clean-up any previously created CSR for our service. Ignore errors if not present.
-if kubectl delete csr "${csrName}"; then 
+if kubectl delete csr "${csrName}"; then
     echo "WARN: Previous CSR was found and removed."
 fi
 set -e