Use full service domain for the CN (#22)

EKS is not adding the Subject Alternative Name (SAN) when signing the CSR. This means that we cannot use service name without specifying the namespace and `.svc` suffix. As you can see from the apiserver error message, the TLS certificate validation is checking only the CN. x509: certificate is valid for newrelic-metadata-injection-svc, not newrelic-metadata-injection-svc.default.svc This is a known issue in EKS: awslabs/amazon-eks-ami#341 This changes revert to using {service}.{namespace}.svc for the CN but check the length to be withing the limit of 64 characters defined on the x509 specification.
newrelic · Apr 9, 2020 · ece5e3a · ece5e3a
1 parent 4bbc78d
commit ece5e3a
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 1.2.2
+- Revert to using the full service name for the CN. There is an open issue in 
+  EKS in which the SAN is not added to the signed certificates, making the 
+  TLS requests from the apiserver to the webhook fail.
+  https://github.com/awslabs/amazon-eks-ami/issues/341
+
 ## 1.2.0
 
 - Use a much shorter common name for the certificate (only the Service's name)

diff --git a/generate_certificate.sh b/generate_certificate.sh
@@ -58,8 +58,20 @@ done
 [ -z "${secret}" ] && echo "ERROR: --secret flag is required" && exit 1
 [ -z "${namespace}" ] && echo "ERROR: --namespace flag is required" && exit 1
 
+fullServiceDomain="${service}.${namespace}.svc"
+
+# THE CN has a limit of 64 characters. We could remove the namespace and svc
+# and rely on the Subject Alternative Name (SAN), but there is a bug in EKS
+# that discards the SAN when signing the certificates.
+#
+# https://github.com/awslabs/amazon-eks-ami/issues/341
+if [ ${#fullServiceDomain} -gt 64 ] ; then
+  echo "ERROR: common name exceeds the 64 character limit: ${fullServiceDomain}"
+  exit 1
+fi
+
 if [ ! -x "$(command -v openssl)" ]; then
-  echo "openssl not found"
+  echo "ERROR: openssl not found"
   exit 1
 fi
 
@@ -80,15 +92,15 @@ subjectAltName = @alt_names
 [alt_names]
 DNS.1 = ${service}
 DNS.2 = ${service}.${namespace}
-DNS.3 = ${service}.${namespace}.svc
+DNS.3 = ${fullServiceDomain}
 EOF
 
 openssl genrsa -out "${tmpdir}/server-key.pem" 2048
-openssl req -new -key "${tmpdir}/server-key.pem" -subj "/CN=${service}" -out "${tmpdir}/server.csr" -config "${tmpdir}/csr.conf"
+openssl req -new -key "${tmpdir}/server-key.pem" -subj "/CN=${fullServiceDomain}" -out "${tmpdir}/server.csr" -config "${tmpdir}/csr.conf"
 
 set +e
 # clean-up any previously created CSR for our service. Ignore errors if not present.
-if kubectl delete csr "${csrName}"; then 
+if kubectl delete csr "${csrName}"; then
     echo "WARN: Previous CSR was found and removed."
 fi
 set -e