Improve best-cert guessing with empty tls.hosts

Antoine Cotten 2018-06-24 23:34:25 +02:00
parent 315679ce39
commit 02219bdfb8
No known key found for this signature in database
GPG key ID: 94637E68D4A79DD0
2 changed files with 62 additions and 19 deletions


@ -1063,7 +1063,7 @@ func extractTLSSecretName(host string, ing *extensions.Ingress,
}
}
// no TLS host matching host name, try each TLS host for matching CN
// no TLS host matching host name, try each TLS host for matching SAN or CN
for _, tls := range ing.Spec.TLS {
key := fmt.Sprintf("%v/%v", ing.Namespace, tls.SecretName)
cert, err := getLocalSSLCert(key)
@ -1072,13 +1072,16 @@ func extractTLSSecretName(host string, ing *extensions.Ingress,
continue
}
if cert == nil {
if cert == nil { // for tests
continue
}
if sets.NewString(cert.CN...).Has(host) {
return tls.SecretName
err = cert.Certificate.VerifyHostname(host)
if err != nil {
continue
}
glog.V(3).Infof("Found SSL certificate matching host %q: %q", host, key)
return tls.SecretName
}
return ""
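Review bot: The `cert == nil` guard ahead of `cert.Certificate.VerifyHostname(host)` does not cover the `Certificate` field itself; if that field is a pointer (its type is not visible in this hunk) and a store entry was created without a parsed certificate, the call would dereference nil and panic instead of skipping the entry. Widening the guard to `if cert == nil || cert.Certificate == nil {` keeps the loop best-effort. The updated comment says "SAN or CN", but `VerifyHostname` consults the CN only when the certificate carries no SANs, and Go 1.15 and later ignore the CN entirely, so `// no TLS host matching host name, try each TLS secret for a certificate valid for host (SANs, wildcards included)` would describe the match more accurately. The first secret in `ing.Spec.TLS` order that matches is returned and only the name is checked, not the validity period, so a doc comment on `extractTLSSecretName` (which starts above this hunk) should say that the result is a best-effort guess and depends on declaration order.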