Linkerd2: Tap pod should consider subjectAltNames
When verifying for requestheader-allowed-names in the tap apiserver consider subjectAltNames for cases when there are multiple names.
balchua
All 7 comments
Could you explain a little more about the situation where there are multiple names in the SAN?
grampelberg
on 23 Sep 2019
Hi sorry didn't give a bit more info here.
For example i have othername in the SAN and i add it to the kube apiserver option requestheader-allowed-names=commonname,othername the tap pod doesn't recognize it.
Because it only checks for the allowed names in the CN.
balchua
on 23 Sep 2019
Hey there! Is anyone working on this? I'm interested in helping out.
drholmie
on 27 Sep 2019
@drholmie I think it's all yours!
wmorgan
on 28 Sep 2019
Awesome. Thanks for the go ahead!
drholmie
on 1 Oct 2019
Hope it's alright, but I noticed there hadn't been any movement on this issue for a while. Figured I could knock it out quickly, so I threw a PR together.
javaducky
on 18 Jan 2020
Thank you @javaducky!
grampelberg
on 21 Jan 2020
Related issues
adleong
路
4Comments
olix0r
路
3Comments
ihcsim
路
4Comments
alpeb
路
3Comments
klingerf
路
3Comments
Most helpful comment
Hi sorry didn't give a bit more info here.
For example i have
othernamein the SAN and i add it to the kube apiserver optionrequestheader-allowed-names=commonname,othernamethe tap pod doesn't recognize it.Because it only checks for the allowed names in the CN.
https://github.com/linkerd/linkerd2/blob/5e51208b5deea360932bd294337683f51a4571eb/controller/tap/apiserver.go#L98