From 4d2bbac674cdfce65e825b5bdc9e127b6189e5e6 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Thu, 10 Oct 2024 14:44:14 -0700
Subject: [PATCH] use .cluster.local address for LUA (squid cannot resolve .svc addresses)
---
 hack/prepare-for-integration-tests.sh | 4 ++--
 hack/prepare-impersonator-on-kind.sh | 4 ++--
 internal/controller/apicerts/certs_manager.go | 3 ++-
 internal/controller/apicerts/certs_manager_test.go | 3 ++-
 4 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/hack/prepare-for-integration-tests.sh b/hack/prepare-for-integration-tests.sh
index 88e95c0d8..0f8f7c045 100755
--- a/hack/prepare-for-integration-tests.sh
+++ b/hack/prepare-for-integration-tests.sh
@@ -347,7 +347,7 @@ manifest=/tmp/pinniped-concierge.yaml
 data_values_file=/tmp/concierge-values.yml
 concierge_app_name="pinniped-concierge"
 concierge_namespace="concierge"
-webhook_url="https://local-user-authenticator.local-user-authenticator.svc/authenticate"
+webhook_url="https://local-user-authenticator.local-user-authenticator.svc.cluster.local/authenticate"
 discovery_url="$(TERM=dumb kubectl cluster-info | awk '/master|control plane/ {print $NF}')"
 concierge_custom_labels="{myConciergeCustomLabelName: myConciergeCustomLabelValue}"
 log_level="debug"
@@ -366,7 +366,7 @@ EOF
 if [[ "${FIREWALL_IDPS:-no}" == "yes" ]]; then
 # Configure the web proxy on the Concierge pods. Note that .svc and .cluster.local are not included,
 # so requests for things like pinniped-supervisor-clusterip.supervisor.svc.cluster.local and
- # local-user-authenticator.local-user-authenticator.svc will go through the web proxy.
+ # local-user-authenticator.local-user-authenticator.svc.cluster.local will go through the web proxy.
 cat <>"$data_values_file"
 https_proxy: "http://proxy.tools.svc.cluster.local:3128"
 no_proxy: "\$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost"
diff --git a/hack/prepare-impersonator-on-kind.sh b/hack/prepare-impersonator-on-kind.sh
index df0355747..1dc1d13ff 100755
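Review bot: The new `webhook_url` hard-codes the `cluster.local` cluster DNS domain, so on a cluster configured with a non-default domain the fully-qualified name will not resolve even though the `.svc` form the script used before would have; the same hard-coded suffix is introduced in the `endpoint:` line of hack/prepare-impersonator-on-kind.sh in this patch. The `https_proxy` value in the next hunk already assumes `cluster.local`, so this is presumably a deliberate assumption of the test harness rather than a regression, but nothing on the line says why the FQDN is now required. A one-line comment above the assignment would preserve that reasoning, e.g. `# Fully-qualified name: with FIREWALL_IDPS=yes this request is sent via the web proxy, which cannot resolve the short .svc form (assumes the default cluster.local domain).` If other clusters domains ever matter, the suffix could be factored into one variable shared by both scripts.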
--- a/hack/prepare-impersonator-on-kind.sh
+++ b/hack/prepare-impersonator-on-kind.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+# Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
@@ -50,7 +50,7 @@ kind: WebhookAuthenticator
 metadata:
 name: local-user-authenticator
 spec:
- endpoint: https://local-user-authenticator.local-user-authenticator.svc/authenticate
+ endpoint: https://local-user-authenticator.local-user-authenticator.svc.cluster.local/authenticate
 tls:
 certificateAuthorityData: $LOCAL_USER_AUTHENTICATOR_CA
 EOF
diff --git a/internal/controller/apicerts/certs_manager.go b/internal/controller/apicerts/certs_manager.go
index c99d5162d..e462794e4 100644
--- a/internal/controller/apicerts/certs_manager.go
+++ b/internal/controller/apicerts/certs_manager.go
@@ -119,7 +119,8 @@ func (c *certsManagerController) Sync(ctx controllerlib.Context) error {
 // Using the CA from above, create a TLS server cert if we have service name.
 if len(c.serviceNameForGeneratedCertCommonName) != 0 {
 serviceEndpoint := c.serviceNameForGeneratedCertCommonName + "." + c.namespace + ".svc"
- tlsCert, err := ca.IssueServerCert([]string{serviceEndpoint}, nil, c.certDuration)
+ // Allow clients to use either service-name.namespace.svc or service-name.namespace.svc.cluster.local to verify TLS.
+ tlsCert, err := ca.IssueServerCert([]string{serviceEndpoint, serviceEndpoint + ".cluster.local"}, nil, c.certDuration)
 if err != nil {
 return fmt.Errorf("could not issue serving certificate: %w", err)
 }
diff --git a/internal/controller/apicerts/certs_manager_test.go b/internal/controller/apicerts/certs_manager_test.go
index 9520f85f1..e51c618f3 100644
--- a/internal/controller/apicerts/certs_manager_test.go
+++ b/internal/controller/apicerts/certs_manager_test.go
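Review bot: The second SAN passed to `ca.IssueServerCert` hard-codes the `.cluster.local` suffix, so the serving certificate only matches the fully-qualified name on clusters that use the default cluster DNS domain; on a cluster with a custom domain the FQDN form will fail hostname verification, while the bare `.svc` name (still the first SAN) keeps working. If that assumption is intentional, it is worth stating it where the next reader will look, e.g. extend the new comment with `// The ".cluster.local" suffix assumes the default cluster DNS domain; the ".svc" name remains a SAN so clients on clusters with a different domain are unaffected.` and consider lifting the literal into a named constant beside the existing `".svc"` suffix so both spellings are defined in one place. The enclosing Sync method starts and ends outside this hunk.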
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 package apicerts
@@ -225,6 +225,7 @@ func TestManagerControllerSync(t *testing.T) {
 // Validate the created cert using the CA, and also validate the cert's hostname
 validCert := testutil.ValidateServerCertificate(t, actualCACert, actualCertChain)
 validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc")
+ validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc.cluster.local")
 validCert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 6*time.Minute)
 validCert.RequireMatchesPrivateKey(actualPrivateKey)
 })