use .cluster.local address for LUA (squid cannot resolve .svc addresses)

This commit is contained in:
Ryan Richard
2024-10-10 14:44:14 -07:00
parent eca8914760
commit 4d2bbac674
4 changed files with 8 additions and 6 deletions


@@ -119,7 +119,8 @@ func (c *certsManagerController) Sync(ctx controllerlib.Context) error {
// Using the CA from above, create a TLS server cert if we have service name.
if len(c.serviceNameForGeneratedCertCommonName) != 0 {
serviceEndpoint := c.serviceNameForGeneratedCertCommonName + "." + c.namespace + ".svc"
tlsCert, err := ca.IssueServerCert([]string{serviceEndpoint}, nil, c.certDuration)
// Allow clients to use either service-name.namespace.svc or service-name.namespace.svc.cluster.local to verify TLS.
tlsCert, err := ca.IssueServerCert([]string{serviceEndpoint, serviceEndpoint + ".cluster.local"}, nil, c.certDuration)
if err != nil {
return fmt.Errorf("could not issue serving certificate: %w", err)
}
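Review bot: The `".cluster.local"` suffix appended on the new `IssueServerCert` line is only the default Kubernetes cluster domain, so on a cluster configured with a non-default cluster domain the second SAN will never match any name a client resolves and only the `.svc` SAN will carry those clients; nothing in the hunk records that assumption. I would lift the literal into a named constant and document it, e.g. `const defaultClusterDomainSuffix = ".cluster.local" // default Kubernetes cluster domain; clusters with a non-default domain only match the shorter .svc SAN` and `serviceEndpoint + defaultClusterDomainSuffix`, or plumb the domain in as configuration next to `serviceNameForGeneratedCertCommonName`. The test hunk in the second file hardcodes the same literal in its `RequireDNSName` call and would follow the same constant. Sync's body continues outside the hunk on both sides.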


@@ -1,4 +1,4 @@
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package apicerts
@@ -225,6 +225,7 @@ func TestManagerControllerSync(t *testing.T) {
// Validate the created cert using the CA, and also validate the cert's hostname
validCert := testutil.ValidateServerCertificate(t, actualCACert, actualCertChain)
validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc")
validCert.RequireDNSName("pinniped-api." + installedInNamespace + ".svc.cluster.local")
validCert.RequireLifetime(time.Now(), time.Now().Add(certDuration), 6*time.Minute)
validCert.RequireMatchesPrivateKey(actualPrivateKey)
})