You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Rust constant DEFAULT_SERVER_SANS in crates/openshell-bootstrap/src/pki.rs:32-42 hardcodes openshell.openshell.svc and openshell.openshell.svc.cluster.local. When the Helm chart passes explicit --server-san args (as in PR #2062), the certgen binary still prepends these hardcoded SANs, resulting in duplicate and incorrect entries in the certificate.
PR #2062 fixes the Helm side (option B from #2060), but the Rust binary should also be namespace-aware so that the hardcoded defaults don't leak into certificates for non-openshell namespaces.
Proposed Design
Read the POD_NAMESPACE environment variable (already available via the downward API in certgen.yaml:91-94) and use it to generate namespace-aware default SANs:
Remove DEFAULT_SERVER_SANS entirely: Would break local openshell gateway generate-certs invocations that don't pass --server-san args (e.g., Docker/Podman installs where there is no Helm).
Condition defaults on --server-san presence only: Skip defaults when any --server-san is passed. Simpler than reading POD_NAMESPACE but loses the fallback for non-Helm installs where namespace matters.
Agent Investigation
Explored crates/openshell-bootstrap/src/pki.rs:32-42 — confirmed the constant is used unconditionally in build_server_sans() at line 134.
Explored crates/openshell-server/src/certgen.rs:91 — the certgen binary receives server_sans from CLI args and passes them to generate_pki(). The POD_NAMESPACE env var is available (set in certgen.yaml:91-94) but not read.
Verified by deploying in openshell-system: the generated cert contains both openshell.openshell.svc.cluster.local (from Rust defaults) and openshell.openshell-system.svc.cluster.local (from Helm --server-san args). Duplicates are harmless but messy.
Problem Statement
The Rust constant
DEFAULT_SERVER_SANSincrates/openshell-bootstrap/src/pki.rs:32-42hardcodesopenshell.openshell.svcandopenshell.openshell.svc.cluster.local. When the Helm chart passes explicit--server-sanargs (as in PR #2062), the certgen binary still prepends these hardcoded SANs, resulting in duplicate and incorrect entries in the certificate.PR #2062 fixes the Helm side (option B from #2060), but the Rust binary should also be namespace-aware so that the hardcoded defaults don't leak into certificates for non-
openshellnamespaces.Proposed Design
Read the
POD_NAMESPACEenvironment variable (already available via the downward API incertgen.yaml:91-94) and use it to generate namespace-aware default SANs:When
--server-sanargs are provided, skip the defaults entirely — the caller (Helm template or user) has full control over the SAN list.Changes required
crates/openshell-bootstrap/src/pki.rs— replace theDEFAULT_SERVER_SANSconstant with a function that readsPOD_NAMESPACEcrates/openshell-server/src/certgen.rs:91— pass the namespace togenerate_pki()when no--server-sanargs are providedDEFAULT_SERVER_SANSAlternatives Considered
Helm-only fix (PR fix(helm): generate namespace-aware SANs in certgen and cert-manager templates #2062, option B from bug: PKI certgen hardcodes namespace "openshell" in server certificate SANs — breaks deployments in other namespaces #2060): Already implemented. Fixes the Helm path but the Rust defaults still produce duplicate SANs in the cert. Works but not clean.
Remove
DEFAULT_SERVER_SANSentirely: Would break localopenshell gateway generate-certsinvocations that don't pass--server-sanargs (e.g., Docker/Podman installs where there is no Helm).Condition defaults on
--server-sanpresence only: Skip defaults when any--server-sanis passed. Simpler than readingPOD_NAMESPACEbut loses the fallback for non-Helm installs where namespace matters.Agent Investigation
crates/openshell-bootstrap/src/pki.rs:32-42— confirmed the constant is used unconditionally inbuild_server_sans()at line 134.crates/openshell-server/src/certgen.rs:91— the certgen binary receivesserver_sansfrom CLI args and passes them togenerate_pki(). ThePOD_NAMESPACEenv var is available (set incertgen.yaml:91-94) but not read.openshell-system: the generated cert contains bothopenshell.openshell.svc.cluster.local(from Rust defaults) andopenshell.openshell-system.svc.cluster.local(from Helm--server-sanargs). Duplicates are harmless but messy.Related