Overwrite agent leaf cert trust domain on the servers

2020-06-30 09:48:42 -04:00 · 2020-06-30 09:48:42 -04:00 · a97f9ff386
parent 5600069d69
commit a97f9ff386
1 changed files with 25 additions and 0 deletions
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/url"
 	"reflect"
 	"strings"
 	"time"
@ -427,6 +428,30 @@ func (s *ConnectCA) Sign(
 			return fmt.Errorf("SPIFFE ID in CSR from a different trust domain: %s, "+
 				"we are %s", serviceID.Host, signingID.Host())
 		}
+	} else {
+		// isAgent - if we support more ID types then this would need to be an else if
+		// here we are just automatically fixing the trust domain. For auto-encrypt and
+		// auto-config they make certificate requests before learning about the roots
+		// so they will have a dummy trust domain in the CSR.
+		trustDomain := signingID.Host()
+		if agentID.Host != trustDomain {
+			originalURI := agentID.URI()
+
+			agentID.Host = trustDomain
+			csr.Subject.CommonName = connect.AgentCN(agentID.Agent, trustDomain)
+
+			// recreate the URIs list
+			uris := make([]*url.URL, len(csr.URIs))
+			for i, uri := range csr.URIs {
+				if originalURI.String() == uri.String() {
+					uris[i] = agentID.URI()
+				} else {
+					uris[i] = uri
+				}
+			}
+
+			csr.URIs = uris
+		}
 	}

 	// Verify that the ACL token provided has permission to act as this service