fix: add check to validate cp node name = token declared node-name#780
Open
ethandcosta wants to merge 1 commit into
Open
fix: add check to validate cp node name = token declared node-name#780ethandcosta wants to merge 1 commit into
ethandcosta wants to merge 1 commit into
Conversation
Signed-off-by: ethandcosta <ethan.dcosta@canonical.com>
8c81ddf to
1728c68
Compare
roosterfish
reviewed
Jul 2, 2026
| return fmt.Errorf("Joining server certificate SAN does not contain join token name") | ||
| } | ||
|
|
||
| if req.Name != record.Name { |
Contributor
There was a problem hiding this comment.
#204 added the ability to account for member name changes after creating the token.
In this PR, this commit added the check you see a few lines above. If the SAN field of the cert provided by the joiner does not contain the name of the join token record, it errors out.
So my question is why do you require this extra check, if the one above should already error out? When the new member creates its server.crt, it uses its own name.
Do you maybe modify the members server.crt prior to performing the join?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Currently, microcluster does not validate that the name of a joining node matches the name attached to the token in joins with. So for example, I can do get-join-token on node x, and use it to join with node y. The docs [doc/clustering.md] says that this behavior should not be the case.
This causes problems for us in k8s-snap, where we need to enforce node name deduplication to prevent data store drifts between microcluster and etcd (canonical/cluster-api-k8s#229) and indeed we are doing this for worker nodes, but we cannot affect this behavior for CP nodes, as their lifecycle is owned by microcluster. This fix should prevent joins where a node uses a token that declares a different node name