Skip to content

fix: add check to validate cp node name = token declared node-name#780

Open
ethandcosta wants to merge 1 commit into
canonical:v4from
ethandcosta:KU-6173/fix-inconsistent-cp-join
Open

fix: add check to validate cp node name = token declared node-name#780
ethandcosta wants to merge 1 commit into
canonical:v4from
ethandcosta:KU-6173/fix-inconsistent-cp-join

Conversation

@ethandcosta

@ethandcosta ethandcosta commented Jul 1, 2026

Copy link
Copy Markdown

Currently, microcluster does not validate that the name of a joining node matches the name attached to the token in joins with. So for example, I can do get-join-token on node x, and use it to join with node y. The docs [doc/clustering.md] says that this behavior should not be the case.

This causes problems for us in k8s-snap, where we need to enforce node name deduplication to prevent data store drifts between microcluster and etcd (canonical/cluster-api-k8s#229) and indeed we are doing this for worker nodes, but we cannot affect this behavior for CP nodes, as their lifecycle is owned by microcluster. This fix should prevent joins where a node uses a token that declares a different node name

Signed-off-by: ethandcosta <ethan.dcosta@canonical.com>
@ethandcosta ethandcosta force-pushed the KU-6173/fix-inconsistent-cp-join branch from 8c81ddf to 1728c68 Compare July 1, 2026 16:55
@ethandcosta ethandcosta changed the title fix: add check to validate cp name = token name fix: add check to validate cp node name = token declared node-name Jul 1, 2026
return fmt.Errorf("Joining server certificate SAN does not contain join token name")
}

if req.Name != record.Name {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#204 added the ability to account for member name changes after creating the token.

In this PR, this commit added the check you see a few lines above. If the SAN field of the cert provided by the joiner does not contain the name of the join token record, it errors out.

So my question is why do you require this extra check, if the one above should already error out? When the new member creates its server.crt, it uses its own name.
Do you maybe modify the members server.crt prior to performing the join?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants