fix: X509 CR SAN IPs properly ignored when bypassing DNS Resolution

issue #253 Signed-off-by: Clément Nussbaumer <clement.nussbaumer@postfinance.ch>
postfinance · May 21, 2024 · 4a53481 · 4a53481
1 parent 4118bc0
commit 4a53481
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/internal/controller/regex_ip_checks.go b/internal/controller/regex_ip_checks.go
@@ -34,6 +34,7 @@ func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr
 
 	var allResolvedAddrs []string
 
+	// regexp checks
 	for _, sanDNSName := range x509cr.DNSNames {
 		hostname := strings.TrimPrefix(csr.Spec.Username, "system:node:")
 
@@ -46,16 +47,21 @@ func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr
 			reason = "The SAN DNS name in the x509 CR is not allowed by the Cloud provider regex"
 			return valid, reason, err
 		}
+	}
 
-		if !r.BypassDNSResolution {
-			resolvedAddrs, err := r.DNSResolver.LookupHost(dnsCtx, sanDNSName)
+	if r.BypassDNSResolution { // early exit when DNS resolution checks are bypassed
+		return true, reason, nil
+	}
 
-			if err != nil || len(resolvedAddrs) == 0 {
-				return false, "The SAN DNS Name could not be resolved, denying the CSR", nil
-			}
+	// DNS resolution checks
+	for _, sanDNSName := range x509cr.DNSNames {
+		resolvedAddrs, err := r.DNSResolver.LookupHost(dnsCtx, sanDNSName)
 
-			allResolvedAddrs = append(allResolvedAddrs, resolvedAddrs...)
+		if err != nil || len(resolvedAddrs) == 0 {
+			return false, "The SAN DNS Name could not be resolved, denying the CSR", nil
 		}
+
+		allResolvedAddrs = append(allResolvedAddrs, resolvedAddrs...)
 	}
 
 	var setBuilder netipx.IPSetBuilder