Skip to content

Specify SAN validation precedence over Hostname validation #4039

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 2, 2025
Merged

Specify SAN validation precedence over Hostname validation #4039

merged 1 commit into from
Sep 2, 2025
+15 −3

Conversation

kl52752
Copy link
Contributor

@kl52752 kl52752 commented Aug 27, 2025

What type of PR is this?

/kind documentation

What this PR does / why we need it:
Documentation for BackendTLSPolicy is not complete regarding SAN validation.
Which issue(s) this PR fixes:

Relates to #3979

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/documentation Categorizes issue or PR as related to documentation. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 27, 2025
@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/gep PRs related to Gateway Enhancement Proposal(GEP) size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Aug 27, 2025
@kl52752
Copy link
Contributor Author

kl52752 commented Aug 27, 2025

/assign @candita @robscott @shaneutt

@kl52752 kl52752 mentioned this pull request Aug 27, 2025
Merged
@candita
Copy link
Contributor

candita commented Aug 27, 2025

/approve
/lgtm
/hold cancel

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Aug 27, 2025
robscott
robscott reviewed Aug 27, 2025
View reviewed changes
apis/v1alpha3/backendtlspolicy_types.go Outdated
Comment on lines 189 to 191
// 3. If SubjectAltNames are specified, Hostname MUST NOT be used for authentication,
// even if this would cause a failure in the case that the SubjectAltNames do not match.
// If you want to use Hostname for authentication, you must add Hostname to the SubjectAltNames list.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The wording here is tricky to get right. Trying to make the distinction between "hostname" as a concept, and as a field.

Suggested change
// 3. If SubjectAltNames are specified, Hostname MUST NOT be used for authentication,
// even if this would cause a failure in the case that the SubjectAltNames do not match.
// If you want to use Hostname for authentication, you must add Hostname to the SubjectAltNames list.
// 3. If SubjectAltNames are specified, only the values in that list will be used for authentication. The
// value of the Hostname field MUST NOT be used for authentication. If you want to use the value
// of the Hostname field for authentication, you MUST add it to the SubjectAltNames list.

@youngnick might have a better suggestion here.

Copy link
Contributor

@youngnick youngnick Aug 28, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the trick is to put the field Hostname in backticks, and use the capitalized form, and use "hostname" for the concept.

How about this:

Suggested change
// 3. If SubjectAltNames are specified, Hostname MUST NOT be used for authentication,
// even if this would cause a failure in the case that the SubjectAltNames do not match.
// If you want to use Hostname for authentication, you must add Hostname to the SubjectAltNames list.
// 3. If SubjectAltNames are specified, `Hostname` MUST NOT be used for authentication, and the list of hostnames
// included in SubjectAltNames MUST be used instead.
// Generally, users SHOULD include the value of `Hostname` in their SubjectAltNames list unless they have a good reason not to.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that's great, thanks @youngnick!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I rephrased it and used wording from GEP-3155

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@youngnick @robscott PTAL

@youngnick
Copy link
Contributor

I added a suggestion here, but it's a small optimization, I think that either option is fine, and this change LGTM.

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Aug 28, 2025
@shaneutt shaneutt moved this to Review in Release v1.4.0 Aug 28, 2025
@shaneutt shaneutt added this to the v1.4.0 milestone Aug 28, 2025
@robscott
Copy link
Member

Thanks @kl52752!

/lgtm
/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 28, 2025
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 28, 2025
@youngnick
Copy link
Contributor

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: candita, kl52752, youngnick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 2, 2025
@k8s-ci-robot k8s-ci-robot merged commit 4a150bf into kubernetes-sigs:main Sep 2, 2025
19 checks passed
@github-project-automation github-project-automation bot moved this from Review to Done in Release v1.4.0 Sep 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kflynn kflynn Awaiting requested review from kflynn

@shaneutt shaneutt Awaiting requested review from shaneutt

@youngnick youngnick Awaiting requested review from youngnick

@robscott robscott Awaiting requested review from robscott

Assignees

@robscott robscott

@candita candita

@shaneutt shaneutt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/documentation Categorizes issue or PR as related to documentation. kind/gep PRs related to Gateway Enhancement Proposal(GEP) lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
Release v1.4.0
Status: Done
Milestone
v1.4.0
Development

Successfully merging this pull request may close these issues.
6 participants
@kl52752 @candita @youngnick @robscott @k8s-ci-robot @shaneutt