Skip to content

fix(certgen): use POD_NAMESPACE for default server SANs instead of hardcoded namespace #2096

Description

@akram

Problem Statement

The Rust constant DEFAULT_SERVER_SANS in crates/openshell-bootstrap/src/pki.rs:32-42 hardcodes openshell.openshell.svc and openshell.openshell.svc.cluster.local. When the Helm chart passes explicit --server-san args (as in PR #2062), the certgen binary still prepends these hardcoded SANs, resulting in duplicate and incorrect entries in the certificate.

PR #2062 fixes the Helm side (option B from #2060), but the Rust binary should also be namespace-aware so that the hardcoded defaults don't leak into certificates for non-openshell namespaces.

Proposed Design

Read the POD_NAMESPACE environment variable (already available via the downward API in certgen.yaml:91-94) and use it to generate namespace-aware default SANs:

fn default_server_sans(namespace: &str) -> Vec<String> {
    let name = "openshell";
    vec![
        name.to_string(),
        format!("{name}.{namespace}.svc"),
        format!("{name}.{namespace}.svc.cluster.local"),
        "localhost".to_string(),
        format!("{name}.localhost"),
        format!("*.{name}.localhost"),
        "host.docker.internal".to_string(),
        "host.containers.internal".to_string(),
    ]
}

When --server-san args are provided, skip the defaults entirely — the caller (Helm template or user) has full control over the SAN list.

Changes required

  • crates/openshell-bootstrap/src/pki.rs — replace the DEFAULT_SERVER_SANS constant with a function that reads POD_NAMESPACE
  • crates/openshell-server/src/certgen.rs:91 — pass the namespace to generate_pki() when no --server-san args are provided
  • Update tests that reference DEFAULT_SERVER_SANS

Alternatives Considered

  1. Helm-only fix (PR fix(helm): generate namespace-aware SANs in certgen and cert-manager templates #2062, option B from bug: PKI certgen hardcodes namespace "openshell" in server certificate SANs — breaks deployments in other namespaces #2060): Already implemented. Fixes the Helm path but the Rust defaults still produce duplicate SANs in the cert. Works but not clean.

  2. Remove DEFAULT_SERVER_SANS entirely: Would break local openshell gateway generate-certs invocations that don't pass --server-san args (e.g., Docker/Podman installs where there is no Helm).

  3. Condition defaults on --server-san presence only: Skip defaults when any --server-san is passed. Simpler than reading POD_NAMESPACE but loses the fallback for non-Helm installs where namespace matters.

Agent Investigation

  • Explored crates/openshell-bootstrap/src/pki.rs:32-42 — confirmed the constant is used unconditionally in build_server_sans() at line 134.
  • Explored crates/openshell-server/src/certgen.rs:91 — the certgen binary receives server_sans from CLI args and passes them to generate_pki(). The POD_NAMESPACE env var is available (set in certgen.yaml:91-94) but not read.
  • Verified by deploying in openshell-system: the generated cert contains both openshell.openshell.svc.cluster.local (from Rust defaults) and openshell.openshell-system.svc.cluster.local (from Helm --server-san args). Duplicates are harmless but messy.

Related


  • I've reviewed existing issues and the architecture docs
  • This is a design proposal, not a "please build this" request

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:clusterRelated to running OpenShell on k3s/dockerarea:gatewayGateway server and control-plane workstate:agent-readyApproved for agent implementationstate:pr-openedPR has been opened for this issue

    Fields

    No fields configured for Enhancement.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions