restore subject common name prefix check, fix Printf call (#2)

digitalocean · Sep 10, 2019 · 37e1c11 · 37e1c11
1 parent 59d8c78
commit 37e1c11
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/pkg/controller/certificatesigningrequest/helpers.go b/pkg/controller/certificatesigningrequest/helpers.go
@@ -79,8 +79,12 @@ func isNodeServingCert(csr *capi.CertificateSigningRequest, x509cr *x509.Certifi
 		log.Println("Usage does not match")
 		return false
 	}
+	if !strings.HasPrefix(x509cr.Subject.CommonName, "system:node:") {
+		log.Printf("CN does not start with 'system:node': %s\n", x509cr.Subject.CommonName)
+		return false
+	}
 	if csr.Spec.Username != x509cr.Subject.CommonName {
-		log.Println("x509 CN %q doesn't match CSR username %q", x509cr.Subject.CommonName, csr.Spec.Username)
+		log.Printf("x509 CN %q doesn't match CSR username %q", x509cr.Subject.CommonName, csr.Spec.Username)
 		return false
 	}
 	return true