From 57d3317df8a636734f4e82627c25cdd43ad55eeb Mon Sep 17 00:00:00 2001
From: Francesco Pantano
Date: Wed, 29 May 2024 11:38:09 +0200
Subject: [PATCH] Additional SubjectName in the CertificateRequest

This patch adds a way to check the appropriate annotation within a SVC and look for additional SNs that should be added to the CertificateRequest. Glance needs this mechanism because for each SVC (public, internal), we have an associated headless service, and it is used to resolve each replica Pod worker_self_reference_url. This allows to proxy Pod2Pod requests via HTTPS.

Signed-off-by: Francesco Pantano
---
 pkg/openstack/common.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pkg/openstack/common.go b/pkg/openstack/common.go
index cc6f49a1d..3a0ca4839 100644
--- a/pkg/openstack/common.go
+++ b/pkg/openstack/common.go
@@ -298,6 +298,11 @@ func EnsureEndpointConfig(
 			Labels: util.MergeMaps(ed.Labels, map[string]string{serviceCertSelector: ""}),
 			Usages: nil,
 		}
+
+		addSubjNames := util.GetStringListFromMap(svc.Annotations, tls.AdditionalSubjectNamesKey)
+		if len(addSubjNames) > 0 {
+			certRequest.Hostnames = append(certRequest.Hostnames, addSubjNames...)
+		}
 		if instance.Spec.TLS.Ingress.Cert.Duration != nil {
 			certRequest.Duration = &instance.Spec.TLS.Ingress.Cert.Duration.Duration
 		}
@@ -343,6 +348,11 @@ func EnsureEndpointConfig(
 			Labels: util.MergeMaps(ed.Labels, map[string]string{serviceCertSelector: ""}),
 			Usages: nil,
 		}
+
+		addSubjNames := util.GetStringListFromMap(svc.Annotations, tls.AdditionalSubjectNamesKey)
+		if len(addSubjNames) > 0 {
+			certRequest.Hostnames = append(certRequest.Hostnames, addSubjNames...)
+		}
 		if instance.Spec.TLS.PodLevel.Internal.Cert.Duration != nil {
 			certRequest.Duration = &instance.Spec.TLS.PodLevel.Internal.Cert.Duration.Duration
 		}
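Review bot: The annotation values read by `util.GetStringListFromMap(svc.Annotations, tls.AdditionalSubjectNamesKey)` go straight into `certRequest.Hostnames` with no validation, in both the ingress hunk (@@ -298) and the pod-level internal hunk (@@ -343), so any principal able to edit that Service's annotations can have the operator request a certificate for arbitrary names; at minimum each entry should be checked to be a syntactically valid DNS name (and, if the intended use is the headless service, to match the expected in-cluster suffix) with a logged error for rejected entries, and presumably deduplicated against the names already in `certRequest.Hostnames` — confirm whether the downstream issuer tolerates duplicate SANs. The `if len(addSubjNames) > 0` guard is also redundant, since appending an empty variadic is a no-op, so once validation is in place the block can collapse to `certRequest.Hostnames = append(certRequest.Hostnames, validated...)`. A short comment above the call, e.g. `// Extra SANs requested via the service annotation (used for the headless service behind each endpoint).`, would make the annotation's purpose discoverable in this function. The enclosing `EnsureEndpointConfig` starts and ends outside both hunks.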