From ac74493123ffa1ed89585b8f3a4be9e5ed6bfd08 Mon Sep 17 00:00:00 2001
From: Jonas Juselius <jonas.juselius@gmail.com>
Date: Sat, 22 Jun 2024 08:35:23 +0200
Subject: [PATCH] fix: Skip host checks for certs with invalid DNS names

Kubernetes system certs have a CN which is not a vaild DNS name (e.g. system:kube-proxy). The hostname check always fails for kubernetes system certs, causing them to be regenerated every 30m, causing trouble.
---
 cert/verification.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cert/verification.go b/cert/verification.go
index 39f255c4..67560a3c 100644
--- a/cert/verification.go
+++ b/cert/verification.go
@@ -10,6 +10,10 @@ import (
 
 // CertificateMatchesHostname checks if the Certificates hosts are the same as the given hosts
 func CertificateMatchesHostname(hosts []string, cert *x509.Certificate) bool {
+	// skip checks for kubernetes system certs with invalid DNS names (i.e. CN=system:kube-proxy)
+        if len(hosts) == 1 && len(cert.DNSNames)+len(cert.IPAddresses) == 0 { 
+		return true 
+	}
 	a := make([]string, len(hosts))
 	for idx := range hosts {
 		// normalize the IPs.