feat: bypass hostname check

relates to #76
[skip ci]

Author: clementnuss

internal/controller/csr_controller.go

@@ -56,6 +56,7 @@ type Config struct {
 	BypassDNSResolution    bool
 	IgnoreNonSystemNodeCsr bool
 	AllowedDNSNames        int
+	BypassHostnameCheck    bool
 }
 
 // CertificateSigningRequestReconciler reconciles a CertificateSigningRequest object
@@ -73,7 +74,7 @@ type CertificateSigningRequestReconciler struct {
 // Reconcile will perform a series of checks before deciding whether the CSR should be approved or denied
 // cyclomatic complexity is high (over 15), but this improves
 // readibility for the programmer, therefore we ignore the linting error
-//nolint: gocyclo
+// nolint: gocyclo
 func (r *CertificateSigningRequestReconciler) Reconcile(ctx context.Context, req ctrl.Request) (res ctrl.Result, returnErr error) {
 	l := log.FromContext(ctx)
 

internal/controller/regex_ip_checks.go

@@ -15,6 +15,7 @@ import (
 // DNSCheck is a function checking that the DNS name:
 // complies with the provider-specific regex
 // is resolvable (this check can be opted out with a parameter)
+// nolint: gocyclo
 func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr *certificatesv1.CertificateSigningRequest, x509cr *x509.CertificateRequest) (valid bool, reason string, err error) {
 	if valid = (len(x509cr.DNSNames) <= r.AllowedDNSNames); !valid {
 		reason = "The x509 Cert Request contains more DNS names than allowed through the config flag"
@@ -41,7 +42,7 @@ func (r *CertificateSigningRequestReconciler) DNSCheck(ctx context.Context, csr
 	for _, sanDNSName := range x509cr.DNSNames {
 		hostname := strings.TrimPrefix(csr.Spec.Username, "system:node:")
 
-		if valid = strings.HasPrefix(sanDNSName, hostname); !valid {
+		if valid = strings.HasPrefix(sanDNSName, hostname); !valid && !r.BypassHostnameCheck {
 			reason = "The SAN DNS Name in the x509 CSR is not prefixed by the node name (hostname)"
 			return
 		}