Jira (PUP-8965) Change dns-alt-names option to subject-alt-names


Maggie Dreyer (JIRA)

Jun 26, 2018, 5:00:02 PM
to puppe...@googlegroups.com
Maggie Dreyer created an issue
 
Puppet / Improvement PUP-8965
Change dns-alt-names option to subject-alt-names
Issue Type: Improvement
Assignee: Unassigned
Created: 2018/06/26 1:59 PM
Priority: Normal
Reporter: Maggie Dreyer

As part of adding support for IP subject alt names when generating certificates, we investigated changing the name of the option that controls this to subject-alt-names instead of the current dns-alt-names, since we no longer support only DNS. This proved to be rather complicated due to the following:

  • The flag is not confined to the cert command, but also exists as a setting and as an option on some of the certificate-related faces.
  • Since faces are not allowed to have options with the same name as existing settings, the face versions of the flag have dash separators, while the setting has underscores, and there is complicated logic to handle this conflict correctly. (See https://github.com/puppetlabs/puppet/blob/master/lib/puppet/face/certificate.rb#L64-L74)
  • There is the related --allow-dns-alt-names flag, which is somewhat simpler because it doesn't have a corresponding setting, but still needs to be updated in a similar way.

The face issue is the most tangled, and could be dealt with by:
1) removing the dns_alt_names setting and adding a flag explicitly for all the subcommands that need it. This would require deprecation in the 5.x series, and we'd need to make sure that there aren't important workflows that rely on the setting that can't be replaced with the flag.
2) removing the certificate-related faces with the conflict in favor of a more robust agent-side CLI that can use the setting the way the cert command can. This is something we were hoping to do for Puppet 6 anyway, but may run out of time to do.

For the time being, the IP subject alt names are supported, just under the dns-alt-names setting/flag. This is misleading and should be fixed once we have come to a decision on the above.

 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Garrett Guillotte (JIRA)

Jun 27, 2018, 4:20:03 PM
to puppe...@googlegroups.com

Maggie Dreyer (JIRA)

Sep 26, 2019, 11:47:04 AM
to puppe...@googlegroups.com
Maggie Dreyer commented on Improvement PUP-8965
 
Re: Change dns-alt-names option to subject-alt-names

We removed puppet cert and the certificate-related faces in Puppet 6. We should look into this, maybe if/when we ever decide to proceed on SERVER-2222.
