Merge pull request #54234 from hyperbolic2346/san

Automatic merge from submit-queue (batch tested with PRs 54113, 54234). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Adding config option to add additional SANs to the master's certificate. Regenerate certificate if data on certificate changes. This includes IP address and SANs. Restart API server after updating certificate. **What this PR does / why we need it**: This allows users to add addition SAN entries to the certificate generated. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/426 **Special notes for your reviewer**: **Release note**: ```release-note Added support for SAN entries in the master node certificate via juju kubernetes-master config. ```
2025-07-29 06:27:05 +00:00 · 2017-10-20 09:44:03 -07:00 · 2017-10-20 09:44:03 -07:00 · 5ea86fc7cb
commit 5ea86fc7cb
parent d7eebdfdbe 16036c3fd4
2 changed files with 33 additions and 1 deletions
--- a/cluster/juju/layers/kubernetes-master/config.yaml
+++ b/cluster/juju/layers/kubernetes-master/config.yaml
@ -7,6 +7,12 @@ options:
    type: string
    default: cluster.local
    description: The local domain for cluster dns
+  extra_sans:
+    type: string
+    default: ""
+    description: |
+      Space-separated list of extra SAN entries to add to the x509 certificate
+      created for the master nodes.
  service-cidr:
    type: string
    default: 10.152.183.0/24
--- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
+++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
@ -356,7 +356,7 @@ def start_master(etcd):
                       'Configuring the Kubernetes master services.')
    freeze_service_cidr()
    if not etcd.get_connection_string():
-        # etcd is not returning a connection string. This hapens when
+        # etcd is not returning a connection string. This happens when
        # the master unit disconnects from etcd and is ready to terminate.
        # No point in trying to start master services and fail. Just return.
        return
@ -457,12 +457,38 @@ def send_data(tls):
        'kubernetes.default.svc',
        'kubernetes.default.svc.{0}'.format(domain)
    ]
+
+    # maybe they have extra names they want as SANs
+    extra_sans = hookenv.config('extra_sans')
+    if extra_sans and not extra_sans == "":
+        sans.extend(extra_sans.split())
+
    # Create a path safe name by removing path characters from the unit name.
    certificate_name = hookenv.local_unit().replace('/', '_')
    # Request a server cert with this information.
    tls.request_server_cert(common_name, sans, certificate_name)


+@when('config.changed.extra_sans', 'certificates.available')
+def update_certificate(tls):
+    # I using the config.changed flag instead of something more
+    # specific to try and catch ip changes. Being a little
+    # spammy here is ok because the cert layer checks for
+    # changes to the cert before issuing a new one
+    send_data(tls)
+
+
+@when('certificates.server.cert.available',
+      'kubernetes-master.components.started')
+def kick_api_server(tls):
+    # need to be idempotent and don't want to kick the api server
+    # without need
+    if data_changed('cert', tls.get_server_cert()):
+        # certificate changed, so restart the api server
+        hookenv.log("Certificate information changed, restarting api server")
+        set_state('kube-apiserver.do-restart')
+
+
@when('kubernetes-master.components.started')
 def configure_cdk_addons():
    ''' Configure CDK addons '''