Adding config option to add additional SANs to the master's certificate.

Regenerate certificate if data on certificate changes. This includes IP address and SANs. Restart API server after updating certificate.
2025-08-02 00:07:50 +00:00 · 2017-10-11 17:20:48 -04:00 · 2017-10-11 17:20:48 -04:00 · 73e8af34af
commit 73e8af34af
parent 194f3983f0
2 changed files with 33 additions and 1 deletions
--- a/cluster/juju/layers/kubernetes-master/config.yaml
+++ b/cluster/juju/layers/kubernetes-master/config.yaml
@ -7,6 +7,12 @@ options:
    type: string
    default: cluster.local
    description: The local domain for cluster dns
+  extra_sans:
+    type: string
+    default: ""
+    description: |
+      Space-separated list of extra SAN entries to add to the x509 certificate
+      created for the master nodes.
  service-cidr:
    type: string
    default: 10.152.183.0/24
--- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
+++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
@ -356,7 +356,7 @@ def start_master(etcd):
                       'Configuring the Kubernetes master services.')
    freeze_service_cidr()
    if not etcd.get_connection_string():
-        # etcd is not returning a connection string. This hapens when
+        # etcd is not returning a connection string. This happens when
        # the master unit disconnects from etcd and is ready to terminate.
        # No point in trying to start master services and fail. Just return.
        return
@ -457,12 +457,38 @@ def send_data(tls):
        'kubernetes.default.svc',
        'kubernetes.default.svc.{0}'.format(domain)
    ]
+
+    # maybe they have extra names they want as SANs
+    extra_sans = hookenv.config('extra_sans')
+    if extra_sans and not extra_sans == "":
+      sans.extend(extra_sans.split())
+
    # Create a path safe name by removing path characters from the unit name.
    certificate_name = hookenv.local_unit().replace('/', '_')
    # Request a server cert with this information.
    tls.request_server_cert(common_name, sans, certificate_name)


+@when('config.changed', 'certificates.available')
+def update_certificate(tls):
+    # I using the config.changed flag instead of something more
+    # specific to try and catch ip changes. Being a little
+    # spammy here is ok because the cert layer checks for
+    # changes to the cert before issuing a new one
+    send_data(tls)
+
+
+@when('certificates.server.cert.available',
+      'kubernetes-master.components.started')
+def kick_api_server(tls):
+    # need to be idempotent and don't want to kick the api server
+    # without need
+    if data_changed('cert', tls.get_server_cert()):
+        # certificate changed, so restart the api server
+        hookenv.log("Certificate information changed, restarting api server")
+        set_state('kube-apiserver.do-restart')
+
+
@when('kubernetes-master.components.started')
 def configure_cdk_addons():
    ''' Configure CDK addons '''