Add Subject Alt Names to self signed apiserver certs
A cert from GCE shows: - IP Address:23.236.49.122 - IP Address:10.0.0.1 - DNS:kubernetes - DNS:kubernetes.default - DNS:kubernetes.default.svc - DNS:kubernetes.default.svc.cluster.local - DNS:e2e-test-zml-master A similarly configured self signed cert shows: - IP Address:23.236.49.122 - IP Address:10.0.0.1 - DNS:kubernetes - DNS:kubernetes.default - DNS:kubernetes.default.svc So we are missing the FQDN kubernetes.default.svc.cluster.local. The apiserver does not even know the FQDN; it is defined entirely by the kubelet. We also do not have the cluster name in the certificate. This may be the --cluster-name= argument to the apiserver, but it will take a bit more research.
@@ -147,6 +147,9 @@ type Config struct {
|
||||
// The range of IPs to be assigned to services with type=ClusterIP or greater
|
||||
ServiceClusterIPRange *net.IPNet
|
||||
|
||||
// The IP address for the master service (must be inside ServiceClusterIPRange
|
||||
ServiceReadWriteIP net.IP
|
||||
|
||||
// The range of ports to be assigned to services with type=NodePort or greater
|
||||
ServiceNodePortRange util.PortRange
|
||||
|
||||
@@ -245,6 +248,15 @@ func setDefaults(c *Config) {
|
||||
}
|
||||
c.ServiceClusterIPRange = serviceClusterIPRange
|
||||
}
|
||||
if c.ServiceReadWriteIP == nil {
|
||||
// Select the first valid IP from ServiceClusterIPRange to use as the master service IP.
|
||||
serviceReadWriteIP, err := ipallocator.GetIndexedIP(c.ServiceClusterIPRange, 1)
|
||||
if err != nil {
|
||||
glog.Fatalf("Failed to generate service read-write IP for master service: %v", err)
|
||||
}
|
||||
glog.V(4).Infof("Setting master service IP to %q (read-write).", serviceReadWriteIP)
|
||||
c.ServiceReadWriteIP = serviceReadWriteIP
|
||||
}
|
||||
if c.ServiceNodePortRange.Size == 0 {
|
||||
// TODO: Currently no way to specify an empty range (do we need to allow this?)
|
||||
// We should probably allow this for clouds that don't require NodePort to do load-balancing (GCE)
|
||||
@@ -311,13 +323,6 @@ func New(c *Config) *Master {
|
||||
glog.Fatalf("master.New() called with config.KubeletClient == nil")
|
||||
}
|
||||
|
||||
// Select the first valid IP from serviceClusterIPRange to use as the master service IP.
|
||||
serviceReadWriteIP, err := ipallocator.GetIndexedIP(c.ServiceClusterIPRange, 1)
|
||||
if err != nil {
|
||||
glog.Fatalf("Failed to generate service read-write IP for master service: %v", err)
|
||||
}
|
||||
glog.V(4).Infof("Setting master service IP to %q (read-write).", serviceReadWriteIP)
|
||||
|
||||
m := &Master{
|
||||
serviceClusterIPRange: c.ServiceClusterIPRange,
|
||||
serviceNodePortRange: c.ServiceNodePortRange,
|
||||
@@ -343,7 +348,7 @@ func New(c *Config) *Master {
|
||||
externalHost: c.ExternalHost,
|
||||
clusterIP: c.PublicAddress,
|
||||
publicReadWritePort: c.ReadWritePort,
|
||||
serviceReadWriteIP: serviceReadWriteIP,
|
||||
serviceReadWriteIP: c.ServiceReadWriteIP,
|
||||
// TODO: serviceReadWritePort should be passed in as an argument, it may not always be 443
|
||||
serviceReadWritePort: 443,
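Review bot: setDefaults only derives ServiceReadWriteIP when it is nil, so a caller-supplied address that lies outside ServiceClusterIPRange is accepted silently, even though the new Config comment says it must be inside the range and, per the commit title, this address is expected to become a SAN in the self-signed apiserver cert (the cert code itself is not in these hunks). Add a range check after the defaulting branch, at a point where ServiceClusterIPRange has already been defaulted, e.g. `if !c.ServiceClusterIPRange.Contains(c.ServiceReadWriteIP) { glog.Fatalf("ServiceReadWriteIP %q is not in ServiceClusterIPRange %q", c.ServiceReadWriteIP, c.ServiceClusterIPRange) }`, matching how the rest of setDefaults treats bad config as fatal. The comment on the new Config field is also missing its closing parenthesis: `// The IP address for the master service (must be inside ServiceClusterIPRange).` setDefaults begins before and continues after the hunk.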
|
||||
|
||||
|