github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-14 05:36:12 +00:00
Code Issues Projects Releases Wiki Activity

Add Subject Alt Names to self signed apiserver certs

Browse Source 
A cert from GCE shows:
- IP Address:23.236.49.122
- IP Address:10.0.0.1
- DNS:kubernetes,
- DNS:kubernetes.default
- DNS:kubernetes.default.svc
- DNS:kubernetes.default.svc.cluster.local
- DNS:e2e-test-zml-master

A similarly configured self signed cert shows:
- IP Address:23.236.49.122
- IP Address:10.0.0.1
- DNS:kubernetes
- DNS:kubernetes.default
- DNS:kubernetes.default.svc

So we are missing the fqdn kubernetes.default.svc.cluster.local. The
apiserver does not even know the fqdn! it's defined entirely by the
kubelet! We also do not have the cluster name certificate. This may be
--cluster-name= argument to the apiserver but will take a bit more
research.
This commit is contained in:
Eric Paris
2015-07-01 16:57:48 -04:00
parent 4f9cfc84c4
commit 7a29af4d2c
4 changed files with 25 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
pkg/util/crypto.go
View File

@@ -38,7 +38,7 @@ import (
// The certificate will be created with file mode 0644. The key will be created with file mode 0600.
// If the certificate or key files already exist, they will be overwritten.
// Any parent directories of the certPath or keyPath will be created as needed with file mode 0755.
func GenerateSelfSignedCert(host, certPath, keyPath string) error {
func GenerateSelfSignedCert(host, certPath, keyPath string, ServiceReadWriteIP net.IP) error {
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return err
@@ -63,6 +63,15 @@ func GenerateSelfSignedCert(host, certPath, keyPath string) error {
template.DNSNames = append(template.DNSNames, host)
}
if ServiceReadWriteIP != nil {
template.IPAddresses = append(template.IPAddresses, ServiceReadWriteIP)
}
// It would be nice to have the next line, but only the kubelets know the fqdn, the apiserver is clueless
// template.DNSNames = append(template.DNSNames, "kubernetes.default.svc.CLUSTER.DNS.NAME")
template.DNSNames = append(template.DNSNames, "kubernetes.default.svc")
template.DNSNames = append(template.DNSNames, "kubernetes.default")
template.DNSNames = append(template.DNSNames, "kubernetes")
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
if err != nil {
return err