Merge pull request #54947 from hyperbolic2346/lb

Automatic merge from submit-queue (batch tested with PRs 54875, 54813, 54595, 54947, 54766). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

extra_sans option added to load balancer

Also cleaned up the kubernetes-master charm to use the new method of determining whether a certificate has changed.


**What this PR does / why we need it**:
Adds an option for the load balancer charm to add extra SAN entries to the generated certificate used by nginx.
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
Added extra_sans config option to kubeapi-load-balancer charm. This allows the user to specify extra SAN entries on the certificate generated for the load balancer.
```
This commit is contained in:
Kubernetes Submit Queue 2017-11-01 18:45:35 -07:00 committed by GitHub
commit fcdbd060ed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 41 additions and 5 deletions


@ -3,3 +3,9 @@ options:
type: int
default: 443
description: The port to run the loadbalancer
extra_sans:
type: string
default: ""
description: |
Space-separated list of extra SAN entries to add to the x509 certificate
created for the load balancers.
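Review bot: The extra_sans description does not tell the operator what an entry looks like or that entries are passed through to the certificate request as-is; the reactive code shown elsewhere in this PR only whitespace-splits the string before adding it to the SAN list. A sentence such as `Each entry is used verbatim as a DNS or IP SAN and is not validated by the charm; the CA decides whether it will sign it.` would set expectations and make clear that a typo or an unowned name ends up on the issued certificate. Since the signing side is not visible in this diff, whether the CA applies any checks is an assumption the description should not make.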


@ -22,9 +22,12 @@ from charms import layer
from charms.reactive import when, when_any, when_not
from charms.reactive import set_state, remove_state
from charmhelpers.core import hookenv
from charmhelpers.core import host
from charmhelpers.contrib.charmsupport import nrpe
from charms.reactive.helpers import data_changed
from charms.layer import nginx
from charms.layer import tls_client
from subprocess import Popen
from subprocess import PIPE
@ -44,12 +47,36 @@ def request_server_certificates(tls):
hookenv.unit_private_ip(),
socket.gethostname(),
]
# maybe they have extra names they want as SANs
extra_sans = hookenv.config('extra_sans')
if extra_sans and not extra_sans == "":
sans.extend(extra_sans.split())
# Create a path safe name by removing path characters from the unit name.
certificate_name = hookenv.local_unit().replace('/', '_')
# Request a server cert with this information.
tls.request_server_cert(common_name, sans, certificate_name)
@when('config.changed.extra_sans', 'certificates.available')
def update_certificate(tls):
# Using the config.changed.extra_sans flag to catch changes.
# IP changes will take ~5 minutes or so to propagate, but
# it will update.
request_server_certificates(tls)
@when('certificates.server.cert.available',
'nginx.available', 'tls_client.server.certificate.written')
def kick_nginx(tls):
# we are just going to sighup it, but still want to avoid kicking it
# without need
if data_changed('cert', tls.get_server_cert()):
# certificate changed, so sighup nginx
hookenv.log("Certificate information changed, sending SIGHUP to nginx")
host.service_restart('nginx')
tls_client.reset_certificate_write_flag('server')
@when('config.changed.port')
def close_old_port():
config = hookenv.config()
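Review bot: kick_nginx announces a SIGHUP (the comment above `data_changed` and the log text "sending SIGHUP to nginx") but then calls `host.service_restart('nginx')`, which stops and starts the service and drops every in-flight connection to the API servers each time the certificate changes; if a graceful reload is the intent, `host.service_reload('nginx')` matches the comment, otherwise the comment and log message should say restart so the operator knows what to expect. In request_server_certificates, `if extra_sans and not extra_sans == "":` reduces to `if extra_sans:`, since an empty string is already falsy. The values from `hookenv.config('extra_sans')` are appended to the SAN list verbatim after `split()`, so whether each entry is a well-formed DNS name or IP address is left entirely to the signing CA; a comment stating that, or a format check before `sans.extend(...)`, would make the trust boundary explicit. request_server_certificates begins before this hunk, so its `common_name` and the start of `sans` are not visible here.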


@ -45,6 +45,8 @@ from charms.kubernetes.common import get_version
from charms.kubernetes.common import retry
from charms.kubernetes.flagmanager import FlagManager
from charms.layer import tls_client
from charmhelpers.core import hookenv
from charmhelpers.core import host
from charmhelpers.core import unitdata
@ -552,15 +554,15 @@ def send_data(tls):
@when('config.changed.extra_sans', 'certificates.available')
def update_certificate(tls):
# I using the config.changed flag instead of something more
# specific to try and catch ip changes. Being a little
# spammy here is ok because the cert layer checks for
# changes to the cert before issuing a new one
# Using the config.changed.extra_sans flag to catch changes.
# IP changes will take ~5 minutes or so to propagate, but
# it will update.
send_data(tls)
@when('certificates.server.cert.available',
'kubernetes-master.components.started')
'kubernetes-master.components.started',
'tls_client.server.certificate.written')
def kick_api_server(tls):
# need to be idempotent and don't want to kick the api server
# without need
@ -568,6 +570,7 @@ def kick_api_server(tls):
# certificate changed, so restart the api server
hookenv.log("Certificate information changed, restarting api server")
set_state('kube-apiserver.do-restart')
tls_client.reset_certificate_write_flag('server')
@when('kubernetes-master.components.started')
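Review bot: The new comment in update_certificate says IP changes will still propagate in roughly five minutes, but the handler's only triggers are `config.changed.extra_sans` and `certificates.available`, and neither of those is shown to fire on an address change; if another handler covers that case, name it, e.g. `# IP changes are picked up by the update-status path, not by this handler`, otherwise the claim is misleading to the next maintainer. In kick_api_server the added `tls_client.reset_certificate_write_flag('server')` should run whether or not `data_changed` reported a change, so that `tls_client.server.certificate.written` is cleared even when the certificate is unchanged; the rendered page loses indentation, so please confirm the call sits after the `if` rather than inside it. The `if` guarding `set_state('kube-apiserver.do-restart')` and the rest of kick_api_server's body start outside this hunk.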