
Add Kubernetes API Service IP to x509 certificates

By default, the API service with service account is accessible from inside
the cluster at the address 10.254.0.1. This IP should be added to the SANs
when generating the certs.

Fixes-bug: #1660811
Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39
ArchiFleKs 2 years ago
parent
commit
288bb34fe3

+ 4
- 0
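--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -46,6 +46,10 @@ if [[ -n "${MASTER_HOSTNAME}" ]]; then
 fi
 sans="${sans},IP:127.0.0.1"
 
+KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
+
+sans="${sans},IP:${KUBE_SERVICE_IP}"
+
 cert_dir=/srv/kubernetes
 cert_conf_dir=${cert_dir}/conf
 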
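Review bot: The added `KUBE_SERVICE_IP=` line builds a SAN from `$PORTAL_NETWORK_CIDR` without quoting or validating it, so an empty or unset value makes awk print `...1` and `sans` gains a malformed `IP:...1` entry that only surfaces later, when the certificate request is built. The `$4 + 1` step also assumes an IPv4 CIDR written with its network address; a constructed value such as `10.254.0.5/16` would yield a SAN that presumably does not match the address the API service actually gets, and in-cluster clients verifying the certificate would then fail. I would quote the expansion as `echo "${PORTAL_NETWORK_CIDR}"` and abort on a bad result with `[[ "${KUBE_SERVICE_IP}" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || exit 1`, plus a comment saying that the first address of the service range is the API service IP. The same lines are added to make-cert.yaml and need the same guard; the script itself starts and ends outside this hunk.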

+ 4
- 0
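--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@@ -63,6 +63,10 @@ write_files:
       fi
       sans="${sans},IP:127.0.0.1"
 
+      KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
+
+      sans="${sans},IP:${KUBE_SERVICE_IP}"
+
       cert_conf_dir=${KUBE_CERTS_PATH}/conf
 
       mkdir -p ${cert_conf_dir}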
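Review bot: Nothing in this section shows where `PORTAL_NETWORK_CIDR` is defined for this cloud-config fragment, whose script is embedded under `write_files` in a separate file from the common make-cert.sh. If this driver does not supply the variable, the added `sans=` line appends a malformed IP entry to the certificate request, so the source of the value is worth confirming before merge. A one-line comment above the assignment, such as `# PORTAL_NETWORK_CIDR: service network CIDR; its first address is the API service IP`, would record the dependency. The embedded script continues outside the hunk.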
