
Use kubernetes service name in cert request

In kubernetes with atomic we have a set of certificates that we use in
three places:
1. etcd
2. kubernetes apiserver
3. kubernetes service accounts

In order to make service accounts work we need to set the common name
properly in the certificates.

Partial-Bug: #1705694

Change-Id: I04ed3bba938f0d5f340e2141be94058c38c2ed2b
(cherry picked from commit a7ab475cd0)
Mathieu Velten 1 year ago
parent
commit
34f3011913

+ 1
- 1
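--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
@@ -73,7 +73,7 @@ distinguished_name = req_distinguished_name
 req_extensions     = req_ext
 prompt = no
 [req_distinguished_name]
-CN = kubernetes.invalid
+CN = kubernetes.default.svc
 [req_ext]
 keyUsage=critical,digitalSignature,keyEncipherment
 extendedKeyUsage=clientAuth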
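Review bot: The new `CN = kubernetes.default.svc` sits in a request whose only extended key usage is `clientAuth`, and the Kubernetes API server's x509 authenticator takes a client certificate's CN as the user name, so clients holding this certificate would appear in audit logs and authorization decisions under the API service's own DNS name. Server-name matching is done against the server certificate's SANs (which make-cert.sh extends in this same commit), so it is not evident from this section that the client CN needs the service name at all. If it does, a comment ahead of the config would record why, for example `# CN is also the API user name under x509 client auth; kept as the service name because <reason>`; otherwise a CN that names the client role keeps identities distinguishable. The config block starts and ends outside the hunk.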

+ 3
- 1
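--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -50,6 +50,8 @@ KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{pri
 
 sans="${sans},IP:${KUBE_SERVICE_IP}"
 
+sans="${sans},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"
+
 cert_dir=/srv/kubernetes
 cert_conf_dir=${cert_dir}/conf
 
@@ -99,7 +101,7 @@ distinguished_name = req_distinguished_name
 req_extensions     = req_ext
 prompt = no
 [req_distinguished_name]
-CN = kubernetes.invalid
+CN = kubernetes.default.svc
 [req_ext]
 subjectAltName = ${sans}
 extendedKeyUsage = clientAuth,serverAuth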
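Review bot: The DNS names appended to `sans` in the first hunk end up in a certificate that the second hunk shows with `extendedKeyUsage = clientAuth,serverAuth`, and the commit message says the same certificate set serves etcd, the API server and service accounts, so every component holding this key becomes valid as `kubernetes.default.svc` for in-cluster clients. Splitting out a `serverAuth`-only request for the API server would keep the service names off the shared key; if that is out of scope here, it is worth stating the sharing in a comment next to the new line. The last SAN also hard-codes `cluster.local`: if the cluster DNS domain can be configured elsewhere in these templates, that entry should be built from the setting rather than the literal, and otherwise a comment such as `# SANs are the API server's in-cluster service names; cluster.local assumes the default DNS domain` would make the assumption visible. Both the script and the openssl config block extend beyond the hunks shown.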
