Use kubernetes service name in cert request
In kubernetes with atomic we have a set of certificates that we use in
three places:
1. etcd
2. kubernetes apiserver
3. kubernetes service accounts
In order to make service accounts work we need to set the common name
properly in the certificates.
Partial-Bug: #1705694
Change-Id: I04ed3bba938f0d5f340e2141be94058c38c2ed2b
(cherry picked from commit a7ab475cd0
)
parent
7cf0b5051a
commit
34f3011913
|
@ -73,7 +73,7 @@ distinguished_name = req_distinguished_name
|
||||||
req_extensions = req_ext
|
req_extensions = req_ext
|
||||||
prompt = no
|
prompt = no
|
||||||
[req_distinguished_name]
|
[req_distinguished_name]
|
||||||
CN = kubernetes.invalid
|
CN = kubernetes.default.svc
|
||||||
[req_ext]
|
[req_ext]
|
||||||
keyUsage=critical,digitalSignature,keyEncipherment
|
keyUsage=critical,digitalSignature,keyEncipherment
|
||||||
extendedKeyUsage=clientAuth
|
extendedKeyUsage=clientAuth
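Review bot: The new `CN = kubernetes.default.svc` in this request sits under `extendedKeyUsage=clientAuth`, so it is never checked as a server hostname and only acts as the client's identity. If the apiserver authenticates this certificate through x509 client-certificate authentication, Kubernetes takes the subject CN as the username, so every node built from this template would present the same service-style name; whether that path is enabled is not visible here. The commit message motivates the CN change for service accounts but does not say why the client request needs it. I would either keep a distinct client CN or add a comment above the line such as `# CN is the client identity seen by the apiserver, not a hostname; set to match the server cert (confirm this is required)`. The `[req_ext]` section may continue below the visible lines.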
|
||||||
|
|
|
@ -50,6 +50,8 @@ KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{pri
|
||||||
|
|
||||||
sans="${sans},IP:${KUBE_SERVICE_IP}"
|
sans="${sans},IP:${KUBE_SERVICE_IP}"
|
||||||
|
|
||||||
|
sans="${sans},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"
|
||||||
|
|
||||||
cert_dir=/srv/kubernetes
|
cert_dir=/srv/kubernetes
|
||||||
cert_conf_dir=${cert_dir}/conf
|
cert_conf_dir=${cert_dir}/conf
|
||||||
|
|
||||||
|
@ -99,7 +101,7 @@ distinguished_name = req_distinguished_name
|
||||||
req_extensions = req_ext
|
req_extensions = req_ext
|
||||||
prompt = no
|
prompt = no
|
||||||
[req_distinguished_name]
|
[req_distinguished_name]
|
||||||
CN = kubernetes.invalid
|
CN = kubernetes.default.svc
|
||||||
[req_ext]
|
[req_ext]
|
||||||
subjectAltName = ${sans}
|
subjectAltName = ${sans}
|
||||||
extendedKeyUsage = clientAuth,serverAuth
|
extendedKeyUsage = clientAuth,serverAuth
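Review bot: The added `sans="${sans},DNS:kubernetes,...,DNS:kubernetes.default.svc.cluster.local"` line hard-codes the `default` namespace and the `cluster.local` domain, so the server certificate will fail hostname verification for in-cluster clients wherever the cluster DNS domain is configured differently. Because the request carries `subjectAltName = ${sans}`, verifiers match against the SAN entries and not the CN, which means this line, rather than the `CN = kubernetes.default.svc` change in the following hunk, is what lets service-account pods accept the apiserver certificate. I would build the last entry from a variable, e.g. `DNS:kubernetes.default.svc.${CLUSTER_DOMAIN:-cluster.local}` (the variable name is a placeholder, not one taken from this script), and add a comment such as `# SANs cover the in-cluster service names; CN is ignored for hostname checks when SAN is present`. The surrounding script starts and ends outside the visible hunks.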
|
||||||
|
|