
Add Kubernetes API Service IP to x509 certificates

By default, the API service used with a service account is accessible from
inside the cluster at the address 10.254.0.1. This IP should be added to the
SANs when generating the certs.

Fixes-bug: #1660811
Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39
(cherry picked from commit 288bb34fe3)
tags/4.1.3^0
ArchiFleKs 2 years ago
parent
commit
b410770989

+ 4
- 0
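--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -46,6 +46,10 @@ if [[ -n "${MASTER_HOSTNAME}" ]]; then
 fi
 sans="${sans},IP:127.0.0.1"
 
+KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
+
+sans="${sans},IP:${KUBE_SERVICE_IP}"
+
 cert_dir=/srv/kubernetes
 cert_conf_dir=${cert_dir}/conf
 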
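Review bot: The added `KUBE_SERVICE_IP=` line uses `$PORTAL_NETWORK_CIDR` unquoted and without checking that it is set or shaped like a CIDR; the same line is added in make-cert.yaml. With an empty value the awk program prints `...1`, so `sans` gains `IP:...1` and the failure only surfaces later, presumably when the certificate request is built. A guard before the assignment would fail early, e.g. `[[ "${PORTAL_NETWORK_CIDR}" =~ ^([0-9]+\.){3}[0-9]+/[0-9]+$ ]] || { echo "invalid PORTAL_NETWORK_CIDR" >&2; exit 1; }`, with the expansion quoted as `echo "${PORTAL_NETWORK_CIDR}"`. The script continues on both sides of the hunk, so where the variable is defined is not visible here.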

+ 4
- 0
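--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@@ -63,6 +63,10 @@ write_files:
       fi
       sans="${sans},IP:127.0.0.1"
 
+      KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
+
+      sans="${sans},IP:${KUBE_SERVICE_IP}"
+
       cert_conf_dir=${KUBE_CERTS_PATH}/conf
 
       mkdir -p ${cert_conf_dir}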
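Review bot: The `$4 + 1` arithmetic on the added `KUBE_SERVICE_IP=` line only gives the API service address when `PORTAL_NETWORK_CIDR` is written with its network base address and the last octet is below 255; the same applies to the matching line in make-cert.sh. A value such as `10.254.0.10/16` (constructed example) would put `10.254.0.11` into the SAN list, an address the API service would not hold and that could presumably be assigned to another service. At minimum the assumption should be stated next to the line, e.g. `# assumes PORTAL_NETWORK_CIDR is the network base address; the API service takes the first address of the range`. The fragment's script starts and ends outside the hunk.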
