
Add Kubernetes API Service IP to x509 certificates

By default, the API service with service account is accessible from inside
the cluster at the address 10.254.0.1. This IP should be added to the SANs
when generating the certs.

Closes-bug: #1660811
Depends-On: Icc93fb11e19bb900396c485719908655fac75cf6
Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39
(cherry picked from commit 288bb34fe3)
tags/3.3.1^0
ArchiFleKs 2 years ago
parent
commit
ce5133ce56

+ 4
- 0
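--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -46,6 +46,10 @@ if [[ -n "${MASTER_HOSTNAME}" ]]; then
 fi
 sans="${sans},IP:127.0.0.1"
 
+KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
+
+sans="${sans},IP:${KUBE_SERVICE_IP}"
+
 cert_dir=/srv/kubernetes
 cert_conf_dir=${cert_dir}/conf
 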
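Review bot: `KUBE_SERVICE_IP` is derived from `$PORTAL_NETWORK_CIDR` with no validation, so an empty or unset value makes awk print `...1` and the SAN list receives `IP:...1` instead of the script failing early; the identical added lines in make-cert.yaml have the same gap. The `$4 + 1` arithmetic also assumes the CIDR is written with its network base address: a value such as 10.254.0.5/16 (constructed example) would put 10.254.0.6 into the certificate, which presumably would not match the address the API service actually receives, and in-cluster clients verifying the server certificate would then be rejected. I would stop on a missing value and quote the expansion, e.g. `: "${PORTAL_NETWORK_CIDR:?PORTAL_NETWORK_CIDR is not set}"` before the assignment and `echo "${PORTAL_NETWORK_CIDR}"` inside it, and add a one-line comment such as `# API service IP = first address of the portal network, must be in the cert SANs`. Where PORTAL_NETWORK_CIDR is set lies outside this hunk, so whether it can be empty here should be confirmed against the rest of the script.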

+ 4
- 0
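--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@@ -64,6 +64,10 @@ write_files:
       fi
       sans="${sans},IP:127.0.0.1"
 
+      KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
+
+      sans="${sans},IP:${KUBE_SERVICE_IP}"
+
       cert_dir=/etc/kubernetes/ssl
       cert_conf_dir=${cert_dir}/conf
 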
