From ce5133ce56e3635bde8097a3eaf4b2c86a9a14e9 Mon Sep 17 00:00:00 2001 From: ArchiFleKs Date: Mon, 20 Feb 2017 15:57:25 +0100 Subject: [PATCH] Add Kubernetes API Service IP to x509 certificates By default, API service with service account is accessible from inside the cluster at the address 10.254.0.1. This IP should be added to SANS when generating the certs. Closes-bug: #1660811 Depends-On: Icc93fb11e19bb900396c485719908655fac75cf6 Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39 (cherry picked from commit 288bb34fe311041a911bba9d43dfb75176ee43cd) --- .../common/templates/kubernetes/fragments/make-cert.sh | 4 ++++ .../drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh index 323551e7c1..9cdf692d20 100644 --- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh +++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh @@ -46,6 +46,10 @@ if [[ -n "${MASTER_HOSTNAME}" ]]; then fi sans="${sans},IP:127.0.0.1" +KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}') + +sans="${sans},IP:${KUBE_SERVICE_IP}" + cert_dir=/srv/kubernetes cert_conf_dir=${cert_dir}/conf diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml index f087fbee6e..ef0700b401 100644 --- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml +++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml @@ -64,6 +64,10 @@ write_files: fi sans="${sans},IP:127.0.0.1" + KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}') + + sans="${sans},IP:${KUBE_SERVICE_IP}" + cert_dir=/etc/kubernetes/ssl cert_conf_dir=${cert_dir}/conf
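Review bot: The derived `KUBE_SERVICE_IP` is appended to `sans` with no check, and `$PORTAL_NETWORK_CIDR` is expanded unquoted in `echo $PORTAL_NETWORK_CIDR | awk …`; the same added lines appear in the make-cert.yaml hunk. If the variable is empty or not a dotted-quad CIDR, awk still prints a value such as `...1`, so the certificate request would carry a malformed or wrong IP SAN. In-cluster clients could then fail to verify the API server at the service address. Quote the expansion and fail early after the assignment, e.g. `[[ "${KUBE_SERVICE_IP}" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || { echo "invalid PORTAL_NETWORK_CIDR" >&2; exit 1; }`. A short comment that `$4 + 1` assumes the CIDR is written with its network address and a last octet below 255 would also help; the rest of the script is outside the hunk, so whether a later step rejects a bad value is not visible here.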