Use kubernetes service name in cert request

In kubernetes with atomic we have a set of certificates that we use in three places: 1. etcd 2. kubernetes apiserver 3. kubernetes service accounts In order to make service accounts work we need to set the common name properly in the certificates. Partial-Bug: #1705694 Change-Id: I04ed3bba938f0d5f340e2141be94058c38c2ed2b
2017-07-17 10:53:21 +02:00 · 2017-07-17 10:53:21 +02:00 · a7ab475cd0
parent ffe2ea4baa
commit a7ab475cd0
2 changed files with 4 additions and 2 deletions
--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert-client.sh
@ -73,7 +73,7 @@ distinguished_name = req_distinguished_name
 req_extensions     = req_ext
 prompt = no
 [req_distinguished_name]
-CN = kubernetes.invalid
+CN = kubernetes.default.svc
 [req_ext]
 keyUsage=critical,digitalSignature,keyEncipherment
 extendedKeyUsage=clientAuth
--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@ -55,6 +55,8 @@ KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{pri

 sans="${sans},IP:${KUBE_SERVICE_IP}"

+sans="${sans},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"
+
 cert_dir=/srv/kubernetes
 cert_conf_dir=${cert_dir}/conf

@ -104,7 +106,7 @@ distinguished_name = req_distinguished_name
 req_extensions     = req_ext
 prompt = no
 [req_distinguished_name]
-CN = kubernetes.invalid
+CN = kubernetes.default.svc
 [req_ext]
 subjectAltName = ${sans}
 extendedKeyUsage = clientAuth,serverAuth