Use kubernetes service name in cert request
In kubernetes with atomic we have a set of certificates that we use in
three places:
1. etcd
2. kubernetes apiserver
3. kubernetes service accounts
In order to make service accounts work we need to set the common name
properly in the certificates.
Partial-Bug: #1705694
Change-Id: I04ed3bba938f0d5f340e2141be94058c38c2ed2b
(cherry picked from commit a7ab475cd0
)
parent
7cf0b5051a
commit
34f3011913
|
@ -73,7 +73,7 @@ distinguished_name = req_distinguished_name
|
|||
req_extensions = req_ext
|
||||
prompt = no
|
||||
[req_distinguished_name]
|
||||
CN = kubernetes.invalid
|
||||
CN = kubernetes.default.svc
|
||||
[req_ext]
|
||||
keyUsage=critical,digitalSignature,keyEncipherment
|
||||
extendedKeyUsage=clientAuth
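Review bot: The new `CN = kubernetes.default.svc` sits in a request whose only extended key usage is `clientAuth`, and an apiserver that authenticates client certificates takes the subject CN as the username. Every holder of a certificate from this request would therefore appear as the user `kubernetes.default.svc`, which is also the CN given to the `clientAuth,serverAuth` request in the last hunk, so authorization rules and audit records could not tell these identities apart. Whether service accounts actually depend on this client CN is not visible here. Consider a CN that names the client's role, with an `O =` entry if group membership is needed, or at minimum a comment above the line such as `# CN is the username the apiserver sees for this client certificate`. The config block that holds these lines starts and ends outside the hunk.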
|
||||
|
|
|
@ -50,6 +50,8 @@ KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{pri
|
|||
|
||||
sans="${sans},IP:${KUBE_SERVICE_IP}"
|
||||
|
||||
sans="${sans},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"
|
||||
|
||||
cert_dir=/srv/kubernetes
|
||||
cert_conf_dir=${cert_dir}/conf
|
||||
|
||||
|
@ -99,7 +101,7 @@ distinguished_name = req_distinguished_name
|
|||
req_extensions = req_ext
|
||||
prompt = no
|
||||
[req_distinguished_name]
|
||||
CN = kubernetes.invalid
|
||||
CN = kubernetes.default.svc
|
||||
[req_ext]
|
||||
subjectAltName = ${sans}
|
||||
extendedKeyUsage = clientAuth,serverAuth
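Review bot: The added SAN list at `sans="${sans},DNS:kubernetes,…"` hard-codes the `cluster.local` suffix, so on a cluster with a different DNS domain the fully qualified service name would not be covered and in-cluster clients validating the apiserver by that name would fail verification; whether the domain is configurable is not visible on this page. If it is, derive the last entry from that setting, e.g. `DNS:kubernetes.default.svc.${CLUSTER_DOMAIN}` (`CLUSTER_DOMAIN` is a placeholder name, not a variable shown here). In the last hunk, clients that check hostnames against subjectAltName do not consult the CN, so the `sans` line rather than `CN = kubernetes.default.svc` is what makes the service name verify; a comment above the CN line such as `# hostname checks use subjectAltName (${sans}), not this CN` would record that. This request also keeps `clientAuth` next to `serverAuth`, so the resulting certificate, if ever presented as a client certificate, would carry the same CN as the client request in the first hunk. Both enclosing blocks start and end outside the hunks.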
|
||||
|
|