Use kubernetes service name in cert request

In kubernetes with atomic we have a set of certificates that we use in
three places:
1. etcd
2. kubernetes apiserver
3. kubernetes service accounts

In order to make service accounts work we need to set the common name
properly in the certificates.

Partial-Bug: #1705694

Change-Id: I04ed3bba938f0d5f340e2141be94058c38c2ed2b
(cherry picked from commit a7ab475cd0)
Mathieu Velten 2017-07-17 10:53:21 +02:00
parent 7cf0b5051a
commit 34f3011913
2 changed files with 4 additions and 2 deletions


@ -73,7 +73,7 @@ distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kubernetes.invalid
CN = kubernetes.default.svc
[req_ext]
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
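Review bot: The new `CN = kubernetes.default.svc` sits in a request whose only extended key usage is `clientAuth`, and under Kubernetes x509 client authentication the certificate's common name is taken as the user name. If the apiserver in this deployment authenticates these clients by certificate (not visible in this hunk), every holder of such a certificate appears under the same service-name identity, so audit logs and authorization rules cannot tell them apart. Server name checking is served by `subjectAltName` rather than the CN, so the CN could carry a per-client identity instead; the same applies to the `clientAuth,serverAuth` request in the `@ -99,7 +101,7` hunk of the second file. At minimum I would add a comment above the line, such as `# CN is the user name under x509 client auth; identical for every holder of this cert`.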


@ -50,6 +50,8 @@ KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{pri
sans="${sans},IP:${KUBE_SERVICE_IP}"
sans="${sans},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local"
cert_dir=/srv/kubernetes
cert_conf_dir=${cert_dir}/conf
@ -99,7 +101,7 @@ distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = kubernetes.invalid
CN = kubernetes.default.svc
[req_ext]
subjectAltName = ${sans}
extendedKeyUsage = clientAuth,serverAuth
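Review bot: The SAN list in the first hunk's `sans="${sans},DNS:kubernetes,...` line hard-codes `cluster.local` in `DNS:kubernetes.default.svc.cluster.local`, so a cluster deployed with a different DNS domain gets a certificate that does not cover the fully qualified service name. Clients that reach the apiserver by that name would then fail verification, and the common workaround of disabling verification is the worse outcome. Consider building the last entry from the configured domain, e.g. `DNS:kubernetes.default.svc.${CLUSTER_DOMAIN_PLACEHOLDER}` (a placeholder name; use whichever variable the template already exposes, if any). A short comment above the line saying which clients rely on each name would also help the next reader decide what can be dropped.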