Add Kubernetes API Service IP to x509 certificates

By default, the API service with service account is accessible from inside
the cluster at the address 10.254.0.1. This IP should be added to the SANs
when generating the certs.

Fixes-bug: #1660811
Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39
ArchiFleKs 2017-02-20 15:57:25 +01:00
parent 88ddece127
commit 288bb34fe3
2 changed files with 8 additions and 0 deletions


@ -46,6 +46,10 @@ if [[ -n "${MASTER_HOSTNAME}" ]]; then
fi
sans="${sans},IP:127.0.0.1"
KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
sans="${sans},IP:${KUBE_SERVICE_IP}"
cert_dir=/srv/kubernetes
cert_conf_dir=${cert_dir}/conf
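Review bot: The new entry `sans="${sans},IP:${KUBE_SERVICE_IP}"` is appended without checking that the awk output is a usable address: `$PORTAL_NETWORK_CIDR` is expanded unquoted, and when it is empty or unset the pipeline still prints `...1`, so the certificate request would carry a malformed IP SAN. The derivation also assumes the CIDR is written with its network base address, so a value that is not aligned that way would presumably yield a SAN that is not the service IP, and in-cluster clients would then fail TLS verification against the API server. I would quote the input as `echo "${PORTAL_NETWORK_CIDR}"` and stop before extending `sans` unless the result is a dotted quad, e.g. `[[ "${KUBE_SERVICE_IP}" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || exit 1`. The same two lines appear in the second file section (the `write_files:` fragment) and need the same change; the surrounding script starts and ends outside both hunks.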


@ -63,6 +63,10 @@ write_files:
fi
sans="${sans},IP:127.0.0.1"
KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
sans="${sans},IP:${KUBE_SERVICE_IP}"
cert_conf_dir=${KUBE_CERTS_PATH}/conf
mkdir -p ${cert_conf_dir}