kubernetes api-server certificate missing internal clusterip
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Magnum | Fix Released | High | Kevin Lefevre | |
Bug Description
The certificate generated in the kubernetes master shows something like:
openssl x509 -in /srv/kubernetes
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
There's also a hook to have the private ip address, but we miss the internal clusterIP of the kubernetes API. This is required by multiple tools like helm or fission.io, which rely on the clusterIP to talk to the kube-api using the svcaccount.
As far as I see, the code is in:
https:/
and we should add to the subject alt names of the cert the first IP of the --service-
https:/
Changed in magnum: | |
importance: | Undecided → High |
status: | New → Triaged |
Changed in magnum: | |
assignee: | nobody → Kevin Lefevre (archifleks) |
status: | Triaged → In Progress |
Reviewed: https://review.openstack.org/436037
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=288bb34fe311041a911bba9d43dfb75176ee43cd
Submitter: Jenkins
Branch: master
commit 288bb34fe311041a911bba9d43dfb75176ee43cd
Author: ArchiFleKs <email address hidden>
Date: Mon Feb 20 15:57:25 2017 +0100
Add Kubernetes API Service IP to x509 certificates
By default, API service with service account is accessible from inside
the cluster at the address 10.254.0.1. This IP should be added to SANS
when generating the certs.
Fixes-bug: #1660811
Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39
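
An added example, not part of the bug report or the Magnum change: a check that a certificate's SAN list contains the API service address the commit message names. The 10.254.0.0/16 service range, the function names and the sample `openssl x509 -text` output are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `openssl x509 -noout -text` output (not from the bug report).
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:192.0.2.10, IP Address:10.0.0.5, IP Address:127.0.0.1
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
"""


def api_service_ip(service_cidr):
    """First usable address of the service range; Kubernetes assigns it
    to the built-in `kubernetes` API service."""
    net = ipaddress.ip_network(service_cidr, strict=True)
    if net.num_addresses < 2:
        raise ValueError("service range too small to hold a service IP")
    return net.network_address + 1


def san_ips(cert_text):
    """Collect the IP entries of the SAN extension from the text dump."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n([^\n]*)", cert_text)
    if not m:
        return set()  # no SAN extension at all
    ips = set()
    for entry in m.group(1).split(","):
        # Split on the first ':' only, so IPv6 values stay intact.
        kind, _, value = entry.strip().partition(":")
        if kind == "IP Address":
            ips.add(ipaddress.ip_address(value.strip()))
    return ips


def missing_api_sans(cert_text, service_cidr):
    """Addresses in-cluster clients dial that the certificate does not cover."""
    required = {api_service_ip(service_cidr)}
    return sorted(required - san_ips(cert_text))


if __name__ == "__main__":
    # Assumed service range; 10.254.0.1 is the address named in the commit message.
    for ip in missing_api_sans(SAMPLE_CERT_TEXT, "10.254.0.0/16"):
        print(f"certificate has no SAN for API service IP {ip}")
```

Against a live master, feed the function the output of `openssl x509 -noout -text` for the API server certificate instead of the constructed sample.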