kubernetes api-server certificate missing internal clusterip

Bug #1660811 reported by Ricardo Rocha
Affects: Magnum
Status: Fix Released
Importance: High
Assigned to: Kevin Lefevre

Bug Description

The certificate generated in the kubernetes master shows something like:

openssl x509 -in /srv/kubernetes/server.crt -text -certopt no_subject,no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:PUBLIC_NODEIP, IP Address:NODEIP, IP Address:127.0.0.1
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication

There's also a hook to have the private ip address, but we miss the internal clusterIP of the kubernetes API. This is required by multiple tools like helm or fission.io, which rely on the clusterIP to talk to the kube-api using the svcaccount.

As far as I see the code is in:
https://github.com/openstack/magnum/blob/master/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh

and we should add to the subject alt names of the cert the first IP of the --service-cluster-ip-range option passed to the kube-api, which is controlled in magnum by the portal_network_cidr:
https://github.com/openstack/magnum/blob/master/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml#L63
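An added check for the gap described above (example code, not the reporter's and not part of Magnum's make-cert.sh): it derives the API service ClusterIP from portal_network_cidr as the first usable address of the range, parses the IP SANs out of `openssl x509 -text` output like the one quoted in the report, and reports which addresses a client could use to reach kube-apiserver that the certificate does not cover. The openssl text below is a constructed sample with illustrative node IPs in place of PUBLIC_NODEIP/NODEIP.

```python
"""Verify that a kube-apiserver cert's SANs include the service ClusterIP."""
import ipaddress
import re

# Constructed sample of `openssl x509 -text` output, shaped like the one in
# the bug report; 203.0.113.10 and 10.0.0.5 stand in for PUBLIC_NODEIP/NODEIP.
SAMPLE_OPENSSL_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:203.0.113.10, IP Address:10.0.0.5, IP Address:127.0.0.1
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
"""


def service_cluster_ip(portal_network_cidr):
    """First usable address of --service-cluster-ip-range, which is the
    ClusterIP of the `kubernetes` API service (10.254.0.1 for 10.254.0.0/16)."""
    net = ipaddress.ip_network(portal_network_cidr, strict=False)
    return str(net.network_address + 1)


def san_ips(openssl_text):
    """Collect the IP Address entries from the Subject Alternative Name
    extension in `openssl x509 -text` output (single SAN line assumed)."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", openssl_text)
    if not m:
        return set()  # no SAN extension at all: nothing is covered
    return set(re.findall(r"IP Address:([0-9a-fA-F.:]+)", m.group(1)))


def missing_sans(openssl_text, portal_network_cidr, node_ips=()):
    """Addresses kube-apiserver is reachable on (node IPs, loopback and the
    service ClusterIP) that the certificate does not list as IP SANs."""
    required = set(node_ips) | {"127.0.0.1", service_cluster_ip(portal_network_cidr)}
    return sorted(required - san_ips(openssl_text))


if __name__ == "__main__":
    # With the report's certificate, only the service ClusterIP is missing.
    print(missing_sans(SAMPLE_OPENSSL_TEXT, "10.254.0.0/16",
                       ["203.0.113.10", "10.0.0.5"]))  # prints ['10.254.0.1']
```

On a real master, feed it the output of the openssl command quoted in the report together with the cluster's portal_network_cidr; an empty result means in-cluster clients such as helm can verify the API server by its ClusterIP.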

Changed in magnum:
importance: Undecided → High
status: New → Triaged
Changed in magnum:
assignee: nobody → Kevin Lefevre (archifleks)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/436037
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=288bb34fe311041a911bba9d43dfb75176ee43cd
Submitter: Jenkins
Branch: master

commit 288bb34fe311041a911bba9d43dfb75176ee43cd
Author: ArchiFleKs <email address hidden>
Date: Mon Feb 20 15:57:25 2017 +0100

    Add Kubernetes API Service IP to x509 certificates

    By default, API service with service account is accessible from inside
    the cluster at the address 10.254.0.1. This IP should be added to SANS
    when generating the certs.

    Fixes-bug: #1660811
    Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39

Changed in magnum:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/485370

OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/485372

OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/ocata)

Reviewed: https://review.openstack.org/485370
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=b410770989fb53fed170a1fa503fe8ba176a5e6d
Submitter: Jenkins
Branch: stable/ocata

commit b410770989fb53fed170a1fa503fe8ba176a5e6d
Author: ArchiFleKs <email address hidden>
Date: Mon Feb 20 15:57:25 2017 +0100

    Add Kubernetes API Service IP to x509 certificates

    By default, API service with service account is accessible from inside
    the cluster at the address 10.254.0.1. This IP should be added to SANS
    when generating the certs.

    Fixes-bug: #1660811
    Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39
    (cherry picked from commit 288bb34fe311041a911bba9d43dfb75176ee43cd)

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/newton)

Reviewed: https://review.openstack.org/485372
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=ce5133ce56e3635bde8097a3eaf4b2c86a9a14e9
Submitter: Jenkins
Branch: stable/newton

commit ce5133ce56e3635bde8097a3eaf4b2c86a9a14e9
Author: ArchiFleKs <email address hidden>
Date: Mon Feb 20 15:57:25 2017 +0100

    Add Kubernetes API Service IP to x509 certificates

    By default, API service with service account is accessible from inside
    the cluster at the address 10.254.0.1. This IP should be added to SANS
    when generating the certs.

    Closes-bug: #1660811
    Depends-On: Icc93fb11e19bb900396c485719908655fac75cf6
    Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39
    (cherry picked from commit 288bb34fe311041a911bba9d43dfb75176ee43cd)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 3.3.1

This issue was fixed in the openstack/magnum 3.3.1 release.
