mirror of
https://github.com/k3s-io/k3s.git
synced 2024-06-07 19:41:36 +00:00
Use same SANs on ServingKubeAPICert as dynamiclistener
The kube-apiserver cert should have the same SANs in the same order, excluding the extra user-configured SANs since this will only be used in-cluster. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
parent
8f1a20c0d3
commit
3cb4ca4b35
|
@ -319,7 +319,7 @@ func genServerCerts(config *config.Control, runtime *config.ControlRuntime) erro
|
|||
}
|
||||
|
||||
altNames := &certutil.AltNames{
|
||||
DNSNames: []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"},
|
||||
DNSNames: []string{"localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc." + config.ClusterDomain},
|
||||
IPs: []net.IP{apiServerServiceIP},
|
||||
}
|
||||
|
||||
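Review bot: The new `DNSNames` list drops the bare `kubernetes.default.svc` name and keeps only the cluster-domain-qualified form. Any in-cluster client that connects to `https://kubernetes.default.svc` will then fail TLS hostname verification against this certificate, unless another component still adds that SAN, which is not visible here. I would keep both forms: `DNSNames: []string{"localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc." + config.ClusterDomain},`. The last entry also assumes `config.ClusterDomain` is non-empty at this point; if it can be unset the SAN becomes `kubernetes.default.svc.`, so a guard or a comment naming where the default is applied would help. genServerCerts starts and ends outside the hunk.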
|
|
|
@ -172,8 +172,8 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
|
|||
argsMap["tls-cert-file"] = runtime.ServingKubeAPICert
|
||||
argsMap["tls-private-key-file"] = runtime.ServingKubeAPIKey
|
||||
argsMap["service-account-key-file"] = runtime.ServiceKey
|
||||
argsMap["service-account-issuer"] = "https://kubernetes.default.svc.cluster.local"
|
||||
argsMap["api-audiences"] = "https://kubernetes.default.svc.cluster.local," + version.Program
|
||||
argsMap["service-account-issuer"] = "https://kubernetes.default.svc." + cfg.ClusterDomain
|
||||
argsMap["api-audiences"] = "https://kubernetes.default.svc." + cfg.ClusterDomain + "," + version.Program
|
||||
argsMap["kubelet-certificate-authority"] = runtime.ServerCA
|
||||
argsMap["kubelet-client-certificate"] = runtime.ClientKubeAPICert
|
||||
argsMap["kubelet-client-key"] = runtime.ClientKubeAPIKey
|
||||
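Review bot: `service-account-issuer` and `api-audiences` now follow `cfg.ClusterDomain`, so on an existing cluster whose domain is not `cluster.local` the issuer and audience used to validate service account tokens change on upgrade. Tokens minted under the old `https://kubernetes.default.svc.cluster.local` issuer would presumably stop validating until they are reissued; nothing in the hunk documents or handles that. At minimum add a comment above the two assignments, e.g. `// issuer/audience track the cluster domain; tokens issued under the previous cluster.local issuer will not validate if the domain differs`. Building the URL once (`issuer := "https://kubernetes.default.svc." + cfg.ClusterDomain`) and using it for both keys would keep them from drifting apart. As with the certificate SANs, an empty `cfg.ClusterDomain` would give an issuer ending in a dot. apiServer continues outside the hunk.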
|
|