From 3cb4ca4b35dbdbdf17fa3ce42667244496ccccf5 Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Tue, 27 Apr 2021 22:45:33 -0700
Subject: [PATCH] Use same SANs on ServingKubeAPICert as dynamiclistener
The kube-apiserver cert should have the same SANs in the same order, excluding the extra user-configured SANs since this will only be used in-cluster.
Signed-off-by: Brad Davidson
---
 pkg/daemons/control/deps/deps.go | 2 +-
 pkg/daemons/control/server.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/daemons/control/deps/deps.go b/pkg/daemons/control/deps/deps.go
index 15ad7c90f7..2e7729d0e4 100644
--- a/pkg/daemons/control/deps/deps.go
+++ b/pkg/daemons/control/deps/deps.go
@@ -319,7 +319,7 @@ func genServerCerts(config *config.Control, runtime *config.ControlRuntime) erro
 }
 altNames := &certutil.AltNames{
- DNSNames: []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"},
+ DNSNames: []string{"localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc." + config.ClusterDomain},
 IPs: []net.IP{apiServerServiceIP},
 }
diff --git a/pkg/daemons/control/server.go b/pkg/daemons/control/server.go
index f3067dbc48..bee9419621 100644
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
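Review bot: The new DNSNames list drops the bare `kubernetes.default.svc` entry that the old list carried, so an in-cluster client that dials `https://kubernetes.default.svc` and relies on resolver search domains will fail TLS hostname verification against ServingKubeAPICert, because verification checks the name as typed, not the resolved FQDN. Keeping both forms costs one entry: `DNSNames: []string{"localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc." + config.ClusterDomain},`. If config.ClusterDomain can ever be empty at this point, the concatenation yields a name ending in a trailing dot, which is presumably not intended and deserves either a guard or a comment stating that the default domain is relied on. genServerCerts continues outside the hunk on both sides.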
@@ -172,8 +172,8 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
 argsMap["tls-cert-file"] = runtime.ServingKubeAPICert
 argsMap["tls-private-key-file"] = runtime.ServingKubeAPIKey
 argsMap["service-account-key-file"] = runtime.ServiceKey
- argsMap["service-account-issuer"] = "https://kubernetes.default.svc.cluster.local"
- argsMap["api-audiences"] = "https://kubernetes.default.svc.cluster.local," + version.Program
+ argsMap["service-account-issuer"] = "https://kubernetes.default.svc." + cfg.ClusterDomain
+ argsMap["api-audiences"] = "https://kubernetes.default.svc." + cfg.ClusterDomain + "," + version.Program
 argsMap["kubelet-certificate-authority"] = runtime.ServerCA
 argsMap["kubelet-client-certificate"] = runtime.ClientKubeAPICert
 argsMap["kubelet-client-key"] = runtime.ClientKubeAPIKey
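Review bot: Deriving `service-account-issuer` from cfg.ClusterDomain changes the `iss` claim of every newly minted service account token on clusters whose domain is not cluster.local, and the apiserver will then reject tokens that still carry the old literal issuer, so on such clusters outstanding bound tokens stop validating at upgrade until they are reissued. The same applies to the `api-audiences` value on the following line. A comment on the issuer line would save the next maintainer from repeating this surprise, e.g. `// Changing the issuer or audience invalidates tokens minted with the previous value.`. The issuer URL here and the SAN in deps.go are assembled from the same pieces in two places; a small helper returning `"kubernetes.default.svc." + clusterDomain` would keep them from drifting apart. apiServer starts and ends outside the hunk.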