Use same SANs on ServingKubeAPICert as dynamiclistener

The kube-apiserver cert should have the same SANs in the same order, excluding the extra user-configured SANs since this will only be used in-cluster. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-06-07 19:41:36 +00:00 · 2021-04-27 22:45:33 -07:00 · 2021-04-27 22:45:33 -07:00 · 3cb4ca4b35
commit 3cb4ca4b35
parent 8f1a20c0d3
2 changed files with 3 additions and 3 deletions
--- a/pkg/daemons/control/deps/deps.go
+++ b/pkg/daemons/control/deps/deps.go
@ -319,7 +319,7 @@ func genServerCerts(config *config.Control, runtime *config.ControlRuntime) erro
 	}
 	altNames := &certutil.AltNames{
-		DNSNames: []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"},
+		DNSNames: []string{"localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc." + config.ClusterDomain},
 		IPs:      []net.IP{apiServerServiceIP},
 	}
--- a/pkg/daemons/control/server.go
+++ b/pkg/daemons/control/server.go
@ -172,8 +172,8 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
 	argsMap["tls-cert-file"] = runtime.ServingKubeAPICert
 	argsMap["tls-private-key-file"] = runtime.ServingKubeAPIKey
 	argsMap["service-account-key-file"] = runtime.ServiceKey
-	argsMap["service-account-issuer"] = "https://kubernetes.default.svc.cluster.local"
+	argsMap["service-account-issuer"] = "https://kubernetes.default.svc." + cfg.ClusterDomain
-	argsMap["api-audiences"] = "https://kubernetes.default.svc.cluster.local," + version.Program
+	argsMap["api-audiences"] = "https://kubernetes.default.svc." + cfg.ClusterDomain + "," + version.Program
 	argsMap["kubelet-certificate-authority"] = runtime.ServerCA
 	argsMap["kubelet-client-certificate"] = runtime.ClientKubeAPICert
 	argsMap["kubelet-client-key"] = runtime.ClientKubeAPIKey