mirror of
https://github.com/k3s-io/k3s.git
synced 2024-06-07 19:41:36 +00:00
Use same SANs on ServingKubeAPICert as dynamiclistener
The kube-apiserver cert should have the same SANs in the same order, excluding the extra user-configured SANs since this will only be used in-cluster. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
parent
8f1a20c0d3
commit
3cb4ca4b35
|
@ -319,7 +319,7 @@ func genServerCerts(config *config.Control, runtime *config.ControlRuntime) erro
|
||||||
}
|
}
|
||||||
|
|
||||||
altNames := &certutil.AltNames{
|
altNames := &certutil.AltNames{
|
||||||
DNSNames: []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"},
|
DNSNames: []string{"localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc." + config.ClusterDomain},
|
||||||
IPs: []net.IP{apiServerServiceIP},
|
IPs: []net.IP{apiServerServiceIP},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
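Review bot: The rewritten `DNSNames` line no longer carries the bare `kubernetes.default.svc` name, only `"kubernetes.default.svc." + config.ClusterDomain`; this takes the second printed copy as the new side, since the +/- markers are lost in this rendering. A client that verifies the apiserver certificate against the short service name would fail hostname verification if this is the certificate it is served. If the dynamiclistener list allows it, keep both forms: `DNSNames: []string{"localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc." + config.ClusterDomain},`. An empty `config.ClusterDomain` would also produce the SAN `kubernetes.default.svc.` with a trailing dot, and whether a default is applied earlier is not visible here. genServerCerts starts and ends outside the hunk.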
@ -172,8 +172,8 @@ func apiServer(ctx context.Context, cfg *config.Control, runtime *config.Control
|
||||||
argsMap["tls-cert-file"] = runtime.ServingKubeAPICert
|
argsMap["tls-cert-file"] = runtime.ServingKubeAPICert
|
||||||
argsMap["tls-private-key-file"] = runtime.ServingKubeAPIKey
|
argsMap["tls-private-key-file"] = runtime.ServingKubeAPIKey
|
||||||
argsMap["service-account-key-file"] = runtime.ServiceKey
|
argsMap["service-account-key-file"] = runtime.ServiceKey
|
||||||
argsMap["service-account-issuer"] = "https://kubernetes.default.svc.cluster.local"
|
argsMap["service-account-issuer"] = "https://kubernetes.default.svc." + cfg.ClusterDomain
|
||||||
argsMap["api-audiences"] = "https://kubernetes.default.svc.cluster.local," + version.Program
|
argsMap["api-audiences"] = "https://kubernetes.default.svc." + cfg.ClusterDomain + "," + version.Program
|
||||||
argsMap["kubelet-certificate-authority"] = runtime.ServerCA
|
argsMap["kubelet-certificate-authority"] = runtime.ServerCA
|
||||||
argsMap["kubelet-client-certificate"] = runtime.ClientKubeAPICert
|
argsMap["kubelet-client-certificate"] = runtime.ClientKubeAPICert
|
||||||
argsMap["kubelet-client-key"] = runtime.ClientKubeAPIKey
|
argsMap["kubelet-client-key"] = runtime.ClientKubeAPIKey
|
||||||
|
|
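Review bot: The `service-account-issuer` and `api-audiences` lines now follow `cfg.ClusterDomain`, which changes the token trust boundary, yet the commit message only mentions certificate SANs. On an existing cluster whose cluster domain is not `cluster.local`, the issuer string changes on upgrade. Projected service-account tokens already issued with the old `iss` value would presumably be rejected until they are refreshed. At minimum add a comment above these lines, such as `// Issuer and audience follow the cluster domain; changing it alters the iss claim of issued tokens and invalidates outstanding ones.`, and consider validating that `cfg.ClusterDomain` is non-empty before building the URL. apiServer starts and ends outside the hunk.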