darxkies / k8s-tew

Kubernetes - The Easier Way
GNU General Public License v3.0

Is there a way to add a SAN to the api server certificate? #28

Closed figassis closed 3 years ago

figassis commented 4 years ago

I'm running k8s-tew behind a load balancer external to the cluster, but I'm unable to point kubectl to the lb. My workaround is as follows:

Suffice to say this is not ideal. There are ways to add alternate names on kubeadm setups. Is there a way using k8s-tew, or maybe this could be something to add as a command?

Thanks!

darxkies commented 4 years ago

That is not supported for now. I will add it in a future release. Can you make a concrete suggestion?

There might be another workaround for now, but it is not tested. The controller virtual IP is added as a SAN. But setting the controller virtual IP and the interface starts the internal load balancer. To prevent that, the controller virtual IP interface has to be set to an empty string.

darxkies commented 4 years ago

In the new version 2.4.0-beta.5 there are two new configuration options:

--san-dns-names string                           SAN DNS Names (comma separated)
--san-ip-addresses string                        SAN IP Addresses (comma separated)

Please let me know if that works for you.

figassis commented 4 years ago

Hi! Yes, that'd definitely work, will test!

darxkies commented 3 years ago

Did it work?
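
Added example, not part of the thread and not k8s-tew code: a Go check that a certificate's SANs cover every DNS name or IP address a client will use to reach the API server (such as an external load balancer), taking a comma-separated list like the options above. The host names, addresses and the self-signed sample certificate are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// MissingSANs returns the entries of a comma-separated endpoint list (DNS
// names or IP addresses) that the certificate's SANs do not cover.
func MissingSANs(cert *x509.Certificate, endpoints string) (missing []string) {
	for _, e := range strings.Split(endpoints, ",") {
		if e = strings.TrimSpace(e); e != "" && cert.VerifyHostname(e) != nil {
			missing = append(missing, e)
		}
	}
	return missing
}

// SampleCert builds a throwaway self-signed certificate (constructed data).
func SampleCert(dns []string, ips []net.IP) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dns, IPAddresses: ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := SampleCert([]string{"k8s.example.internal"}, []net.IP{net.ParseIP("192.0.2.10")})
	if err != nil {
		panic(err)
	}
	fmt.Println(MissingSANs(cert, "k8s.example.internal, 192.0.2.10, lb.example.internal"))
}
```

An empty result means every listed endpoint passes hostname verification against the certificate; any entry returned would make a TLS client such as kubectl reject the connection when it dials that name.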