k0sproject / k0s

k0s - The Zero Friction Kubernetes
https://docs.k0sproject.io

Set multiple Subject Alternative Names in all SSL Certificates, not only in server.crt and k0s-api.crt #3318

Open Friz-zy opened 1 year ago

Friz-zy commented 1 year ago

Is your feature request related to a problem? Please describe.

I have a problem with etcd certificates in a docker swarm setup: in swarm the k0s container can have multiple IPs, such as multiple container IPs and a service IP. Only the service IP is present in the DNS record that the docker resolver returns for a DNS lookup. etcd gave me a bunch of errors about invalid server, peer or client certs, depending on which configuration I tried...

Describe the solution you would like

Currently only pki/server.crt and pki/k0s-api.crt contain multiple alternative names, coming from the config and from auto discovery:

pki/server.crt:
    Subject: O = kubernetes, CN = kubernetes
    X509v3 Subject Alternative Name: 
        DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc,
        DNS:kubernetes.default.svc.cluster, DNS:kubernetes.svc.cluster.local,
        DNS:localhost, DNS:k0s, DNS:k0s-1, DNS:k0s-2, DNS:k0s-3, IP Address:127.0.0.1,
        IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.0.3, IP Address:192.168.0.2,
        IP Address:192.168.0.5, IP Address:10.96.0.1

pki/k0s-api.crt:
    Subject: O = kubernetes, CN = k0s-api
    X509v3 Subject Alternative Name: 
        DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc,
        DNS:kubernetes.default.svc.cluster, DNS:kubernetes.svc.cluster.local,
        DNS:localhost, DNS:k0s, DNS:k0s-1, DNS:k0s-2, DNS:k0s-3, IP Address:127.0.0.1,
        IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.0.3, IP Address:192.168.0.2,
        IP Address:192.168.0.5, IP Address:10.96.0.1

The Golang code that collects them is located here

In contrast to the api.sans config, storage.etcd.peerAddress allows me to set only one address or name, not multiple: config and code

So my suggestion is simple:

1) set a default list of alternative names, including the api.sans list, into all certificates, like it currently works for pki/server.crt and pki/k0s-api.crt
2) convert storage.etcd.peerAddress into a list of strings

List of certificates that require these changes:

pki/etcd/server.crt:
    Subject: O = etcd-server, CN = etcd-server
    X509v3 Subject Alternative Name: 
        DNS:localhost, IP Address:127.0.0.1

pki/etcd/peer.crt:
    Subject: O = etcd-peer, CN = 192.168.0.3
    X509v3 Subject Alternative Name: 
        IP Address:192.168.0.3

pki/apiserver-etcd-client.crt:
    Subject: O = apiserver-etcd-client, CN = apiserver-etcd-client
    X509v3 Subject Alternative Name: 
        DNS:localhost, IP Address:127.0.0.1

Additional certs that could also be updated:

pki/ccm.crt:
    Subject: O = system:kube-controller-manager, CN = system:kube-controller-manager

pki/front-proxy-ca.crt:
    Subject: CN = kubernetes-front-proxy-ca

pki/front-proxy-client.crt:
    Subject: O = front-proxy-client, CN = front-proxy-client

pki/admin.crt:
    Subject: O = system:masters, CN = kubernetes-admin

pki/apiserver-kubelet-client.crt:
    Subject: O = system:masters, CN = apiserver-kubelet-client

pki/scheduler.crt:
    Subject: O = system:kube-scheduler, CN = system:kube-scheduler

pki/konnectivity.crt:
    Subject: O = system:masters, CN = kubernetes-konnectivity

Describe alternatives you've considered

No response

Additional context

No response
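The mismatch the issue describes can be checked directly: Go's TLS stack (which etcd and k0s both use) matches the name or IP being connected to against the certificate's SANs only, so any address a node is reachable at but that is absent from the SAN list fails the handshake. The following is an added example, not code from the k0s project or from the issue author; it builds a self-signed certificate shaped like the pki/etcd/peer.crt shown above (a single IP SAN, constructed here rather than taken from a real cluster), and reports which of a node's reachable addresses that certificate would not cover. The `parsePEMCert` helper is an assumption about how one would load a real .crt file; the address list is constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SANSpec describes the Subject Alternative Names a certificate should carry.
type SANSpec struct {
	CommonName string
	DNSNames   []string
	IPs        []string
}

// selfSignedCert builds a self-signed certificate (constructed for this
// example, not a k0s-issued one) carrying the given DNS and IP SANs.
func selfSignedCert(spec SANSpec) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: spec.CommonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     spec.DNSNames,
	}
	for _, ip := range spec.IPs {
		parsed := net.ParseIP(ip)
		if parsed == nil {
			return nil, fmt.Errorf("invalid IP %q", ip)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, parsed)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// parsePEMCert loads a PEM-encoded certificate file such as pki/etcd/peer.crt
// (hypothetical helper; shown so the check can be run against real files).
func parsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// MissingSANs returns the entries of wanted (DNS names or IP strings) that the
// certificate does not cover. It uses the same hostname check that Go's TLS
// client applies, so every address returned here would fail a TLS handshake.
func MissingSANs(cert *x509.Certificate, wanted []string) []string {
	var missing []string
	for _, addr := range wanted {
		if err := cert.VerifyHostname(addr); err != nil {
			missing = append(missing, addr)
		}
	}
	return missing
}

func main() {
	// Constructed to mirror the pki/etcd/peer.crt dump in the issue: one IP SAN.
	peer, err := selfSignedCert(SANSpec{CommonName: "192.168.0.3", IPs: []string{"192.168.0.3"}})
	if err != nil {
		panic(err)
	}
	// Constructed list of addresses a swarm node might be reached at:
	// its own container IP, a second container IP, and a service DNS name.
	reachable := []string{"192.168.0.3", "192.168.0.2", "k0s-1"}
	fmt.Println("peer.crt does not cover:", MissingSANs(peer, reachable))
}
```

Running it prints the two addresses that the single-SAN peer certificate would reject; swapping `selfSignedCert` for `parsePEMCert` over the real files under the k0s pki directory gives the same check against an actual node, and an empty result for every address the node is reachable at is what a correct SAN list looks like.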

jnummelin commented 1 year ago

> convert storage.etcd.peerAddress into list of strings

hmm, etcd only accepts a single peer address per node, as it's the address that other members are supposed to use to communicate with it. Why would you need multiple SANs on that?