
customize TLS cert SAN for apiserver

Open mechpen opened this issue 5 years ago • 1 comments

When creating the TLS cert for apiserver, the SAN is set to use the node FQDN and other predefined DNS names, such as leader.telekube.local, apiserver, etc.

Is it possible to add custom DNS names? For example apiserver.<cluster-name>.

The purpose of the feature is to allow a cluster to be accessible from outside the cluster.

mechpen, Dec 12 '18 00:12

I don't believe this is currently available in the OSS version through configuration. I'll leave this ticket open so we do address it.

As a workaround, you might be able to deploy teleport (https://github.com/gravitational/teleport) as a proxy in front of the gravity cluster. This is our preferred tooling for sso/audit/proxy to kube clusters, although we use a sort of different deployment model in enterprise releases.

knisbet, Dec 19 '18 20:12