kubekey
Support dynamic update of apiserver's certSANs
Your current KubeKey version
version.BuildInfo{Version:"1.1.0", GitCommit:"70671f7", GitTreeState:"", GoVersion:"go1.14.15"}
Describe this feature
In some scenarios, the apiserver needs to be exposed externally after the cluster is created, such as by binding an additional EIP to the apiserver. At that point its certificate needs to be updated. I hope kk can provide such a function: dynamic update of the apiserver's certSANs.
Describe the solution you'd like
I have two ideas:
- Modify the apiserverCertExtraSans field in config-sample, and then execute kk upgrade; kk renews the certificate during the upgrade process
- Extend kk certs, providing an independent command to update certs, such as: ./kk certs addSans 1.1.1.1
Additional information
We can view the cluster certificate status like this:
# openssl s_client -connect master1:6443 </dev/null | openssl x509 -noout -ext subjectAltName
depth=0 CN = kube-apiserver
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = kube-apiserver
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
X509v3 Subject Alternative Name:
DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:lb.kubesphere.local, DNS:localhost, DNS:master1, DNS:master1.cluster.local, DNS:worker-s001, DNS:worker-s001.cluster.local, DNS:worker-s002, DNS:worker-s002.cluster.local, IP Address:10.96.0.1, IP Address:172.17.2.5, IP Address:127.0.0.1, IP Address:172.17.2.4, IP Address:172.17.2.3
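The openssl command above reads the SANs off the running apiserver. As an added example (not KubeKey's code and not part of the issue), the Go program below models what "dynamic update of certSANs" comes down to: a certificate's SAN set is fixed when it is issued, so adding an EIP means issuing a new certificate and then re-checking it. It issues a self-signed stand-in for the apiserver certificate with a constructed SAN list borrowed from the output above, reports which required names are missing (the 1.1.1.1 from the proposed addSans command), reissues with that IP added, and checks again. The self-signed issuance and the function names issueCert, missingSANs and sanList are assumptions of this example; in a real cluster the certificate is issued by the cluster CA (kubeadm keeps the extra SANs in its ClusterConfiguration).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// issueCert builds a self-signed serving certificate carrying the given
// DNS and IP SANs. Stand-in for the CA-issued apiserver cert (assumption).
func issueCert(dnsNames []string, ips []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var ipAddrs []net.IP
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			// A bad entry in certSANs must fail loudly, not silently drop the SAN.
			return nil, fmt.Errorf("invalid IP SAN %q", s)
		}
		ipAddrs = append(ipAddrs, ip)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ipAddrs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// missingSANs returns every required name (DNS or IP literal) that the
// certificate does not cover. VerifyHostname matches IPs against the
// IP SANs and hostnames against the DNS SANs, exactly as a client would.
func missingSANs(cert *x509.Certificate, required []string) []string {
	var missing []string
	for _, name := range required {
		if cert.VerifyHostname(name) != nil {
			missing = append(missing, name)
		}
	}
	return missing
}

// sanList renders the SAN extension in the layout openssl prints for
// "X509v3 Subject Alternative Name", so output can be eyeballed against it.
func sanList(cert *x509.Certificate) string {
	var parts []string
	for _, d := range cert.DNSNames {
		parts = append(parts, "DNS:"+d)
	}
	for _, ip := range cert.IPAddresses {
		parts = append(parts, "IP Address:"+ip.String())
	}
	return strings.Join(parts, ", ")
}

func main() {
	// Constructed SAN set, trimmed from the openssl output in the issue.
	dns := []string{"kubernetes", "kubernetes.default.svc.cluster.local", "lb.kubesphere.local", "master1"}
	ips := []string{"10.96.0.1", "172.17.2.5", "127.0.0.1"}
	current, err := issueCert(dns, ips)
	if err != nil {
		panic(err)
	}
	fmt.Println("current SANs:", sanList(current))

	// The new EIP a client will connect to; the old cert cannot be patched to include it.
	required := []string{"lb.kubesphere.local", "1.1.1.1"}
	fmt.Println("missing before update:", missingSANs(current, required))

	updated, err := issueCert(dns, append(ips, "1.1.1.1"))
	if err != nil {
		panic(err)
	}
	fmt.Println("missing after update:", missingSANs(updated, required))
}
```

Whichever of the two proposed designs lands (re-running kk upgrade or a dedicated kk certs addSans), the post-condition worth checking is the same: run the openssl command from the issue against every control-plane node after the renewal and confirm the new address appears, since a kubelet or kubectl client that hits the EIP before the apiserver has reloaded the reissued certificate still sees the old SAN list.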