
USHIFT-246: New Altnames in kube-apiserver certs

Open rgordill opened this issue 3 years ago • 6 comments

Design Document Link

PR: #<PR Number>

What would you like to be added:

Due to https://github.com/openshift/microshift/blob/main/pkg/cmd/init.go#L82-L88, the kube-apiserver certs are limited to several internal IPs and known names. The only configurable name/ips for external access are the nodename and the nodeip. However, in some cases, an external Firewall/LB is used, or an FQDN is set up for the DNS resolution.

If calling from clients without the proper altname in the cert, there is some extra work to be done to avoid issues and/or to disable cert checks, with the security impact that entails.

A new configuration field like "cluster.extraCertAPINames" could help to solve the limitation.

Why is this needed:

To avoid client issues when calling the API server without proper DNS resolution/names.

rgordill avatar Aug 02 '22 07:08 rgordill

Using kubectl, we either have to set --insecure-skip-tls-verify=true or --tls-server-name (the latter only if not using SNI), or an error like this is thrown:

Unable to connect to the server: x509: certificate is valid for kube-apiserver, microshift, kubernetes.default.svc, kubernetes.default, kubernetes, localhost, 10.128.1.138, 127.0.0.1, 10.43.0.1, not <hostname>

rgordill avatar Aug 04 '22 09:08 rgordill

/kind feature

dhellmann avatar Aug 21 '22 17:08 dhellmann

We can update the alt-names as shown in section "Update the kube-api certificate" in https://community.ibm.com/community/user/cloud/blogs/alexei-karve/2022/01/03/microshift-8

thinkahead avatar Aug 22 '22 22:08 thinkahead

Thanks @thinkahead for your suggestion. I could add it manually; although I guess it is not a long-term solution, at least it lets me move forward with my tests.

I think I have to set up the FQDN in the nodeName configuration, so this issue would be fixed, as would the other ones I am facing now (like running kubectl logs, which redirects to https://microshift:10250, a name that is only resolved by the node).

rgordill avatar Aug 24 '22 10:08 rgordill

/retitle USHIFT-246: New Altnames in kube-apiserver certs

ggiguash avatar Aug 28 '22 13:08 ggiguash

I'm running Microshift on an AWS snowcone. Like all EC2 instances it has its own internal IP addresses, which microshift knows about when installing, and a public IP associated with the instance that microshift doesn't know about. I created a script that takes the certs created during install and adds custom DNS and IPs to the SAN. I tested this with ACM running on OCP in AWS and it worked fine:

https://github.com/dmc5179/snowcone-microshift/blob/main/certs.sh

dmc5179 avatar Aug 29 '22 23:08 dmc5179
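To make the SAN mismatch in the x509 error above concrete, and to show what adding the external names to the cert (as the script above and the proposed "cluster.extraCertAPINames" field would) changes for a client, here is an added example that is not part of the MicroShift project or of anyone's script in this thread. It builds a throwaway self-signed cert carrying the same default SANs the error message lists and checks it with Go's standard x509 hostname verification; the hostnames api.example.internal and 203.0.113.10 are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Default SANs, copied from the x509 error quoted in this issue.
var defaultDNS = []string{"kube-apiserver", "microshift", "kubernetes.default.svc", "kubernetes.default", "kubernetes", "localhost"}
var defaultIPs = []string{"10.128.1.138", "127.0.0.1", "10.43.0.1"}

// buildAPIServerCert returns a self-signed test cert whose SANs are the
// defaults plus extraNames (hostnames or IP literals are both accepted).
func buildAPIServerCert(extraNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     append([]string{}, defaultDNS...),
	}
	for _, s := range append(append([]string{}, defaultIPs...), extraNames...) {
		if ip := net.ParseIP(s); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip) // IP SAN
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, s) // DNS SAN
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CoversHost reports whether a cert issued with extraNames would satisfy a
// client connecting to host, using the same check kubectl's TLS stack applies.
func CoversHost(extraNames []string, host string) (bool, error) {
	cert, err := buildAPIServerCert(extraNames)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

func main() {
	extra := []string{"api.example.internal", "203.0.113.10"} // placeholder external FQDN and LB IP
	for _, host := range []string{"microshift", "api.example.internal", "203.0.113.10"} {
		before, _ := CoversHost(nil, host)
		after, _ := CoversHost(extra, host)
		fmt.Printf("%-22s default cert: %-5v with extra SANs: %v\n", host, before, after)
	}
}
```

The same check can be run against a live endpoint by fetching the served certificate with crypto/tls and calling VerifyHostname on it, which tells you whether --tls-server-name is a safe alternative to disabling verification.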

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot avatar Nov 28 '22 01:11 openshift-bot

/remove-lifecycle stale

ggiguash avatar Nov 28 '22 06:11 ggiguash