
Support multiple alternative names in the API certificate

Open rothgar opened this issue 1 year ago • 4 comments

The K2D_ADVERTISE_ADDR currently accepts a single option to sign the certificate. It would be useful to be able to sign alternative names or IP addresses for certificates to be trusted based on IP addresses or aliases.

For example, I would like to be able to use the hostname of the machine, IP address for the LAN, and IP address and hostname from my tailscale network.

rothgar avatar Oct 15 '24 16:10 rothgar

Hey @rothgar do you mind testing the build provided via https://github.com/portainer/k2d/pull/94 ?

You can use the -e K2D_ALT_NAMES=name1,name2 environment variable to specify one or more alt names to be associated with the certificate.

The build above can be tested via the portainer/k2d:pr94 image.

deviantony avatar Nov 09 '24 18:11 deviantony

That throws an error for me

2024-11-11T17:32:12.814Z        INFO    cmd/k2d.go:89   starting k2d    {"version": "1.0.0", "config": {"AdvertiseAddr":"192.168.4.4,d.lan","AltNames":null,"DataPath":"/var/lib/k2d","DockerClientTimeout":600000000000,"LogFormat":"text","LogLevel":"debug","OperationBatchMaxSize":25,"OperationNamespaceDeletionDelay":3000000000,"Port":6443,"PortainerAgentVersion":"latest","PortainerEdgeKey":"","PortainerEdgeID":"","Secret":"YOUR_SECRET","StoreBackend":"disk","StoreRegistryBackend":"volume","StoreVolumeCopyImageName":"portainer/pause:latest"}}
2024-11-11T17:32:12.814Z        FATAL   cmd/k2d.go:96   unable to get advertise IP address: invalid IP address: 192.168.4.4,d.lan
main.main
        /home/runner/work/k2d/k2d/cmd/k2d.go:96
runtime.main
        /opt/hostedtoolcache/go/1.23.3/x64/src/runtime/proc.go:272

rothgar avatar Nov 11 '24 17:11 rothgar

@rothgar you have to use the -e K2D_ALT_NAMES= flag.

e.g.

docker run -d \
  --name k2d-k2d \
  --network host \
  --restart always \
  --env K2D_ADVERTISE_ADDR=192.168.4.4 \
  --env K2D_ALT_NAMES=d.lan \
  --env K2D_SECRET=MYSECRET \
  --label resource.k2d.io/namespace-name=k2d \
  --label workload.k2d.io/name=k2d \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  --volume /var/lib/k2d:/var/lib/k2d \
  portainer/k2d:1.0.0

deviantony avatar Nov 11 '24 20:11 deviantony

Thanks for pointing that out. I tried again with

docker run -d \
  --name k2d \
  --network host \
  --restart always \
  --env K2D_ADVERTISE_ADDR=${IP} \
  --env K2D_ALT_NAMES=d.lan,d.gerbil-dragon.ts.net \
  --env K2D_SECRET=YOUR_SECRET \
  --label resource.k2d.io/namespace-name=k2d \
  --label workload.k2d.io/name=k2d \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  --volume /volume1/@docker/k2d:/var/lib/k2d \
  portainer/k2d:pr94

This time I tried signing it with my tailnet DNS and local lan DNS but if I download the kubeconfig and change the host it fails.

kubectl get nodes
The connection to the server d.gerbil-dragon.ts.net:6443 was refused - did you specify the right host or port?

And openssl doesn't have the alt names

openssl s_client -connect 192.168.4.4:6443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep -i -a1 alt
                01:02:03:04:06
            X509v3 Subject Alternative Name: 
                DNS:kubernetes.default.svc, IP Address:192.168.4.4, IP Address:0:0:0:0:0:0:0:1

The container logs look fine though

2024-11-12T04:51:25.340Z        INFO    cmd/k2d.go:89   starting k2d    {"version": "1.0.0", "config": {"AdvertiseAddr":"192.168.4.4","AltNames":["d.lan","d.gerbil-dragon.ts.net"],"DataPath":"/var/lib/k2d","DockerClientTimeout":600000000000,"LogFormat":"text","LogLevel":"debug","OperationBatchMaxSize":25,"OperationNamespaceDeletionDelay":3000000000,"Port":6443,"PortainerAgentVersion":"latest","PortainerEdgeKey":"","PortainerEdgeID":"","Secret":"YOUR_SECRET","StoreBackend":"disk","StoreRegistryBackend":"volume","StoreVolumeCopyImageName":"portainer/pause:latest"}}

rothgar avatar Nov 12 '24 04:11 rothgar
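The two things the thread turns on are how a comma-separated alt-name list becomes the certificate's Subject Alternative Name extension (deviantony's `K2D_ALT_NAMES` comment) and how to check which hosts a given certificate actually covers (rothgar's `openssl s_client` check). The Go program below is an added example, not k2d's own code: `splitAltNames`, `selfSignedServerCert` and `coversHost` are hypothetical helpers that build a self-signed server certificate from an advertise address plus an alt-name list, then ask the standard library's hostname verifier whether a client connecting to a given IP or DNS name would accept it. The sample values are the ones quoted in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// splitAltNames parses a comma-separated list (the shape the thread's
// K2D_ALT_NAMES value takes) into DNS names and IP addresses. Entries that
// parse as an IP go into the IP SAN list; everything else is a DNS SAN.
func splitAltNames(list string) (dns []string, ips []net.IP) {
	for _, raw := range strings.Split(list, ",") {
		name := strings.TrimSpace(raw)
		if name == "" {
			continue
		}
		if ip := net.ParseIP(name); ip != nil {
			ips = append(ips, ip)
			continue
		}
		dns = append(dns, name)
	}
	return dns, ips
}

// selfSignedServerCert builds a self-signed server certificate whose SAN
// extension carries advertiseAddr plus every alternative name. Hypothetical
// helper written for this example; k2d's real certificate code is not shown
// in the thread.
func selfSignedServerCert(advertiseAddr, altNames string) (*x509.Certificate, error) {
	dns, ips := splitAltNames(advertiseAddr + "," + altNames)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "k2d-api (constructed example)"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Parse the DER back so we inspect what a client would actually receive.
	return x509.ParseCertificate(der)
}

// coversHost reports whether a TLS client connecting to host (an IP or a DNS
// name) would accept this certificate's SAN entries. It uses the same
// hostname check the Go TLS stack applies, which ignores the CommonName.
func coversHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	cert, err := selfSignedServerCert("192.168.4.4", "d.lan,d.gerbil-dragon.ts.net")
	if err != nil {
		panic(err)
	}
	fmt.Println("DNS SANs:", cert.DNSNames)
	fmt.Println("IP SANs: ", cert.IPAddresses)
	for _, h := range []string{"192.168.4.4", "d.lan", "d.gerbil-dragon.ts.net", "other.lan"} {
		fmt.Printf("%-25s covered=%v\n", h, coversHost(cert, h))
	}
}
```

Running `coversHost` against a certificate fetched from a live endpoint (for instance one saved from the `openssl s_client ... | openssl x509` pipeline in the thread) gives the same answer `kubectl` would reach when the kubeconfig host is changed: a name absent from the SAN list is rejected regardless of what the server logs report as configured.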