
Adding multiple SANs to cluster certificate

Open nkruniceva opened this issue 5 years ago • 1 comments

Hello,

Is it possible to add a SAN to a default certificate created by CSE for kube-apiserver?

The default certificate contains only the node name and private IPs, which allows securely verified communication to the cluster only from the local network, while a common use case can be to publish the API over the Internet.

BR, Nevena Krunic

nkruniceva avatar Feb 21 '20 15:02 nkruniceva

Azure Kubernetes Service solves this by letting you define a public DNS name during the cluster creation wizard, and this DNS name ends up in the kube-apiserver certificate along with the private DNS names and IPs.

Maybe it would be possible to add an option to vcd cse cluster create to define additional SAN(s) to be included in the kube-apiserver certificate? Something like

vcd cse cluster create --additional-san k8s.domain.com ...

kubeadm (which I'm guessing is used for bootstrapping the cluster) allows defining additional SANs through its config YAML:

apiServer:
  certSANs:
  - "172.29.50.162"
  - "k8s.domain.com"
  extraArgs:
    ...

nilic avatar Mar 03 '20 13:03 nilic
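The kubeadm `apiServer.certSANs` fragment above is the piece a `--additional-san` option would have to generate. The following is an added example, not code from container-service-extension or from either commenter: it merges CSE's default SAN set (node name plus private IPs) with operator-supplied public names, validates each entry as an IP or DNS name, renders the kubeadm `ClusterConfiguration` fragment, and checks whether a given public hostname would actually be covered by the resulting certificate. The `apiVersion` value `kubeadm.k8s.io/v1beta2` is an assumption for the kubeadm versions of that era, all function names are hypothetical, and the node name, IP and `k8s.domain.com` values are constructed sample input. Standard library only.

```python
"""Build a kubeadm ClusterConfiguration fragment whose apiServer.certSANs
covers both the private defaults and extra public names, then verify that
a client-facing hostname would validate against that SAN list.

Added example, not part of container-service-extension.
"""
import ipaddress
import re

# RFC 1123 hostname label: 1-63 chars of letters, digits or hyphens,
# not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_san(value: str) -> str:
    """Return 'ip' or 'dns' for a valid SAN entry; raise ValueError otherwise."""
    value = value.strip()
    if not value:
        raise ValueError("empty SAN")
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass  # not an IP literal, fall through to DNS rules
    if len(value) > 253:
        raise ValueError(f"SAN too long: {value!r}")
    labels = value.rstrip(".").split(".")
    # A leftmost wildcard label is acceptable in a DNS SAN.
    if labels and labels[0] == "*":
        labels = labels[1:]
    if labels and all(_LABEL.match(label) for label in labels):
        return "dns"
    raise ValueError(f"invalid SAN: {value!r}")


def is_valid_san(value: str) -> bool:
    """Boolean wrapper around classify_san for callers that do not want exceptions."""
    try:
        classify_san(value)
        return True
    except ValueError:
        return False


def build_cert_sans(node_name, private_ips, additional_sans=()):
    """Merge defaults with additional SANs, validating each and deduplicating
    while preserving order (first occurrence wins)."""
    merged = []
    for san in [node_name, *private_ips, *additional_sans]:
        classify_san(san)  # raises on malformed input before it reaches kubeadm
        if san not in merged:
            merged.append(san)
    return merged


def build_cluster_config(node_name, private_ips, additional_sans=()):
    """Return a dict in the shape of a kubeadm ClusterConfiguration fragment.
    apiVersion v1beta2 is an assumption for the kubeadm versions of that era."""
    return {
        "apiVersion": "kubeadm.k8s.io/v1beta2",
        "kind": "ClusterConfiguration",
        "apiServer": {"certSANs": build_cert_sans(node_name, private_ips, additional_sans)},
    }


def to_yaml(obj, indent=0):
    """Minimal YAML emitter for nested dicts and lists of strings (the only
    shapes this fragment uses); list items sit at the key's indent, as in
    the kubeadm snippet above."""
    pad = "  " * indent
    lines = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, dict):
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(value, indent + 1))
            elif isinstance(value, list):
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(value, indent))
            else:
                lines.append(f"{pad}{key}: {value}")
    elif isinstance(obj, list):
        for item in obj:
            lines.append(f'{pad}- "{item}"')
    return "\n".join(lines)


def hostname_covered(sans, hostname):
    """True if a TLS client connecting to `hostname` would find a matching SAN
    (case-insensitive exact match, or a leftmost-label wildcard match)."""
    host = hostname.rstrip(".").lower()
    for san in sans:
        entry = san.rstrip(".").lower()
        if entry == host:
            return True
        if entry.startswith("*.") and "." in host and host.split(".", 1)[1] == entry[2:]:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: one node, one private IP, one public name.
    cfg = build_cluster_config("node-1", ["172.29.50.162"], ["k8s.domain.com"])
    print(to_yaml(cfg))
    default_only = build_cert_sans("node-1", ["172.29.50.162"])
    print("public name covered by default cert:",
          hostname_covered(default_only, "k8s.domain.com"))
    print("public name covered with extra SAN:",
          hostname_covered(cfg["apiServer"]["certSANs"], "k8s.domain.com"))
```

Running the block prints the rendered fragment and then `False` followed by `True`, which is the gap the issue describes: with only the node name and private IP in the SAN list, a client reaching the API server via `k8s.domain.com` cannot verify the certificate, and adding the name to `certSANs` closes it. Validating entries up front matters because a malformed SAN would otherwise only surface as a kubeadm failure during cluster bootstrap.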