Rke: how to add extra pki dnsname

Created on 1 Dec 2017 · 8 Comments · Source: rancher/rke

We need to add a VIP or load balancer IP to the PKI DNS names, like this:

"1.2.3.4",  # apiserver loadbalance ip
"localhost",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
kind/enhancement kind/question

All 8 comments

Currently we are using the host's address, internal address, and hostname as values for PKI alt names and IPs, but we don't allow for extra names or IPs at the moment. We will consider adding custom IPs and DNS names to the kube API certificate.

@galal-hussein Hi guys, this feature will be useful. By default, we can't add more IPs to the kube API certificate, so when we connect to the apiserver with the load balancer IP, it can't work. We hope that this feature can be implemented as soon as possible, thank you!

Another voice requesting this ability/feature. We could use additional flags for hostnames or IPs to add to the kube API certificate so that we're able to use a load balancer for all master nodes.

+1 to this. Would like to have master nodes load balanced and not exposed publicly. Would be best to be able to add SANs to configuration.

Maybe something like this?

authentication:
  strategy: x509
  controlplane_sans:
    - my.loadbalancer.com

Submitted a PR #433 -- Looking for feedback from you guys. Thanks!

I can confirm with the latest master that extra SANs were added to the kubeapi certificate:

 DNS:my-loadbalancer-1234567890.us-west-2.elb.amazonaws.com, DNS:localhost, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:159.65.47.98, IP Address:159.65.253.200, IP Address:167.99.61.54, IP Address:10.18.160.10, IP Address:127.0.0.1, IP Address:10.233.0.1

With version 0.2.2 it seems that the extra SANs are no longer added.

cluster.yml:

authentication:
      strategy: x509
      sans: 
        - "207.154.234.236"

openssl x509 -in kube-apiserver.pem -text -noout

DNS:localhost, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:192.168.12.10, IP Address:192.168.12.11, IP Address:192.168.12.16, IP Address:127.0.0.1, IP Address:10.43.0.1

I have the same issue
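
The comparison made by hand in the last comments (the `sans` entry in cluster.yml against the SAN list openssl prints) can be scripted. This is an added example, not part of the thread or of RKE; `missing_sans` is a hypothetical helper name, and it assumes IPv4 addresses and DNS names only.

```shell
#!/bin/sh
# Added example, not code from the thread or from RKE.
# missing_sans is a hypothetical helper; IPv6 entries are not handled.
#
# usage: missing_sans SAN_LINE WANTED...
#   SAN_LINE  the Subject Alternative Name value as printed by openssl
#   WANTED    addresses clients will use to reach the apiserver
# Prints every WANTED address the certificate does not cover and
# returns 1 if any is missing, 0 otherwise.
missing_sans() {
    san_line=$1
    shift
    rc=0
    for want in "$@"; do
        # TLS clients match an IP literal only against iPAddress entries
        # and a hostname only against dNSName entries, so pick the prefix
        # openssl would print for this kind of value.
        case $want in
            *[!0-9.]*) needle="DNS:$want" ;;         # anything else: hostname
            *)         needle="IP Address:$want" ;;  # digits and dots: IPv4
        esac
        # One entry per line, trimmed, then an exact whole-line match so
        # that 192.168.12.1 is not satisfied by 192.168.12.10.
        if ! printf '%s\n' "$san_line" | tr ',' '\n' |
                sed 's/^ *//; s/ *$//' | grep -Fxq -- "$needle"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# SAN line copied from the 0.2.2 report in the thread above.
SAN_LINE='DNS:localhost, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:192.168.12.10, IP Address:192.168.12.11, IP Address:192.168.12.16, IP Address:127.0.0.1, IP Address:10.43.0.1'

# Against a certificate file (OpenSSL 1.1.1 or later):
#   san=$(openssl x509 -in kube-apiserver.pem -noout -ext subjectAltName | tail -n 1)
#   missing_sans "$san" 207.154.234.236
```

Run against the 0.2.2 output above with the address from that cluster.yml, the helper reports `207.154.234.236` as missing, which matches what the commenter observed.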
