diff --git a/cluster/aws/templates/salt-master.sh b/cluster/aws/templates/salt-master.sh
index eaa15f5eb0..f9871b5738 100755
--- a/cluster/aws/templates/salt-master.sh
+++ b/cluster/aws/templates/salt-master.sh
@@ -44,6 +44,12 @@ if [[ -n "${KUBELET_ROOT}" ]]; then
 EOF
 fi
+if [[ -n "${MASTER_EXTRA_SANS}" ]]; then
+ cat <>/etc/salt/minion.d/grains.conf
+ master_extra_sans: '$(echo "$MASTER_EXTRA_SANS" | sed -e "s/'/''/g")'
+EOF
+fi
+
 # Auto accept all keys from minions that try to join
 mkdir -p /etc/salt/master.d
 cat </etc/salt/master.d/auto-accept.conf
diff --git a/cluster/aws/util.sh b/cluster/aws/util.sh
index a6572d2f5b..e42c5911c3 100644
--- a/cluster/aws/util.sh
+++ b/cluster/aws/util.sh
@@ -770,6 +770,13 @@ function kube-up {
 # Get or create master persistent volume
 ensure-master-pd
+ # Determine extra certificate names for master
+ octets=($(echo "$SERVICE_CLUSTER_IP_RANGE" | sed -e 's|/.*||' -e 's/\./ /g'))
+ ((octets[3]+=1))
+ service_ip=$(echo "${octets[*]}" | sed 's/ /./g')
+ MASTER_EXTRA_SANS="IP:${service_ip},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.${DNS_DOMAIN},DNS:${MASTER_NAME}"
+
+
 (
 # We pipe this to the ami as a startup script in the user-data field. Requires a compatible ami
 echo "#! /bin/bash"
@@ -800,6 +807,7 @@ function kube-up {
 echo "readonly KUBELET_TOKEN='${KUBELET_TOKEN}'"
 echo "readonly KUBE_PROXY_TOKEN='${KUBE_PROXY_TOKEN}'"
 echo "readonly DOCKER_STORAGE='${DOCKER_STORAGE:-}'"
+ echo "readonly MASTER_EXTRA_SANS='${MASTER_EXTRA_SANS:-}'"
 grep -v "^#" "${KUBE_ROOT}/cluster/aws/templates/common.sh"
 grep -v "^#" "${KUBE_ROOT}/cluster/aws/templates/format-disks.sh"
 grep -v "^#" "${KUBE_ROOT}/cluster/aws/templates/setup-master-pd.sh"
diff --git a/cluster/saltbase/salt/generate-cert/init.sls b/cluster/saltbase/salt/generate-cert/init.sls
index cfe53747b1..524257b9a3 100644
--- a/cluster/saltbase/salt/generate-cert/init.sls
+++ b/cluster/saltbase/salt/generate-cert/init.sls
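Review bot: The `sed -e "s/'/''/g"` on the `master_extra_sans:` line is the correct escaping for a YAML single-quoted scalar, but it reads as magic to the next maintainer; I would put `# grains.conf is YAML: inside a single-quoted scalar an embedded ' is written as ''` above the `cat` line. In this rendering the heredoc redirection on that `cat` line shows no `<<EOF` delimiter, which looks like an extraction artefact rather than the committed text, so the heredoc boundary should be confirmed against the file itself.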
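Review bot: `octets` and `service_ip` are assigned inside `function kube-up` without `local`, and nothing verifies that `SERVICE_CLUSTER_IP_RANGE` actually split into four octets before `((octets[3]+=1))` runs, so an empty or malformed range either aborts the arithmetic with no useful message or produces a bogus `IP:` SAN (a range ending in .255 yields an invalid address). I would declare `local octets service_ip` and add, after the `octets=(...)` line, `(( ${#octets[@]} == 4 )) || { echo "SERVICE_CLUSTER_IP_RANGE must be an IPv4 CIDR, got '${SERVICE_CLUSTER_IP_RANGE}'" >&2; exit 1; }` (or whatever failure convention kube-up uses elsewhere). The `+=1` also deserves a why-comment, since it appears to derive the first host address of the service range as the API service IP; if that is the intent, say so, e.g. `# first usable address of the service range is presumably the kubernetes service IP`. kube-up continues outside this hunk and the next one.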
@@ -1,3 +1,4 @@
+{% set master_extra_sans=grains.get('master_extra_sans', '') %}
 {% if grains.cloud is defined %}
 {% if grains.cloud == 'gce' %}
 {% set cert_ip='_use_gce_external_ip_' %}
@@ -35,7 +36,7 @@ kubernetes-cert:
 - unless: test -f /srv/kubernetes/server.cert - source: salt://generate-cert/{{certgen}} {% if cert_ip is defined %} - args: {{cert_ip}} + - args: {{cert_ip}} {{master_extra_sans}} - require: - pkg: curl {% endif %}
diff --git a/cluster/saltbase/salt/generate-cert/make-ca-cert.sh b/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
index 5ad79efc66..b96c8d4b98 100755
--- a/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
+++ b/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
@@ -19,6 +19,7 @@ set -o nounset
 set -o pipefail
 cert_ip=$1
+extra_sans=${2:-}
 cert_dir=/srv/kubernetes
 cert_group=kube-cert
@@ -40,6 +41,11 @@ if [ "$cert_ip" == "_use_azure_dns_name_" ]; then
 use_cn=true
 fi
+sans="IP:${cert_ip}"
+if [[ -n "${extra_sans}" ]]; then
+ sans="${sans},${extra_sans}"
+fi
+
 tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
 trap 'rm -rf "${tmpdir}"' EXIT
 cd "${tmpdir}"
@@ -67,7 +73,7 @@ if [ $use_cn = "true" ]; then
 cp -p pki/issued/$cert_ip.crt "${cert_dir}/server.cert" > /dev/null 2>&1
 cp -p pki/private/$cert_ip.key "${cert_dir}/server.key" > /dev/null 2>&1
 else
- ./easyrsa --subject-alt-name=IP:$cert_ip build-server-full kubernetes-master nopass > /dev/null 2>&1
+ ./easyrsa --subject-alt-name="${sans}" build-server-full kubernetes-master nopass > /dev/null 2>&1
 cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
 cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1
 fi
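Review bot: `- args: {{cert_ip}} {{master_extra_sans}}` splices the grain value into the script's argument string unquoted, so if the grain ever contains whitespace or shell metacharacters it would be split into extra arguments or, as far as I can tell from how `cmd.script` args are run through a shell, interpreted by it. Today the value is assembled by kube-up from `DNS_DOMAIN` and `MASTER_NAME` and then written to grains.conf, so it is operator-controlled, but the defensive form costs nothing and keeps the two positional parameters stable even when the grain is empty: `- args: "'{{cert_ip}}' '{{master_extra_sans}}'"`. The `kubernetes-cert` state begins above this hunk.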
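Review bot: `extra_sans=${2:-}` introduces a second positional parameter without saying what shape it must have; the only clue is that it is concatenated straight into easyrsa's `--subject-alt-name` further down. I would document it at the assignment: `# $2 (optional): extra subjectAltName entries in easyrsa syntax, comma-separated, e.g. DNS:kubernetes.default`.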
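Review bot: The new `if [[ -n "${extra_sans}" ]]; then` uses the bash `[[` test while the surrounding file uses `[ ... ]` (the hunk header's own `if [ "$cert_ip" == "_use_azure_dns_name_" ]` and `if [ $use_cn = "true" ]` below); mixing the two forms in one script is a small readability tax, so I would write `if [ -n "${extra_sans}" ]; then` to match. Behaviour is identical here since the operand is quoted.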
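Review bot: `${sans}` is consumed only in the `else` branch; in the `use_cn = "true"` branch at the top of the hunk the certificate is built from `$cert_ip` alone (that easyrsa invocation is above the hunk), so any `extra_sans` passed on that path are silently dropped and the resulting server.cert carries none of the `kubernetes.default...` names. Clients that reach the API through those names on a `use_cn` cloud will then fail TLS verification with no hint why. Either thread `--subject-alt-name="${sans}"` into that branch as well, or at least make the loss visible with `[ -n "${extra_sans}" ] && echo "warning: extra SANs ignored when use_cn=true" >&2` before the `if`.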