Allows additional Subject Alternate Names #2063
Conversation
|
Hi @pdh. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: yes
|
@k8s-bot ok to test |
cmd/kops/create_cluster.go
Outdated
| @@ -167,6 +168,8 @@ func NewCmdCreateCluster(f *util.Factory, out io.Writer) *cobra.Command { | |||
| cmd.Flags().StringSliceVar(&options.NodeSecurityGroups, "node-security-groups", options.NodeSecurityGroups, "Add precreated additional security groups to nodes.") | |||
| cmd.Flags().StringSliceVar(&options.MasterSecurityGroups, "master-security-groups", options.MasterSecurityGroups, "Add precreated additional security groups to masters.") | |||
|
|
|||
| cmd.Flags().StringSliceVar(&options.AdditionalSANs, "additional-sans", options.AdditionalSANs, "Add additional Subject Alternate Names to the kops generated apiserver cert") | |||
There was a problem hiding this comment.
Should we have this cli option? We try not to have all api level option via the cli.
There was a problem hiding this comment.
Yeah, I agree that this may not be desired to add as a CLI option. Happy to remove.
| @@ -21,6 +21,8 @@ spec: | |||
| kubernetesVersion: v1.4.6 | |||
| masterInternalName: api.internal.minimal.example.com | |||
| masterPublicName: api.minimal.example.com | |||
| additionalSans: | |||
| - proxy.api.minimal.example.com | |||
There was a problem hiding this comment.
Do we need this in the dockerbuilder test? Or do we need another test??
pkg/apis/kops/v1alpha1/cluster.go
Outdated
| @@ -68,6 +68,9 @@ type ClusterSpec struct { | |||
| // MasterInternalName is the internal DNS name for the master nodes | |||
| MasterInternalName string `json:"masterInternalName,omitempty"` | |||
|
|
|||
| // AdditionalSANs adds additional Subject Alternate Names to apiserver cert that kops generates | |||
| AdditionalSANs []string `json:"additionalSans,omitempty"` | |||
There was a problem hiding this comment.
@justinsb et al ... AdditionalSANs ... is SANs a common reference. SSL and TLS are probably one of my weakest areas ... lol
pkg/apis/kops/cluster.go
Outdated
| @@ -67,6 +67,9 @@ type ClusterSpec struct { | |||
| // MasterInternalName is the internal DNS name for the master nodes | |||
| MasterInternalName string `json:"masterInternalName,omitempty"` | |||
|
|
|||
| // AdditionalSANs adds additional Subject Alternate Names to apiserver cert that kops generates | |||
| AdditionalSANs []string `json:"additionalSans,omitempty"` | |||
There was a problem hiding this comment.
So this adds the API value. Where is the biz logic to add the SAN to the cert? I am probably missing it.
|
👍 |
|
This looks good.. I'll just have to ponder whether Do you mind if I move it if I decide it should go somewhere else @pdh? The top candidate in my mind is under the Also, |
|
Thanks for taking a look. @justinsb definitely feel free to move it. |
|
@justinsb I would like the docker unit test removed, and had a couple of other questions. May be off base ;) |
|
Love for this to be accepted, as I'm having to run with the flag --insecure-skip-tls-verify in my clusters that are being accessed through an NGINX proxy. :-( |
|
bump |
|
bump.. this will be super helpful to access apiserver from outside the network. Current stuck on this. |
|
Once the reviews are resolved we can get this in. If the author wants someone else can branch and push the needed changes. |
|
I think all should be addressed now. Let me know if anything else is needed. |
|
Assigning to @justinsb as he had the last comments |
|
Any chance this can be reviewed? |
pkg/apis/kops/v1alpha2/cluster.go
Outdated
| @@ -65,6 +65,9 @@ type ClusterSpec struct { | |||
| // MasterInternalName is the internal DNS name for the master nodes | |||
| MasterInternalName string `json:"masterInternalName,omitempty"` | |||
|
|
|||
| // AdditionalSANs adds additional Subject Alternate Names to apiserver cert that kops generates | |||
| AdditionalSANs []string `json:"additionalSans,omitempty"` | |||
There was a problem hiding this comment.
why not additionalSAN? The capitalization is bit odd given there's networkCIDR.
|
Maybe there should be a PKI section in the spec? I can imagine a few other sections like Node CSR approval and certificate expiration/revocation that could go under there also. |
|
@pdh PR needs rebase |
k8s-github-robot
added
the
needs-rebase
|
I think this should go into the next release. |
|
Needs a rebase :( |
pdh
force-pushed
the
additional-sans
branch
from
3fa03b4
to
1d2d020
Compare
k8s-ci-robot
added
the
size/S
k8s-github-robot
removed
the
needs-rebase
pdh
force-pushed
the
additional-sans
branch
from
1d2d020
to
4a05fc5
Compare
|
@chrislovecnm rebased 👍 |
|
@blakebarnett can you take a look at this? Let me know if you cannot |
|
My only issues are with the naming and capitalization of the JSON parameters ( If everyone else is happy with it as is, fine with merging, would really like to use this. |
|
We'd love to use this as well 👍 |
pdh
force-pushed
the
additional-sans
branch
3 times, most recently
from
07b2529
to
14f22d0
Compare
|
@chrislovecnm @justinsb Hi folks, just giving this a nudge. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
ghost
mentioned this pull request
|
Does this also works for creating cluster through terraform? |
Adds support for specifying additional SANs for issue #1922
This change is