Allows additional Subject Alternate Names

kubernetes · Sep 28, 2017 · 4a05fc5 · 4a05fc5
1 parent ea31478
commit 4a05fc5
Show file tree

Hide file tree

Showing 10 changed files with 19 additions and 0 deletions.
diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
@@ -82,6 +82,8 @@ type ClusterSpec struct {
 	// Note that DNSZone can either by the host name of the zone (containing dots),
 	// or can be an identifier for the zone.
 	DNSZone string `json:"dnsZone,omitempty"`
+	// AdditionalSANs adds additional Subject Alternate Names to apiserver cert that kops generates
+	AdditionalSANs []string `json:"additionalSans,omitempty"`
 	// ClusterDNSDomain is the suffix we use for internal DNS names (normally cluster.local)
 	ClusterDNSDomain string `json:"clusterDNSDomain,omitempty"`
 	// ServiceClusterIPRange is the CIDR, from the internal network, where we allocate IPs for services

diff --git a/pkg/apis/kops/v1alpha1/cluster.go b/pkg/apis/kops/v1alpha1/cluster.go
@@ -82,6 +82,8 @@ type ClusterSpec struct {
 	// Note that DNSZone can either by the host name of the zone (containing dots),
 	// or can be an identifier for the zone.
 	DNSZone string `json:"dnsZone,omitempty"`
+	// AdditionalSANs adds additional Subject Alternate Names to apiserver cert that kops generates
+	AdditionalSANs []string `json:"additionalSans,omitempty"`
 	// ClusterDNSDomain is the suffix we use for internal DNS names (normally cluster.local)
 	ClusterDNSDomain string `json:"clusterDNSDomain,omitempty"`
 	// ClusterName is a unique identifier for the cluster, and currently must be a DNS name

diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
@@ -533,6 +533,7 @@ func autoConvert_v1alpha1_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *
 	out.Project = in.Project
 	out.MasterPublicName = in.MasterPublicName
 	out.MasterInternalName = in.MasterInternalName
+	out.AdditionalSANs = in.AdditionalSANs
 	out.NetworkCIDR = in.NetworkCIDR
 	out.NetworkID = in.NetworkID
 	if in.Topology != nil {
@@ -767,6 +768,7 @@ func autoConvert_kops_ClusterSpec_To_v1alpha1_ClusterSpec(in *kops.ClusterSpec,
 	out.Project = in.Project
 	out.MasterPublicName = in.MasterPublicName
 	out.MasterInternalName = in.MasterInternalName
+	out.AdditionalSANs = in.AdditionalSANs
 	out.NetworkCIDR = in.NetworkCIDR
 	out.NetworkID = in.NetworkID
 	if in.Topology != nil {

diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go
@@ -80,6 +80,8 @@ type ClusterSpec struct {
 	// Note that DNSZone can either by the host name of the zone (containing dots),
 	// or can be an identifier for the zone.
 	DNSZone string `json:"dnsZone,omitempty"`
+	// AdditionalSANs adds additional Subject Alternate Names to apiserver cert that kops generates
+	AdditionalSANs []string `json:"additionalSans,omitempty"`
 	// ClusterDNSDomain is the suffix we use for internal DNS names (normally cluster.local)
 	ClusterDNSDomain string `json:"clusterDNSDomain,omitempty"`
 	// ServiceClusterIPRange is the CIDR, from the internal network, where we allocate IPs for services

diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -579,6 +579,7 @@ func autoConvert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *
 	out.Project = in.Project
 	out.MasterPublicName = in.MasterPublicName
 	out.MasterInternalName = in.MasterInternalName
+	out.AdditionalSANs = in.AdditionalSANs
 	out.NetworkCIDR = in.NetworkCIDR
 	out.NetworkID = in.NetworkID
 	if in.Topology != nil {
@@ -829,6 +830,7 @@ func autoConvert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(in *kops.ClusterSpec,
 	out.Project = in.Project
 	out.MasterPublicName = in.MasterPublicName
 	out.MasterInternalName = in.MasterInternalName
+	out.AdditionalSANs = in.AdditionalSANs
 	out.NetworkCIDR = in.NetworkCIDR
 	out.NetworkID = in.NetworkID
 	if in.Topology != nil {

diff --git a/pkg/model/pki.go b/pkg/model/pki.go
@@ -163,6 +163,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 		// Names specified in the cluster spec
 		alternateNames = append(alternateNames, b.Cluster.Spec.MasterPublicName)
 		alternateNames = append(alternateNames, b.Cluster.Spec.MasterInternalName)
+		alternateNames = append(alternateNames, b.Cluster.Spec.AdditionalSANs...)
 
 		// Referencing it by internal IP should work also
 		{

diff --git a/tests/integration/conversion/minimal/v1alpha0.yaml b/tests/integration/conversion/minimal/v1alpha0.yaml
@@ -20,6 +20,8 @@ spec:
   kubernetesVersion: v1.4.6
   masterInternalName: api.internal.minimal.example.com
   masterPublicName: api.minimal.example.com
+  additionalSans:
+  - proxy.api.minimal.example.com
   networkCIDR: 172.20.0.0/16
   networking:
     kubenet: {}

diff --git a/tests/integration/conversion/minimal/v1alpha1.yaml b/tests/integration/conversion/minimal/v1alpha1.yaml
@@ -23,6 +23,8 @@ spec:
   kubernetesVersion: v1.4.6
   masterInternalName: api.internal.minimal.example.com
   masterPublicName: api.minimal.example.com
+  additionalSans:
+  - proxy.api.minimal.example.com
   networkCIDR: 172.20.0.0/16
   networking:
     kubenet: {}

diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/kopeio-vxlan/cluster.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/kopeio-vxlan/cluster.yaml
@@ -21,6 +21,8 @@ spec:
   kubernetesVersion: v1.4.6
   masterInternalName: api.internal.minimal.example.com
   masterPublicName: api.minimal.example.com
+  additionalSans:
+  - proxy.api.minimal.example.com
   networkCIDR: 172.20.0.0/16
   networking:
     kopeio: {}

diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/cluster.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/cluster.yaml
@@ -21,6 +21,8 @@ spec:
   kubernetesVersion: v1.4.6
   masterInternalName: api.internal.minimal.example.com
   masterPublicName: api.minimal.example.com
+  additionalSans:
+  - proxy.api.minimal.example.com
   networkCIDR: 172.20.0.0/16
   networking:
     kubenet: {}