Skip to content
This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

feat: add localhost and 127.0.0.1 to certificates #243

Merged
merged 1 commit into from
Jan 10, 2019
Merged

feat: add localhost and 127.0.0.1 to certificates #243

merged 1 commit into from
Jan 10, 2019

Conversation

sylr
Copy link
Contributor

@sylr sylr commented Jan 7, 2019
edited
Loading

Reason for Change:

There are some cases where we have pods on master nodes who needs to communicate with the API server (e.g.: cluster-autoscaler) but it cannot use the kubernetes.default service cause it will intermittently fail due to the fact that, if the request is forwarded by the service to the apiserver on the same node as it originated from, the request will never come back due to Martian source network error.

The way around that is to use host network and send request to localhost:443 but localhost is currently not part of the default domains in the certificates generated.

Issue Fixed:

Requirements:

Notes:

@acs-bot acs-bot added the size/S label Jan 7, 2019
@codecov
Copy link

codecov bot commented Jan 7, 2019
edited
Loading

Codecov Report

Merging #243 into master will decrease coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #243      +/-   ##
==========================================
- Coverage   53.21%   53.21%   -0.01%     
==========================================
  Files          95       95              
  Lines       14248    14235      -13     
==========================================
- Hits         7582     7575       -7     
+ Misses       6001     5995       -6     
  Partials      665      665

@jackfrancis
Copy link
Member

@khenidak Curious for your thoughts on this one. Does this seem like a sane path we should allow?

@tariq1890 tariq1890 requested a review from ritazh January 8, 2019 02:05
@tariq1890
Copy link
Contributor

tariq1890 commented Jan 8, 2019
edited
Loading

@sylr These changes may be redundant. In this method, we are already appending the localhost IP to that slice before creating the certs.

@sylr
Copy link
Contributor Author

sylr commented Jan 8, 2019

@tariq1890 you're right, I fixed that.

@sylr sylr force-pushed the cert-localhost branch 2 times, most recently from 344d226 to 7e39c68 Compare January 8, 2019 10:21
@tariq1890
Copy link
Contributor

@sylr We'll need to circle back a bit . You'll need to append "localhost " to this sliceips := []net.IP{firstMasterIP} like you did in the previous iteration of this PR.

Once that is done. You can remove all of the append statements in pki.go. You can remove the mutexes too :)

tariq1890
tariq1890 reviewed Jan 8, 2019
View reviewed changes
pkg/helpers/pki.go Outdated
@@ -88,7 +88,11 @@ func CreatePki(extraFQDNs []string, extraIPs []net.IP, clusterDomain string, caP
}

group.Go(func() (err error) {
apiServerCertificate, apiServerPrivateKey, err = createCertificate("apiserver", caCertificate, caPrivateKey, false, true, extraFQDNs, extraIPs, nil)
ip := net.ParseIP("127.0.0.1").To4()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please refer to my latest PR comment. If that is done, we won't need to do these kind of appends

feat: add localhost and 127.0.0.1 to certificates
f4981b2 
Signed-off-by: Sylvain Rabot <s.rabot@lectra.com>
tariq1890
tariq1890 approved these changes Jan 10, 2019
View reviewed changes
Copy link
Contributor

@tariq1890 tariq1890 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. Thanks @sylr :)

@jackfrancis
Copy link
Member

/lgtm

@acs-bot acs-bot added the lgtm label Jan 10, 2019
@acs-bot
Copy link

acs-bot commented Jan 10, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jackfrancis, sylr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@acs-bot acs-bot merged commit 0c10b1e into Azure:master Jan 10, 2019
jackfrancis pushed a commit that referenced this pull request Jan 11, 2019
@sylr @jackfrancis
feat: add localhost and 127.0.0.1 to certificates (#243)
a503c2e 
Signed-off-by: Sylvain Rabot <s.rabot@lectra.com>
@sylr sylr mentioned this pull request Mar 1, 2019
Closed
juhacket pushed a commit to juhacket/aks-engine that referenced this pull request Mar 14, 2019
@sylr
feat: add localhost and 127.0.0.1 to certificates (Azure#243)
f1f7d3b 
Signed-off-by: Sylvain Rabot <s.rabot@lectra.com>
@sylr sylr mentioned this pull request Oct 8, 2019
Closed
@sylr sylr deleted the cert-localhost branch October 16, 2019 07:11
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@tariq1890 tariq1890 tariq1890 approved these changes

@ritazh ritazh Awaiting requested review from ritazh

Assignees

@jackfrancis jackfrancis

Labels
approved lgtm size/S
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sylr @jackfrancis @tariq1890 @acs-bot