Certificate regeneration via extra_sans options
The extra_sans configuration option allows extra SAN entries in the generated certificate for the load balancer and the Kubernetes API server. This allows the cluster to be accessed via a DNS name or through some external load balancer.
The load balancer will watch for certificate changes and SIGHUP nginx. It does this by using host.service_restart('nginx'), which ultimately gets us to the command systemctl restart nginx. This is a graceful restart, which will not disrupt service.
The master nodes use a certificate to secure communication to the API server. The master has a config option called extra_sans which allows the administrator to add SAN entries to the certificate. When this config changes, the master node(s) will regenerate their certificate and restart the API server to update the certificate used for communication. This is disruptive and restarts the API server.
Usage is the same for both the Kubernetes master and the load balancer. The configuration option takes a space-separated list of extra entries.
juju config kubernetes-master extra_sans="master.mydomain.com lb.mydomain.com"
juju config kubeapi-load-balancer extra_sans="master.mydomain.com lb.mydomain.com"
To clear the entries out of the certificate, use an empty string:
juju config kubernetes-master extra_sans=""
juju config kubeapi-load-balancer extra_sans=""
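After changing extra_sans, it is worth confirming that the certificate actually being served carries the new entries. The following is an added example, not part of the charms: the function name missing_sans and the sample text are constructed here, and it assumes the SAN text comes from openssl x509 -noout -ext subjectAltName (OpenSSL 1.1.1 or later).

```shell
#!/bin/sh
# Added example (not charm code). Compares an extra_sans value against the
# SAN list of a certificate, as printed by:
#   openssl x509 -noout -ext subjectAltName
#
# Against a live endpoint (HOST and PORT are placeholders):
#   echo | openssl s_client -connect HOST:PORT 2>/dev/null \
#     | openssl x509 -noout -ext subjectAltName \
#     | missing_sans "master.mydomain.com lb.mydomain.com"

# missing_sans "<space-separated extra_sans value>"
# Reads the SAN text on stdin, prints every requested entry that is absent
# (one per line) and returns 1 if any is missing, 0 otherwise.
# Matching is exact and case-insensitive; wildcard SANs are not expanded.
missing_sans() {
    wanted=$1
    # Turn "DNS:a, DNS:b, IP Address:c" into one bare value per line.
    present=$(tr ',' '\n' | sed -n \
        -e 's/^[[:space:]]*DNS://p' \
        -e 's/^[[:space:]]*IP Address://p')
    rc=0
    for entry in $wanted; do
        # -x: whole-line match, so "mydomain.com" does not match
        # "master.mydomain.com"; -F: treat dots literally.
        if ! printf '%s\n' "$present" | grep -qixF -- "$entry"; then
            printf '%s\n' "$entry"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of openssl's subjectAltName output, for offline use.
SAMPLE_SAN_TEXT='X509v3 Subject Alternative Name:
    DNS:kubernetes, DNS:kubernetes.default, DNS:master.mydomain.com, DNS:lb.mydomain.com, IP Address:10.0.0.5'
```

An empty result with exit status 0 means every configured entry is present; after clearing the option with extra_sans="", the same check with the old value should list the removed names.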