Use only one certificate for all apiservers

https://github.com/kubernetes/kubernetes/issues/25063

Use only one certificate for all apiservers
80703010 · Matthew Mosesohn · e88c1067 · 80703010 · 80703010 · 80703010
Commit 80703010 authored 8 years ago by Matthew Mosesohn
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -35,10 +35,10 @@ spec:
    - --service-node-port-range={{ kube_apiserver_node_port_range }}
    - --client-ca-file={{ kube_cert_dir }}/ca.pem
    - --basic-auth-file={{ kube_users_dir }}/known_users.csv
-    - --tls-cert-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}.pem
-    - --tls-private-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem
+    - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
+    - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
    - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
-    - --service-account-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem
+    - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
    - --secure-port={{ kube_apiserver_port }}
    - --insecure-port={{ kube_apiserver_insecure_port }}
 {% if kube_api_runtime_config is defined %}

--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -23,7 +23,7 @@ spec:
    - controller-manager
    - --master={{ kube_apiserver_endpoint }}
    - --leader-elect=true
-    - --service-account-private-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem
+    - --service-account-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
    - --root-ca-file={{ kube_cert_dir }}/ca.pem
    - --cluster-signing-cert-file={{ kube_cert_dir }}/ca.pem
    - --cluster-signing-key-file={{ kube_cert_dir }}/ca-key.pem

--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -72,14 +72,16 @@ else
    openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
 fi

+if [ ! -e "$SSLDIR/ca-key.pem" ]; then
+    # kube-apiserver key
+    openssl genrsa -out apiserver-key.pem 2048 > /dev/null 2>&1
+    openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config ${CONFIG} > /dev/null 2>&1
+    openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
+    cat ca.pem >> apiserver.pem
+fi
+
 if [ -n "$MASTERS" ]; then
    for host in $MASTERS; do
-        # kube-apiserver key
-        openssl genrsa -out apiserver-${host}-key.pem 2048 > /dev/null 2>&1
-        openssl req -new -key apiserver-${host}-key.pem -out apiserver-${host}.csr -subj "/CN=kube-apiserver-${host}" -config ${CONFIG} > /dev/null 2>&1
-        openssl x509 -req -in apiserver-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver-${host}.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
-        cat ca.pem >> apiserver-${host}.pem
-
        # admin key
        openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
        openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${host}" > /dev/null 2>&1
@@ -90,6 +92,7 @@ fi
 # Nodes and Admin
 if [ -n "$HOSTS" ]; then
    for host in $HOSTS; do
+        # node key
        openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
        openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${host}" > /dev/null 2>&1
        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 365 > /dev/null 2>&1

--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -39,14 +39,14 @@
                      {% for node in groups['kube-master'] %}
                      'admin-{{ node }}.pem',
                      'admin-{{ node }}-key.pem',
-                      'apiserver-{{ node }}.pem',
-                      'apiserver-{{ node }}-key.pem',
+                      'apiserver.pem',
+                      'apiserver-key.pem',
                      {% endfor %}]"
    my_master_certs: ['ca-key.pem',
                     'admin-{{ inventory_hostname }}.pem',
                     'admin-{{ inventory_hostname }}-key.pem',
-                     'apiserver-{{ inventory_hostname }}.pem',
-                     'apiserver-{{ inventory_hostname }}-key.pem'
+                     'apiserver.pem',
+                     'apiserver-key.pem'
                     ]
    all_node_certs: "['ca.pem',
                    {% for node in groups['k8s-cluster'] %}