
Figure out how to deal with SSL cert issues for kubernetes masters
Closed, Resolved (Public)

Description

Problem: The Kubernetes master uses SSL, with puppet certs. The name it has is the FQDN, so tools-k8s-master-01.tools.eqiad.wmflabs.

Except:

  1. Kubernetes things should use service / DNS names to access this, so it ends up being kubernetes.default.svc rather than tools-k8s-master-01
  2. It requires that we put our CA cert inside all containers, which sucks.
  3. Lots of tools (like kube2sky) won't operate without TLS.

Details

Related Gerrit Patches:
operations/puppet : production : base: Allow adding SANs to puppet CSRs

Event Timeline

yuvipanda claimed this task.
yuvipanda raised the priority of this task from to Needs Triage.
yuvipanda updated the task description.
yuvipanda added a project: Cloud-Services.
yuvipanda added subscribers: yuvipanda, Joe.
Restricted Application added subscribers: StudiesWorld, Aklapper. Nov 29 2015, 1:53 AM
chasemp triaged this task as Medium priority. Nov 30 2015, 4:50 PM
chasemp added a subscriber: chasemp.

I should just set up SANs for the kubernetes domains into the certificate used by the k8s master.

Change 267826 had a related patch set uploaded (by Yuvipanda):
base: Allow adding SANs to puppet CSRs

https://gerrit.wikimedia.org/r/267826

Change 267826 merged by Yuvipanda:
base: Allow adding SANs to puppet CSRs

https://gerrit.wikimedia.org/r/267826

yuvipanda closed this task as Resolved. Feb 2 2016, 3:36 AM

Done \o/
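
The name mismatch described in the task, and the effect of adding SANs, as an added example that is not part of the original task or of Wikimedia's puppet code: a simplified RFC 6125-style dNSName check run over constructed SAN lists. The function names and the `kubernetes.default.svc.cluster.local` entry are assumptions made for illustration.

```python
# Added example: constructed data, not Wikimedia's puppet code.

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """Simplified RFC 6125-style dNSName match: case-insensitive, and a '*'
    is honoured only as the entire left-most label, covering one label."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard never spans a dot
    if p[0] == "*":
        return len(p) > 1 and p[1:] == h[1:]
    return p == h


def unreachable_names(cert_sans, client_names):
    """Names a verifying TLS client would reject for this certificate."""
    return [n for n in client_names
            if not any(san_matches(s, n) for s in cert_sans)]


# Names clients dial. The first two come from the task; the last one is an
# assumed extra (cluster-domain form) to show the audit catches leftovers.
CLIENT_NAMES = [
    "tools-k8s-master-01.tools.eqiad.wmflabs",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local",  # assumption
]

# Constructed SAN lists: certificate with the FQDN only, then with the
# service name added as a SAN.
BEFORE = ["tools-k8s-master-01.tools.eqiad.wmflabs"]
AFTER = BEFORE + ["kubernetes.default.svc"]

if __name__ == "__main__":
    for label, sans in (("before", BEFORE), ("after", AFTER)):
        print(label, "rejected:", unreachable_names(sans, CLIENT_NAMES))
```

Any name still listed as rejected after the SANs are added is one that in-cluster clients would fail to verify.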