Merge branch 'features/tls-host-localhost'

PaxAutoma · Apr 16, 2018 · 2ae7229 · 2ae7229
2 parents 2ced2c5 + 41e3fbe
commit 2ae7229
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/components/installer/pkg/crypto.go b/components/installer/pkg/crypto.go
@@ -135,6 +135,8 @@ func createAPIServerCSR(ctx *InstallerContext) (csrBytes, keyBytes []byte, errOu
 		Hosts: []string{
 			ctx.Responses.ControllerIP,
 			ctx.Responses.KubeAPIServiceIP,
+			"127.0.0.1",
+			"localhost",
 			"kubernetes.default.svc",
 		},
 		CN: fmt.Sprintf("%s (Controller Server)", ctx.Responses.OrgInfo.Cluster),

diff --git a/components/teamster/pkg/teamster/api.go b/components/teamster/pkg/teamster/api.go
@@ -136,6 +136,7 @@ func (t *TeamsterAPI) GenClientCert(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	user := query.Get("user")
 	groups := query["group"]
+	host := query.Get("host")
 
 	if user == "" || len(groups) == 0 {
 		http.Error(w, "request should include 'user' and 'group' arguments", http.StatusBadRequest)
@@ -147,9 +148,11 @@ func (t *TeamsterAPI) GenClientCert(w http.ResponseWriter, r *http.Request) {
 		panic(errors.Wrap(err, "failed to create user credentials"))
 	}
 
-	ip, err := getAPIServerIP(t.cluster.Vars["CONTROLLER_PRIVATE_IF"])
-	if err != nil {
-		panic(errors.Wrap(err, "failed to obtain controller private IP"))
+	if host == "" {
+		host, err = getAPIServerIP(t.cluster.Vars["CONTROLLER_PRIVATE_IF"])
+		if err != nil {
+			panic(errors.Wrap(err, "failed to obtain controller private IP"))
+		}
 	}
 
 	ctx := identity.ClientContext{
@@ -159,8 +162,9 @@ func (t *TeamsterAPI) GenClientCert(w http.ResponseWriter, r *http.Request) {
 		InstallID: t.cluster.InstallID,
 		User:      user,
 	}
-	if ip != "" {
-		ctx.ServerURL = fmt.Sprintf("https://%s:%s", ip, t.cluster.Vars["OPEROS_KUBE_API_SECURE_PORT"])
+
+	if host != "" {
+		ctx.ServerURL = fmt.Sprintf("https://%s:%s", host, t.cluster.Vars["OPEROS_KUBE_API_SECURE_PORT"])
 	}
 
 	tarball.SendTarball(identity.ClientManifest, ctx, w, "operos-credentials.tar.gz")

diff --git a/components/waterfront/server/pkg/waterfront/clientcert.go b/components/waterfront/server/pkg/waterfront/clientcert.go
@@ -21,6 +21,7 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	"strings"
 )
 
 func MakeGenClientCertHandler(teamsterAddr string) http.Handler {
@@ -33,6 +34,7 @@ func MakeGenClientCertHandler(teamsterAddr string) http.Handler {
 		q := getURL.Query()
 		q.Set("user", "admin")
 		q.Add("group", "admin")
+		q.Set("host", strings.SplitN(r.Host, ":", 2)[0])
 		getURL.RawQuery = q.Encode()
 
 		resp, err := http.Get(getURL.String())