Added 'localhost' and 127.0.0.1 to the controller's TLS cert.

This change also uses the Host header sent to Waterfront as the hostname of the Kubernetes API server in the kubeconfig that is generated via the credentials download. This makes VM port-forwarding scenarios possible, for example when using a NAT network with VirtualBox.
PaxAutoma · Apr 16, 2018 · 41e3fbe · 41e3fbe
1 parent 7caefb1
commit 41e3fbe
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 5 deletions.
diff --git a/components/installer/pkg/crypto.go b/components/installer/pkg/crypto.go
@@ -135,6 +135,8 @@ func createAPIServerCSR(ctx *InstallerContext) (csrBytes, keyBytes []byte, errOu
 		Hosts: []string{
 			ctx.Responses.ControllerIP,
 			ctx.Responses.KubeAPIServiceIP,
+			"127.0.0.1",
+			"localhost",
 			"kubernetes.default.svc",
 		},
 		CN: fmt.Sprintf("%s (Controller Server)", ctx.Responses.OrgInfo.Cluster),

diff --git a/components/teamster/pkg/teamster/api.go b/components/teamster/pkg/teamster/api.go
@@ -136,6 +136,7 @@ func (t *TeamsterAPI) GenClientCert(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query()
 	user := query.Get("user")
 	groups := query["group"]
+	host := query.Get("host")
 
 	if user == "" || len(groups) == 0 {
 		http.Error(w, "request should include 'user' and 'group' arguments", http.StatusBadRequest)
@@ -147,9 +148,11 @@ func (t *TeamsterAPI) GenClientCert(w http.ResponseWriter, r *http.Request) {
 		panic(errors.Wrap(err, "failed to create user credentials"))
 	}
 
-	ip, err := getAPIServerIP(t.cluster.Vars["CONTROLLER_PRIVATE_IF"])
-	if err != nil {
-		panic(errors.Wrap(err, "failed to obtain controller private IP"))
+	if host == "" {
+		host, err = getAPIServerIP(t.cluster.Vars["CONTROLLER_PRIVATE_IF"])
+		if err != nil {
+			panic(errors.Wrap(err, "failed to obtain controller private IP"))
+		}
 	}
 
 	ctx := identity.ClientContext{
@@ -159,8 +162,9 @@ func (t *TeamsterAPI) GenClientCert(w http.ResponseWriter, r *http.Request) {
 		InstallID: t.cluster.InstallID,
 		User:      user,
 	}
-	if ip != "" {
-		ctx.ServerURL = fmt.Sprintf("https://%s:%s", ip, t.cluster.Vars["OPEROS_KUBE_API_SECURE_PORT"])
+
+	if host != "" {
+		ctx.ServerURL = fmt.Sprintf("https://%s:%s", host, t.cluster.Vars["OPEROS_KUBE_API_SECURE_PORT"])
 	}
 
 	tarball.SendTarball(identity.ClientManifest, ctx, w, "operos-credentials.tar.gz")

diff --git a/components/waterfront/server/pkg/waterfront/clientcert.go b/components/waterfront/server/pkg/waterfront/clientcert.go
@@ -21,6 +21,7 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	"strings"
 )
 
 func MakeGenClientCertHandler(teamsterAddr string) http.Handler {
@@ -33,6 +34,7 @@ func MakeGenClientCertHandler(teamsterAddr string) http.Handler {
 		q := getURL.Query()
 		q.Set("user", "admin")
 		q.Add("group", "admin")
+		q.Set("host", strings.SplitN(r.Host, ":", 2)[0])
 		getURL.RawQuery = q.Encode()
 
 		resp, err := http.Get(getURL.String())