kube-controller-manager Cert does not contain any SANs - causing problems when scraping its metrics

[hajowieland]

I tried to scrape the metrics of kube-controller-manager with the following scrape config - the kube-controller-manager-cert-prometheus Secret contains the CA of the K8s API Server, the Certificate of kube-controller-manager and the key for kube-controller-manager cert:

spec:
  endpoints:
  - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
    port: http-metrics
    scheme: https
    tlsConfig:
      ca:
        secret:
          key: ca.crt
          name: kube-controller-manager-cert-prometheus
      cert:
        secret:
          key: cert.crt
          name: kube-controller-manager-cert-prometheus
      keySecret:
        key: key.pem
        name: kube-controller-manager-cert-prometheus

This fails with this error:

cannot perform request to "https://<IP-of-host>:10257/metrics":
Get "https://<IP-of-host>:10257/metrics":
tls: failed to verify certificate:
x509: cannot validate certificate for <IP-of-host> because it doesn't contain any IP SANs

My kube-controller-manager systemd unit file looks like this (posting only the relevant parts):

ExecStart=/usr/local/bin/kube-controller-manager \
  --allocate-node-cidrs=true \
  --authentication-kubeconfig=/etc/kubernetes/controller/kube-controller-manager/kubeconfig \
  --authorization-kubeconfig=/etc/kubernetes/controller/kube-controller-manager/kubeconfig \
  --bind-address=<IP-of-host> \
  --client-ca-file=/etc/kubernetes/controller/pki/cert-k8s-apiserver.pem \
  --cluster-cidr=10.200.0.0/16 \
  --cluster-name=kubernetes \
  --cluster-signing-cert-file=/etc/kubernetes/controller/pki/cert-k8s-apiserver.pem \
  --cluster-signing-key-file=/etc/kubernetes/controller/pki/cert-k8s-apiserver-key.pem \
  --kubeconfig=/etc/kubernetes/controller/kube-controller-manager/kubeconfig \
  --leader-elect=true \
  --requestheader-client-ca-file=/etc/kubernetes/controller/pki/ca-k8s-apiserver.pem \
  --root-ca-file=/etc/kubernetes/controller/pki/ca-k8s-apiserver.pem \
  --secure-port=10257 \
  --service-account-private-key-file=/etc/kubernetes/controller/pki/cert-k8s-controller-manager-sa-key.pem \
  --service-cluster-ip-range=10.32.0.0/16 \
  --tls-cert-file=/etc/kubernetes/controller/pki/cert-k8s-controller-manager.pem \
  --tls-private-key-file=/etc/kubernetes/controller/pki/cert-k8s-controller-manager-key.pem \
  --use-service-account-credentials=true

Adding the SANs to the Cert works and I will create a PR for the change.