Skip to content

Instantly share code, notes, and snippets.

@abdennour
Created April 18, 2021 00:50
Show Gist options
  • Save abdennour/450163a67ed7b4e3fd5813276ffca462 to your computer and use it in GitHub Desktop.
Save abdennour/450163a67ed7b4e3fd5813276ffca462 to your computer and use it in GitHub Desktop.
expose kube-apiserver thru ingress
kind: Ingress
metadata:
name: kubeapi
namespace: default
annotations:
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
rules:
- host: "api.devops.example.com"
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: kubernetes
port:
number: 443
# Verify SAN of current APIServer certificate
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
# Retrieve current kubeadm-config
kubectl -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' > kubeadm-original.yaml
cp kubeadm-original.yaml kubeadm-latest.yaml
# Add extra SANs
vi kubeadm-latest.yaml
cat kubeadm-latest.yaml
apiServer:
certSANs:
- "api.devops.example.com"
- "kapi.company.org"
extraArgs:
....
# remove current apiserver certificates
mv /etc/kubernetes/pki/apiserver.{crt,key} ~
# regenerate apiserver certificates
kubeadm init phase certs apiserver --config kubeadm-latest.yaml
# restart api server
docker kill $(docker ps | grep kube-apiserver | grep -v pause | awk '{print $1}')
# verify again the SAN is in the certificate
openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
# update configmap in kube-system
kubeadm init phase upload-config kubeadm --config ./kubeadm-latest.yaml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment