m/n/kubernetes: factor out cluster domain
This removes the hardcoded Kubernetes cluster domain and pushes it out
to a single place at the root of the Kubernetes supervisor tree.
This will later be aligned with the cluster domain specified in the
identity design document; currently this does not change any behavior.
It also removes a bogus SAN from the Kubernetes API server certificate
(kubernetes.default.svc.cluster) for which there is no corresponding
search path.
Change-Id: I30b8907a7b846415f5002c09a24d2d37930a9cd1
Reviewed-on: https://review.monogon.dev/c/monogon/+/773
Tested-by: Jenkins CI
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/kubernetes/pki/kubernetes.go b/metropolis/node/kubernetes/pki/kubernetes.go
index 1a14f99..ef046a2 100644
--- a/metropolis/node/kubernetes/pki/kubernetes.go
+++ b/metropolis/node/kubernetes/pki/kubernetes.go
@@ -100,7 +100,7 @@
Certificates map[KubeCertificateName]*opki.Certificate
}
-func New(l logtree.LeveledLogger, kv clientv3.KV) *PKI {
+func New(l logtree.LeveledLogger, kv clientv3.KV, clusterDomain string) *PKI {
pki := PKI{
namespace: opki.Namespaced(etcdPrefix),
logger: l,
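Review bot: The new `clusterDomain` parameter on `New` has no documented contract in this hunk, although its value ends up in a SAN of the API server certificate. If no doc comment exists above the hunk, I would add one such as `// New builds the Kubernetes PKI. clusterDomain is the cluster DNS domain (no leading or trailing dot) and is embedded in the API server certificate's service SAN.` The body of `New` continues outside the hunk, so any other uses of the parameter are not visible here.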
@@ -130,8 +130,7 @@
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
- "kubernetes.default.svc.cluster",
- "kubernetes.default.svc.cluster.local",
+ "kubernetes.default.svc." + clusterDomain,
"localhost",
},
// TODO(q3k): add service network internal apiserver address
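Review bot: The SAN `"kubernetes.default.svc." + clusterDomain` is built from an unvalidated string. An empty value yields `kubernetes.default.svc.` and a value with a leading or trailing dot yields a malformed name. In both cases the issued certificate would lack the fully qualified service name, so in-cluster clients using that name would fail TLS verification. `New` returns only `*PKI` and cannot report an error, so the check probably belongs at the single place that supplies the domain, for example `if clusterDomain == "" || strings.HasPrefix(clusterDomain, ".") || strings.HasSuffix(clusterDomain, ".") { ... }`. It would also help to note next to this list that the value has to match the domain configured for kubelet and cluster DNS.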