Commit
tls: set mcs cert common name to not-valid-hostname
go1.15 clients do not like server certs with common name set to a valid hostname, causing failures like

```
x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
```

So, looking at the go 1.15 release notes https://golang.org/doc/go1.15

```
X.509 CommonName deprecation

The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value x509ignoreCN=0 to the GODEBUG environment variable.

Note that if the CommonName is an invalid host name, it's always ignored, regardless of GODEBUG settings. Invalid names include those with any characters other than letters, digits, hyphens and underscores, and those with empty labels or trailing dots.
```

Setting the common name for MCS cert to `system:machine-config-server` like other kube-apiserver server certificates to make sure the common name is not a valid hostname.

Also, the vSphere platform only set the dnsnames and ip addresses when the API vips were provided. Since we cannot depend on hostname in CN anymore, the platform now sets the DNSNames to hostname and adds the VIP if API vips is provided.