diff --git a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
index e7c95c75709..ce7970a71a3 100755
--- a/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
+++ b/data/data/bootstrap/files/usr/local/bin/bootkube.sh.template
@@ -231,8 +231,8 @@ podman run \
 --cakey=/opt/openshift/tls/etcd-client-ca.key \
 --metric-cacrt=/opt/openshift/tls/etcd-metric-signer.crt \
 --metric-cakey=/opt/openshift/tls/etcd-metric-signer.key \
- --servcrt=/opt/openshift/tls/kube-apiserver-lb-server.crt \
- --servkey=/opt/openshift/tls/kube-apiserver-lb-server.key \
+ --servcrt=/opt/openshift/tls/kube-apiserver-internal-lb-server.crt \
+ --servkey=/opt/openshift/tls/kube-apiserver-internal-lb-server.key \
 --address=0.0.0.0:6443 \
 --csrdir=/tmp \
 --peercertdur=26280h \
diff --git a/pkg/asset/kubeconfig/admin.go b/pkg/asset/kubeconfig/admin.go
index 4ce136772d3..2db2592476d 100644
--- a/pkg/asset/kubeconfig/admin.go
+++ b/pkg/asset/kubeconfig/admin.go
@@ -38,7 +38,8 @@ func (k *AdminClient) Generate(parents asset.Parents) error {
 return k.kubeconfig.generate(
 ca,
 clientCertKey,
- installConfig.Config,
+ getExtAPIServerURL(installConfig.Config),
+ installConfig.Config.GetName(),
 "admin",
 kubeconfigAdminPath,
 )
diff --git a/pkg/asset/kubeconfig/kubeconfig.go b/pkg/asset/kubeconfig/kubeconfig.go
index 05b3db841bd..4cd6fa3ea3f 100644
--- a/pkg/asset/kubeconfig/kubeconfig.go
+++ b/pkg/asset/kubeconfig/kubeconfig.go
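Review bot: The `--servcrt`/`--servkey` flags now point at `kube-apiserver-internal-lb-server.crt` and `.key`, but nothing in this hunk shows those files being placed under `/opt/openshift/tls`, and the listener is still `--address=0.0.0.0:6443`. Please confirm that the bootstrap file list ships both files and that the certificate's SANs cover the name clients use to reach this service (presumably `api-int.<cluster domain>`, which the kubelet kubeconfig in this commit switches to); a mismatch would surface as TLS hostname-verification failures during bootstrap. A short comment above the command, e.g. `# reached through the internal LB name, so it serves the internal-lb certificate`, would record why this certificate differs from the external one. The `podman run` command starts and ends outside the hunk.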
@@ -22,16 +22,17 @@ type kubeconfig struct {
 func (k *kubeconfig) generate(
 ca tls.CertInterface,
 clientCertKey tls.CertKeyInterface,
- installConfig *types.InstallConfig,
+ apiURL string,
+ cluster string,
 userName string,
 kubeconfigPath string,
 ) error {
 k.Config = &clientcmd.Config{
 Clusters: []clientcmd.NamedCluster{
 {
- Name: installConfig.ObjectMeta.Name,
+ Name: cluster,
 Cluster: clientcmd.Cluster{
- Server: fmt.Sprintf("https://api.%s:6443", installConfig.ClusterDomain()),
+ Server: apiURL,
 CertificateAuthorityData: ca.Cert(),
 },
 },
@@ -49,7 +50,7 @@ func (k *kubeconfig) generate(
 {
 Name: userName,
 Context: clientcmd.Context{
- Cluster: installConfig.ObjectMeta.Name,
+ Cluster: cluster,
 AuthInfo: userName,
 },
 },
@@ -96,3 +97,11 @@ func (k *kubeconfig) load(f asset.FileFetcher, name string) (found bool, err err
 k.File, k.Config = file, config
 return true, nil
 }
+
+func getExtAPIServerURL(ic *types.InstallConfig) string {
+ return fmt.Sprintf("https://api.%s:6443", ic.ClusterDomain())
+}
+
+func getIntAPIServerURL(ic *types.InstallConfig) string {
+ return fmt.Sprintf("https://api-int.%s:6443", ic.ClusterDomain())
+}
diff --git a/pkg/asset/kubeconfig/kubeconfig_test.go b/pkg/asset/kubeconfig/kubeconfig_test.go
index 0e2116ddd03..891846d14ea 100644
--- a/pkg/asset/kubeconfig/kubeconfig_test.go
+++ b/pkg/asset/kubeconfig/kubeconfig_test.go
@@ -52,6 +52,7 @@ func TestKubeconfigGenerate(t *testing.T) {
 userName string
 filename string
 clientCert tls.CertKeyInterface
+ apiURL string
 expectedData []byte
 }{
 {
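Review bot: `generate` now takes four consecutive `string` parameters (`apiURL`, `cluster`, `userName`, `kubeconfigPath`), so a transposed argument compiles cleanly, and `apiURL` is written into `Server` verbatim with no check. A doc comment would make the contract explicit, for example `// generate builds a kubeconfig for userName that points at apiURL (a full https:// URL) and names the cluster entry cluster.` Returning an error for an empty or non-`https://` `apiURL` before building `k.Config` is worth considering, so a bad endpoint cannot end up in a generated credential file. The `-49,7` hunk is the matching `Context.Cluster` change and needs nothing further; the function body continues outside both hunks.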
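Review bot: `getExtAPIServerURL` and `getIntAPIServerURL` have no doc comments, and `getIntAPIServerURL` has the same body as `getAPIServerURL` in `pkg/asset/manifests/utils.go` after this commit, so the host prefix and port `6443` are hard-coded in three helpers across two packages. If one copy drifts, generated kubeconfigs and manifests can point at a name the serving certificate does not cover. Suggested comments: `// getExtAPIServerURL returns the external API endpoint (api.<cluster domain>); used for the admin kubeconfig.` and `// getIntAPIServerURL returns the internal API endpoint (api-int.<cluster domain>); used for the kubelet kubeconfig.` Consider having the manifests package call a shared helper instead of repeating the format string.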
@@ -59,10 +60,11 @@ func TestKubeconfigGenerate(t *testing.T) {
 userName: "admin",
 filename: "auth/kubeconfig",
 clientCert: adminCert,
+ apiURL: "https://api-int.test-cluster-name.test.example.com:6443",
 expectedData: []byte(`clusters:
 - cluster:
 certificate-authority-data: VEhJUyBJUyBST09UIENBIENFUlQgREFUQQ==
- server: https://api.test-cluster-name.test.example.com:6443
+ server: https://api-int.test-cluster-name.test.example.com:6443
 name: test-cluster-name
 contexts:
 - context:
@@ -83,10 +85,11 @@ users:
 userName: "kubelet",
 filename: "auth/kubeconfig-kubelet",
 clientCert: kubeletCert,
+ apiURL: "https://api-int.test-cluster-name.test.example.com:6443",
 expectedData: []byte(`clusters:
 - cluster:
 certificate-authority-data: VEhJUyBJUyBST09UIENBIENFUlQgREFUQQ==
- server: https://api.test-cluster-name.test.example.com:6443
+ server: https://api-int.test-cluster-name.test.example.com:6443
 name: test-cluster-name
 contexts:
 - context:
@@ -107,7 +110,7 @@ users:
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 kc := &kubeconfig{}
- err := kc.generate(rootCA, tt.clientCert, installConfig, tt.userName, tt.filename)
+ err := kc.generate(rootCA, tt.clientCert, tt.apiURL, installConfig.GetName(), tt.userName, tt.filename)
 assert.NoError(t, err, "unexpected error generating config")
 actualFiles := kc.Files()
 assert.Equal(t, 1, len(actualFiles), "unexpected number of files generated")
diff --git a/pkg/asset/kubeconfig/kubelet.go b/pkg/asset/kubeconfig/kubelet.go
index e1e1533477e..5b45cd5596d 100644
--- a/pkg/asset/kubeconfig/kubelet.go
+++ b/pkg/asset/kubeconfig/kubelet.go
@@ -38,7 +38,8 @@ func (k *Kubelet) Generate(parents asset.Parents) error {
 return k.kubeconfig.generate(
 ca,
 clientcertkey,
- installConfig.Config,
+ getIntAPIServerURL(installConfig.Config),
+ installConfig.Config.GetName(),
 "kubelet",
 kubeconfigKubeletPath,
 )
diff --git a/pkg/asset/manifests/utils.go b/pkg/asset/manifests/utils.go
index 603aec23853..19605d270d2 100644
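Review bot: The `admin` case now sets `apiURL` to the `api-int` address and expects `server: https://api-int...`, but `AdminClient.Generate` in this commit passes `getExtAPIServerURL(...)`, so the test no longer reflects what the admin kubeconfig actually contains. For that case keep the external endpoint, `apiURL: "https://api.test-cluster-name.test.example.com:6443",`, with the matching `server: https://api.test-cluster-name.test.example.com:6443` line in `expectedData`. The `kubelet` case in the `-83,10` hunk is right to use `api-int`. Because both cases pass literals, neither new helper is exercised; building the URLs with `getExtAPIServerURL(installConfig)` and `getIntAPIServerURL(installConfig)` would cover them, assuming `installConfig` in this test is a `*types.InstallConfig` as the `GetName()` call suggests.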
--- a/pkg/asset/manifests/utils.go
+++ b/pkg/asset/manifests/utils.go
@@ -34,7 +34,7 @@ func configMap(namespace, name string, data genericData) *configurationObject {
 }

 func getAPIServerURL(ic *types.InstallConfig) string {
- return fmt.Sprintf("https://api.%s:6443", ic.ClusterDomain())
+ return fmt.Sprintf("https://api-int.%s:6443", ic.ClusterDomain())
 }

 func getEtcdDiscoveryDomain(ic *types.InstallConfig) string {
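Review bot: `getAPIServerURL` keeps its name but now returns the `api-int` address, so every caller in the manifests package (none are visible in this hunk) silently moves to the internal endpoint. Please check that no caller feeds a value that is handed to clients outside the cluster, where the internal name may not resolve. Record the intent with a rename or a comment such as `// getAPIServerURL returns the internal (api-int) API server URL for in-cluster consumers.`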