authorAntonio Nuno Monteiro <anmonteiro@gmail.com>2019-11-24 20:53:31 -0800
committerJon <jonringer@users.noreply.github.com>2020-01-18 23:39:21 -0800
commite2c11ad3c068744f4549ecc29aa39e937b24bd98 (patch)
tree56b66923951cc06b57144cf86b5d22ebc6a795f3 /nixos/modules/services/cluster/kubernetes/pki.nix
parentbea1a232c615aba177e0ef56600d5f847ad3bbd9 (diff)
nixos/kubernetes: allow configuring cfssl API server SANs
Diffstat (limited to 'nixos/modules/services/cluster/kubernetes/pki.nix')
-rw-r--r--nixos/modules/services/cluster/kubernetes/pki.nix10
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 733479e24c97..4275563f1a36 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -20,6 +20,7 @@ let
size = 2048;
};
CN = top.masterAddress;
+ hosts = cfg.cfsslAPIExtraSANs;
});
cfsslAPITokenBaseName = "apitoken.secret";
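Review bot: `top.masterAddress` is left out of the new `hosts` list and appears only as `CN`. Clients that follow RFC 6125 stop consulting the CN once a certificate carries DNS SANs, and newer TLS stacks ignore the CN altogether. Setting any extra SAN is therefore likely to break verification against the master address, unless cfssl copies the CN into the SANs itself, which nothing in this hunk shows. I would write `hosts = [ top.masterAddress ] ++ cfg.cfsslAPIExtraSANs;` so the primary name is always covered. The enclosing `let` binding starts above the hunk.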
@@ -66,6 +67,15 @@ in
type = bool;
};
+ cfsslAPIExtraSANs = mkOption {
+ description = ''
+ Extra x509 Subject Alternative Names to be added to the cfssl API webserver TLS cert.
+ '';
+ default = [];
+ example = [ "subdomain.example.com" ];
+ type = listOf str;
+ };
+
genCfsslAPIToken = mkOption {
description = ''
Whether to automatically generate cfssl API-token secret,
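Review bot: The description of `cfsslAPIExtraSANs` does not say what form the entries take or how they relate to `masterAddress`, and `listOf str` accepts any string, including an empty one. Every entry becomes a name this certificate authenticates, and the cfssl API appears to be the endpoint other nodes use to obtain their certificates, so the text should tell operators to list only names that really point at this host. Something like `Extra x509 Subject Alternative Names (DNS names or IP addresses) for the cfssl API webserver TLS cert, in addition to masterAddress. Only list names that resolve to this host.` would do. The `genCfsslAPIToken` option that follows continues past the end of the hunk.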