feat: add extra sans support for the api server (#32)

Author: stevensbkang

cmd/kubesolo/main.go

@@ -6,6 +6,7 @@ import (
 	"os/signal"
 	"path/filepath"
 	rdebug "runtime/debug"
+	"strings"
 	"syscall"
 
 	"github.com/alecthomas/kingpin/v2"
@@ -36,6 +37,7 @@ var (
 // the main struct for the kubesolo application
 type kubesolo struct {
 	hostName           string
+	extraSANs          string
 	debug              bool
 	pprofServer        bool
 	portainerEdgeID    string
@@ -59,6 +61,7 @@ var (
 func service() (*kubesolo, error) {
 	return &kubesolo{
 		hostName:           system.GetHostname(),
+		extraSANs:          *flags.APIServerExtraSANs,
 		debug:              *flags.Debug,
 		pprofServer:        *flags.PprofServer,
 		portainerEdgeID:    *flags.PortainerEdgeID,
@@ -334,6 +337,8 @@ func (s *kubesolo) bootstrap() {
 		// API Server paths
 		APIServerDir:          filepath.Join(basePath, types.DefaultAPIServerDir),
 		ServiceAccountKeyFile: filepath.Join(basePath, types.DefaultPKIDir, "apiserver", "service-account.key"),
+		// API Server extra SANs
+		APIServerExtraSANs: strings.Split(s.extraSANs, ","),
 
 		// Kine paths
 		KineDir:        filepath.Join(basePath, types.KubesoloKineDir),

internal/config/flags/flags.go

@@ -4,6 +4,7 @@ import "github.com/alecthomas/kingpin/v2"
 
 // the full list of flags for the kubesolo application
 // Path is the path to the directory containing the kubesolo configuration files
+// APIServerExtraSANs is the flag to add extra SANs to the API Server certificate
 // PortainerEdgeID is the Edge ID for the Portainer Edge Agent
 // PortainerEdgeKey is the Edge Key for the Portainer Edge Agent that can be used to register the Edge Agent with the Portainer Server
 // PortainerEdgeAsync is the flag to enable Portainer Edge Async Mode
@@ -13,6 +14,7 @@ import "github.com/alecthomas/kingpin/v2"
 var (
 	Application        = kingpin.New("kubesolo", "Ultra-lightweight, OCI-compliant, single-node Kubernetes built for constrained environments such as IoT or IIoT devices running in embedded environments.")
 	Path               = Application.Flag("path", "Path to the directory containing the kubesolo configuration files. Defaults to /var/lib/kubesolo.").Envar("KUBESOLO_PATH").Default("/var/lib/kubesolo").String()
+	APIServerExtraSANs = Application.Flag("apiserver-extra-sans", "A comma-separated list of additional Subject Alternative Names (SANs) to include in the API server's TLS certificate. These SANs can be IP addresses or DNS names (e.g., 10.0.0.4,kubesolo.local).").Envar("KUBESOLO_APISERVER_EXTRA_SANS").Default("").String()
 	PortainerEdgeID    = Application.Flag("portainer-edge-id", "Portainer Edge ID. Defaults to empty string.").Envar("KUBESOLO_PORTAINER_EDGE_ID").Default("").String()
 	PortainerEdgeKey   = Application.Flag("portainer-edge-key", "Portainer Edge Key. Defaults to empty string.").Envar("KUBESOLO_PORTAINER_EDGE_KEY").Default("").String()
 	PortainerEdgeAsync = Application.Flag("portainer-edge-async", "Enable Portainer Edge Async Mode. Defaults to false.").Envar("KUBESOLO_PORTAINER_EDGE_ASYNC").Default("false").Bool()

internal/core/pki/options.go

@@ -4,10 +4,12 @@ import (
 	"fmt"
 	"net"
 	"path/filepath"
+	"strings"
 
 	"github.com/portainer/kubesolo/internal/runtime/network"
 	"github.com/portainer/kubesolo/internal/system"
 	"github.com/portainer/kubesolo/types"
+	"github.com/rs/zerolog/log"
 )
 
 // defaultCertOptions returns default options for the specified certificate type
@@ -59,11 +61,11 @@ func defaultCertOptions(certType CertificateType, embedded types.Embedded) CertO
 			"kubernetes.default.svc.cluster.local",
 			"localhost",
 		}
-		opts.IPAddresses = []net.IP{
-			net.ParseIP("127.0.0.1"),
-			net.ParseIP(types.DefaultKubernetesServiceIP),
-		}
+		opts.IPAddresses = []net.IP{net.ParseIP(types.DefaultKubernetesServiceIP)}
 		opts.IPAddresses = append(opts.IPAddresses, ipAddresses...)
+		if len(embedded.APIServerExtraSANs) > 0 {
+			addExtraSANs(&opts, embedded.APIServerExtraSANs)
+		}
 		opts.SignerCertDir = embedded.CACerts.Cert
 		opts.SignerKeyDir = embedded.CACerts.Key
 		opts.CertDir = filepath.Join(embedded.PKIAPIServerDir, "apiserver.crt")
@@ -100,3 +102,26 @@ func defaultCertOptions(certType CertificateType, embedded types.Embedded) CertO
 
 	return opts
 }
+
+// addExtraSANs adds extra SANs to the certificate options
+// it validates the SANs and adds them to the certificate options
+// if the SAN is a valid IPv4 address, it adds it to the IPAddresses field
+// if the SAN is a valid DNS name, it adds it to the DNSNames field
+// if the SAN is invalid, it logs a warning and skips it
+func addExtraSANs(opts *CertOptions, extraSANs []string) {
+	for _, san := range extraSANs {
+		san = strings.TrimSpace(san)
+		if san == "" {
+			continue
+		}
+
+		if network.IsIPv4Address(san) {
+			opts.IPAddresses = append(opts.IPAddresses, net.ParseIP(san))
+		} else if network.IsDNSName(san) {
+			opts.DNSNames = append(opts.DNSNames, san)
+		} else {
+			log.Warn().Str("component", "pki").Msgf("invalid SAN: %s", san)
+			continue
+		}
+	}
+}

internal/runtime/network/ip.go

@@ -3,6 +3,11 @@ package network
 import (
 	"fmt"
 	"net"
+	"regexp"
+)
+
+var (
+	rfc1123 = `^[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*$`
 )
 
 // GetLocalIPs returns all non-loopback IPv4 addresses
@@ -38,3 +43,20 @@ func GetNodeIP() (string, error) {
 
 	return "127.0.0.1", fmt.Errorf("could not find non-loopback private IP address")
 }
+
+// IsIPv4Address returns true if the given string is a valid IPv4 address
+func IsIPv4Address(ip string) bool {
+	return net.ParseIP(ip) != nil && net.ParseIP(ip).To4() != nil
+}
+
+// IsDNSName returns true if the given string is a valid DNS name
+// it follows the RFC 1123 specification for DNS names
+func IsDNSName(name string) bool {
+	if name == "" || len(name) > 253 {
+		return false
+	}
+
+	// RFC 1123 compliant DNS name pattern
+	matched, _ := regexp.MatchString(rfc1123, name)
+	return matched
+}

types/types.go

@@ -71,6 +71,7 @@ type Embedded struct {
 	ContainerdShimBinaryFile string
 	ContainerdRootDir        string
 	ContainerdStateDir       string
+
 	// Conitainerd CNI directories and files
 	ContainerdCNIDir        string
 	ContainerdCNIPluginsDir string
@@ -90,6 +91,8 @@ type Embedded struct {
 	// API Server directory
 	APIServerDir          string
 	ServiceAccountKeyFile string
+	// API Server extra SANs
+	APIServerExtraSANs []string
 
 	// Kine directories and files
 	KineDir        string