nixos/kubernetes: allow configuring cfssl API server SANs

2019-11-24 20:53:31 -08:00 · 2019-11-24 20:53:31 -08:00 · e2c11ad3c0
parent bea1a232c6
commit e2c11ad3c0
1 changed files with 10 additions and 0 deletions
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@ -20,6 +20,7 @@ let
        size = 2048;
    };
    CN = top.masterAddress;
+    hosts = cfg.cfsslAPIExtraSANs;
  });

  cfsslAPITokenBaseName = "apitoken.secret";
@ -66,6 +67,15 @@ in
      type = bool;
    };

+    cfsslAPIExtraSANs = mkOption {
+      description = ''
+        Extra x509 Subject Alternative Names to be added to the cfssl API webserver TLS cert.
+      '';
+      default = [];
+      example = [ "subdomain.example.com" ];
+      type = listOf str;
+    };
+
    genCfsslAPIToken = mkOption {
      description = ''
        Whether to automatically generate cfssl API-token secret,