kube/certs: discover TLS domains from TCP TerminateTLS handlers (#19020)
After #18179 switched to L4 TCPForward, EnsureCertLoops found no domains since it only checked service.Web entries. Certs were never provisioned, leaving kube-apiserver ProxyGroups stuck at 0/N ready. Fixes #19019 Signed-off-by: Raj Singh <raj@tailscale.com>
@@ -53,6 +53,7 @@ func (cm *CertManager) EnsureCertLoops(ctx context.Context, sc *ipn.ServeConfig)
currentDomains := make(map[string]bool)
const httpsPort = "443"
for _, service := range sc.Services {
// L7 Web handlers (HA Ingress).
for hostPort := range service.Web {
domain, port, err := net.SplitHostPort(string(hostPort))
if err != nil {
@@ -63,6 +64,12 @@ func (cm *CertManager) EnsureCertLoops(ctx context.Context, sc *ipn.ServeConfig)
}
currentDomains[domain] = true
}
// L4 TCP handlers with TLS termination (kube-apiserver proxy).
for _, handler := range service.TCP {
if handler != nil && handler.TerminateTLS != "" {
currentDomains[handler.TerminateTLS] = true
}
}
}
cm.mu.Lock()
defer cm.mu.Unlock()
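Review bot: The new TCP branch records `handler.TerminateTLS` as a cert domain with only an empty-string check, whereas the Web branch just above parses each key with net.SplitHostPort and rejects parse errors before adding it to currentDomains, so the two sources of domains reach the cert loops with different levels of validation. TerminateTLS is presumably a bare hostname rather than host:port, so SplitHostPort is not the right check here, but a value that still carries a port or is not a valid DNS name would start a cert loop for a name that can never be issued; consider applying whatever hostname validation EnsureCertLoops or the cert loop itself already uses before `currentDomains[handler.TerminateTLS] = true`. It would also help a reader to extend the added comment to say why no port filter applies to this branch, e.g. `// No httpsPort filter here: the cert is keyed on the terminating hostname, not the listening port.`, if that is the intent. EnsureCertLoops begins and ends outside this hunk.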