Support multiple alternative names in the API certificate

[rothgar]

The K2D_ADVERTISE_ADDR currently accepts a single option to sign the certificate. It would be useful to be able to sign alternative names or IP addresses for certificates to be trusted based on IP addresses or aliases.

For example, I would like to be able to use the hostname of the machine, IP address for the LAN, and IP address and hostname from my tailscale network.

[deviantony]

Hey @rothgar do you mind testing the build provided via #94 ?

You can use the -e K2D_ALT_NAMES=name1,name2 environment variable to specify one or more alt names to be associated with the certificate.

The build above can be tested via the portainer/k2d:pr94 image.

[rothgar]

That throws an error for me

2024-11-11T17:32:12.814Z        INFO    cmd/k2d.go:89   starting k2d    {"version": "1.0.0", "config": {"AdvertiseAddr":"192.168.4.4,d.lan","AltNames":null,"DataPath":"/var/lib/k2d","DockerClientTimeout":600000000000,"LogFormat":"text","LogLevel":"debug","OperationBatchMaxSize":25,"OperationNamespaceDeletionDelay":3000000000,"Port":6443,"PortainerAgentVersion":"latest","PortainerEdgeKey":"","PortainerEdgeID":"","Secret":"YOUR_SECRET","StoreBackend":"disk","StoreRegistryBackend":"volume","StoreVolumeCopyImageName":"portainer/pause:latest"}}
2024-11-11T17:32:12.814Z        FATAL   cmd/k2d.go:96   unable to get advertise IP address: invalid IP address: 192.168.4.4,d.lan
main.main
        /home/runner/work/k2d/k2d/cmd/k2d.go:96
runtime.main
        /opt/hostedtoolcache/go/1.23.3/x64/src/runtime/proc.go:272

[deviantony]

@rothgar you have to use the -e K2D_ALT_NAMES= flag.

e.g.

docker run -d \
  --name k2d-k2d \
  --network host \
  --restart always \
  --env K2D_ADVERTISE_ADDR=192.168.4.4 \
  --env K2D_ALT_NAMES=d.lan \
  --env K2D_SECRET=MYSECRET \
  --label resource.k2d.io/namespace-name=k2d \
  --label workload.k2d.io/name=k2d \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  --volume /var/lib/k2d:/var/lib/k2d \
  portainer/k2d:1.0.0

[rothgar]

Thanks for pointing that out. I tried again with

docker run -d \
  --name k2d \
  --network host \
  --restart always \
  --env K2D_ADVERTISE_ADDR=${IP} \
  --env K2D_ALT_NAMES=d.lan,d.gerbil-dragon.ts.net \
  --env K2D_SECRET=YOUR_SECRET \
  --label resource.k2d.io/namespace-name=k2d \
  --label workload.k2d.io/name=k2d \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  --volume /volume1/@docker/k2d:/var/lib/k2d \
  portainer/k2d:pr94

This time I tried signing it with my tailnet DNS and local lan DNS but if I download the kubeconfig and change the host it fails.

kubectl get nodes
The connection to the server d.gerbil-dragon.ts.net:6443 was refused - did you specify the right host or port?

And openssl doesn't have the alt names

openssl s_client -connect 192.168.4.4:6443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep -i -a1 alt
                01:02:03:04:06
            X509v3 Subject Alternative Name: 
                DNS:kubernetes.default.svc, IP Address:192.168.4.4, IP Address:0:0:0:0:0:0:0:1

The container logs look fine though

2024-11-12T04:51:25.340Z        INFO    cmd/k2d.go:89   starting k2d    {"version": "1.0.0", "config": {"AdvertiseAddr":"192.168.4.4","AltNames":["d.lan","d.gerbil-dragon.ts.net"],"DataPath":"/var/lib/k2d","DockerClientTimeout":600000000000,"LogFormat":"text","LogLevel":"debug","OperationBatchMaxSize":25,"OperationNamespaceDeletionDelay":3000000000,"Port":6443,"PortainerAgentVersion":"latest","PortainerEdgeKey":"","PortainerEdgeID":"","Secret":"YOUR_SECRET","StoreBackend":"disk","StoreRegistryBackend":"volume","StoreVolumeCopyImageName":"portainer/pause:latest"}}