Merge branch 'vexxhost:main' into k8s_1_28

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [0.20.0](https://github.com/vexxhost/magnum-cluster-api/compare/v0.19.2...v0.20.0) (2024-06-27)
+
+
+### Features
+
+* support additional cert sans [ATMOSPHERE-260] ([#402](https://github.com/vexxhost/magnum-cluster-api/issues/402)) ([da93f6a](https://github.com/vexxhost/magnum-cluster-api/commit/da93f6abc822579d52d88eace644c7d9bd0a8cdd))
+* support cilium cni ([#287](https://github.com/vexxhost/magnum-cluster-api/issues/287)) ([4f922d0](https://github.com/vexxhost/magnum-cluster-api/commit/4f922d0a805cea8a4b0e6e520b28d81a55b5e150))
+
 ## [0.19.2](https://github.com/vexxhost/magnum-cluster-api/compare/v0.19.1...v0.19.2) (2024-06-20)
 
 

docs/user/labels.md

@@ -168,6 +168,11 @@ is often accomplished by deploying a driver on each node.
 
 ## Kubernetes
 
+* `api_server_cert_sans`
+
+   Specify the additional Subject Alternative Names (SANs) for the Kubernetes API Server,
+   separated by commas.
+
 * `api_server_tls_cipher_suites`
 
    Specify the list of TLS cipher suites to use for the Kubernetes API server,

magnum_cluster_api/resources.py

@@ -1183,6 +1183,15 @@ def get_object(self) -> objects.ClusterClass:
                                 },
                             },
                         },
+                        {
+                            "name": "apiServerSANs",
+                            "required": True,
+                            "schema": {
+                                "openAPIV3Schema": {
+                                    "type": "string",
+                                },
+                            },
+                        },
                         {
                             "name": "nodeCidr",
                             "required": True,
@@ -2050,6 +2059,7 @@ def get_object(self) -> objects.ClusterClass:
                                                     - {{ .builtin.cluster.name }}.{{ .builtin.cluster.namespace }}
                                                     - {{ .builtin.cluster.name }}.{{ .builtin.cluster.namespace }}.svc
                                                     - {{ .builtin.cluster.name }}.{{ .builtin.cluster.namespace }}.svc.cluster.local # noqa: E501
+                                                    {{ .apiServerSANs }}
                                                     """
                                                 ),
                                             },
@@ -2624,6 +2634,10 @@ def get_object(self) -> objects.Cluster:
                                     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",  # noqa: E501
                                 ),
                             },
+                            {
+                                "name": "apiServerSANs",
+                                "value": utils.generate_api_cert_san_list(self.cluster),
+                            },
                             {
                                 "name": "nodeCidr",
                                 "value": self.cluster.labels.get(

magnum_cluster_api/utils.py

@@ -483,3 +483,11 @@ def kube_apply_patch(resource):
 
     resource.api.raise_for_status(resp)
     resource.set_obj(resp.json())
+
+
+def generate_api_cert_san_list(cluster: magnum_objects.Cluster):
+    cert_sans = cluster.labels.get("api_server_cert_sans", "")
+    additional_cert_sans_list = cert_sans.split(",")
+
+    # Add the additional cert SANs to the template
+    return "\n".join(f"- {san}" for san in additional_cert_sans_list if san)

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "magnum-cluster-api"  
-version = "0.19.2"
+version = "0.20.0"
 description = "Cluster API driver for Magnum"
 authors = ["Mohammed Naser <[email protected]>"]
 license = "Apache-2.0"