Allow configuring the actual cluster DNS domain for the TLS certificate (#2770)

stephan2012 · web-flow · commit 3b25a4b98e3e · 2022-08-31T16:06:53.000-07:00
* Use actual cluster DNS domain for the TLS certificate

* Rename clusterDomain to cluster.dnsDomain

Signed-off-by: Stephan Austermühle &lt;au@hcsd.de&gt;

Signed-off-by: Stephan Austermühle &lt;au@hcsd.de&gt;
diff --git a/helm/aws-load-balancer-controller/README.md b/helm/aws-load-balancer-controller/README.md
@@ -80,6 +80,8 @@ kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/
 
 If you are setting `enableCertManager: true` you need to have installed cert-manager and it's CRDs before installing this chart; to install [cert-manager](https://artifacthub.io/packages/helm/cert-manager/cert-manager) follow the installation guide.
 
+Set `cluster.dnsDomain` (default: `cluster.local`) to the actual DNS domain of your cluster to include the FQDN in requested TLS certificates.
+
 #### Installing the Prometheus Operator
 
 If you are setting `serviceMonitor.enabled: true` you need to have installed the Prometheus Operator ServiceMonitor CRD before installing this chart and have the operator running to collect the metrics. The easiest way to do this is to install the [kube-prometheus-stack](https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack) Helm chart using the installation guide.
@@ -171,6 +173,7 @@ The default values set by the application itself can be confirmed [here](https:/
 | `image.tag`                                    | image tag                                                                                                | `<VERSION>`                                                                        |
 | `image.pullPolicy`                             | image pull policy                                                                                        | `IfNotPresent`                                                                     |
 | `clusterName`                                  | Kubernetes cluster name                                                                                  | None                                                                               |
+| `cluster.dnsDomain`                            | DNS domain of the Kubernetes cluster, included in TLS certificate requests                               | `cluster.local`                                                                    |
 | `securityContext`                              | Set to security context for pod                                                                          | `{}`                                                                               |
 | `resources`                                    | Controller pod resource requests & limits                                                                | `{}`                                                                               |
 | `priorityClassName`                            | Controller pod priority class                                                                            | system-cluster-critical                                                            |
diff --git a/helm/aws-load-balancer-controller/templates/_helpers.tpl b/helm/aws-load-balancer-controller/templates/_helpers.tpl
@@ -105,7 +105,7 @@ caCert: {{ index $secret.data "ca.crt" }}
 clientCert: {{ index $secret.data "tls.crt" }}
 clientKey: {{ index $secret.data "tls.key" }}
 {{- else -}}
-{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.cluster.local" $serviceName .Release.Namespace) -}}
+{{- $altNames := list (printf "%s.%s" $serviceName .Release.Namespace) (printf "%s.%s.svc" $serviceName .Release.Namespace) (printf "%s.%s.svc.%s" $serviceName .Release.Namespace .Values.cluster.dnsDomain) -}}
 {{- $ca := genCA "aws-load-balancer-controller-ca" 3650 -}}
 {{- $cert := genSignedCert (include "aws-load-balancer-controller.fullname" .) nil $altNames 3650 $ca -}}
 caCert: {{ $ca.Cert | b64enc }}
diff --git a/helm/aws-load-balancer-controller/templates/webhook.yaml b/helm/aws-load-balancer-controller/templates/webhook.yaml
@@ -167,7 +167,7 @@ metadata:
 spec:
   dnsNames:
   - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc
-  - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc.{{ .Values.cluster.dnsDomain }}
   issuerRef:
     kind: Issuer
     name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
@@ -13,9 +13,6 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-# The name of the Kubernetes cluster. A non-empty value is required
-clusterName:
-
 serviceAccount:
   # Specifies whether a service account should be created
   create: true
@@ -78,7 +75,7 @@ configureDefaultAffinity: true
 # topologySpreadConstraints is a stable feature of k8s v1.19 which provides the ability to
 # control how Pods are spread across your cluster among failure-domains such as regions, zones,
 # nodes, and other user-defined topology domains.
-# 
+#
 # more details here: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
 topologySpreadConstraints: {}
 
@@ -104,6 +101,14 @@ additionalLabels: {}
 # Enable cert-manager
 enableCertManager: false
 
+# The name of the Kubernetes cluster. A non-empty value is required
+clusterName:
+
+# cluster contains configurations specific to the kubernetes cluster
+cluster:
+    # Cluster DNS domain (required for requesting TLS certificates)
+    dnsDomain: cluster.local
+
 # The ingress class this controller will satisfy. If not specified, controller will match all
 # ingresses without ingress class annotation and ingresses of type alb
 ingressClass: alb
