Merge pull request #35109 from sttts/sttts-sni
Automatic merge from submit-queue
Add SNI support to the apiserver
This PR adds the `--tls-sni-key-cert` flag to the apiserver. It can be passed multiple times in the following ways:
``` shell
$ apiserver \
--tls-sni-cert-key '*.example.com,example.com: example.key,example.crt' \
--tls-sni-cert-key 'foo.key,foo.crt'
```
The first variant explicitly sets the accepted domain names, the second variant reads the common names and DNS names from the certificate itself.
If no domain name matches, the existing certificate (`--tls-cert-file`) is used.
``` golang
fs.Var(config.NewNamedCertKeyArray(&s.SNICertKeys), "tls-sni-cert-key", ""+
"A pair of x509 certificate and private key file paths, optionally prefixed with a list of "+
"domain patterns which are fully qualified domain names, possibly with prefixed wildcard "+
"segments. If no domain patterns are provided, the names of the certificate are "+
"extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns "+
"trump over extracted names. For multiple key/certificate pairs, use the "+
"--tls-sni-key-cert multiple times. "+
"Examples: \"example.key,example.crt\" or \"*.foo.com,foo.com:foo.key,foo.crt\".")
```
``` release-note
Add SNI support to the apiserver
Pass multiple certificates and domain name patterns with `--tls-sni-cert-key` and the right certificate will be chosen depending on the url the client is using.
```
Showing
This diff is collapsed.
Click to expand it.
Please
register
or
sign in
to comment