kelseyhightower/docker-kubernetes-tls-guide

Multiple api-servers, controller-managers and service account tokens

huggsboson opened this issue · 1 comment

One place where all of the kubernetes documentation (and this guide) is unclear is if we are running multiple API servers should we generate a kube-apiserver-server.pem and kube-apiserver-server-key.pem per host (and add a SAN to the cert if we want to use an LB)? Or do we re-use the same one across all of the hosts. We've had some issues with the default service-account token being usable on one api server but not others when we generate a cert per (even though this seems like the most sensible setup). Basically it seems like the service account tokens are signed using the TLS public key so that the API servers can verify it later, but if all the api servers have a different key pair this won't work out well.

Digging through the docs, reasoning from PKI, and looking at issue kubernetes/kubernetes#11000, it seems like the controller-manager yaml needs to be configured to use the same private key across all hosts. The apiservers then need to be configured to either use the same TLS private key file (for that file's PUBLIC key), or be given the public key matching the private key from the controller manager.
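The failure described in the issue comes down to key agreement between the signer and the verifiers: the controller-manager signs every service account token with one private key (the one passed via `--service-account-private-key-file`), and each API server checks the signature with whatever public key it was given (`--service-account-key-file`, or its own TLS key when that flag is absent). An API server holding an unrelated per-host key rejects tokens that are perfectly valid elsewhere. The Go program below is an added illustration, not code from this guide, from Kubernetes, or from the issue reporter; it builds a minimal RS256 JWT with the standard library (real Kubernetes tokens carry more claims, and the key material here is generated on the fly rather than read from the cluster's files) and shows one token being accepted by an API server that holds the controller-manager's public key and refused by one that holds a different key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// b64 is the unpadded base64url encoding used by JWTs.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signToken plays the controller-manager: it signs the claims with the
// private key behind --service-account-private-key-file (RS256 JWT).
func signToken(priv *rsa.PrivateKey, claims map[string]string) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyToken plays one API server: it checks the signature with the public
// key it was configured with (--service-account-key-file). Any key other
// than the signer's, including the host's own TLS key, fails here.
func verifyToken(pub *rsa.PublicKey, token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Simulate models the two layouts from the issue. It returns whether an API
// server holding the controller-manager's public key accepts a token, and
// whether an API server holding an unrelated per-host key does.
// All keys are constructed in-process for the demonstration.
func Simulate() (matchingKeyAccepts, perHostKeyAccepts bool, err error) {
	// The single controller-manager signing key.
	cmKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// A second API server that was given its own TLS key pair instead of the
	// controller-manager's public key (the misconfiguration in the report).
	hostBKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Claims shaped like a default service account token (constructed values).
	token, err := signToken(cmKey, map[string]string{
		"iss": "kubernetes/serviceaccount",
		"sub": "system:serviceaccount:default:default",
	})
	if err != nil {
		return false, false, err
	}
	return verifyToken(&cmKey.PublicKey, token), verifyToken(&hostBKey.PublicKey, token), nil
}

func main() {
	ok, bad, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("apiserver with controller-manager public key accepts token: %v\n", ok)
	fmt.Printf("apiserver with its own per-host key accepts token:          %v\n", bad)
}
```

Running it prints `true` for the first line and `false` for the second, which is exactly the "works on one API server but not the others" symptom: per-host TLS certificates are fine for serving HTTPS, but every API server must verify service account tokens with the public half of the one key the controller-manager signs with.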