[EKS] [request]: EKS CA should honor SAN x509 extension #750

Closed
mightyguava opened this issue Feb 13, 2020 · 3 comments
Labels
EKS Amazon Elastic Kubernetes Service


mightyguava commented Feb 13, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Add support to the EKS CA to create certificates with SAN extensions

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

We would like to create mTLS certs for pods operating as part of a cluster that needs to communicate peer to peer. At the minimum, the pods need to be able to identify as the service's DNS, and the pod's DNS. This can't be done using the EKS CA right now because it ignores the SAN x509 extension. Even if the CSR contains SANs, the signed cert generated by the CA drops them.

Are you currently working around this issue?

There are a few non-ideal workarounds, see

cloudfoundry-incubator/quarks-operator@cbab593
pingcap/tidb-operator#1685

Both seem to require modifying the application to use an alternative TLS verification scheme.

Additional context
This issue was raised here as well awslabs/amazon-eks-ami#341.

@mightyguava mightyguava added the Proposed Community submitted issue label Feb 13, 2020
@mikestef9 mikestef9 added the EKS Amazon Elastic Kubernetes Service label Feb 27, 2020
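The behaviour reported in the opening post can be checked mechanically by comparing the DNS SANs in a CSR with those in the certificate the signer returns. The Go program below is an added example, not part of the original issue or of any EKS code; `missingSANs`, `issue`, the throwaway test CA and the hostname are constructed for illustration, and it assumes Go 1.21 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// missingSANs lists the DNS SANs requested in the CSR that the issued certificate lacks.
func missingSANs(csr *x509.CertificateRequest, cert *x509.Certificate) (missing []string) {
	for _, name := range csr.DNSNames {
		if !slices.Contains(cert.DNSNames, name) {
			missing = append(missing, name)
		}
	}
	return missing
}

// issue signs a CSR with a throwaway test CA; keepSANs=false imitates the reported behaviour.
func issue(sans []string, keepSANs bool) (*x509.CertificateRequest, *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: sans[0]}, DNSNames: sans}
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, req, key))))
	ca := &x509.Certificate{Subject: pkix.Name{CommonName: "example-test-ca"}} // constructed issuer
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if keepSANs {
		leaf.DNSNames = csr.DNSNames // a signer that honors the CSR copies the SANs across
	}
	der := must(x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey))
	return csr, must(x509.ParseCertificate(der))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	fmt.Println(missingSANs(issue([]string{"db.default.svc.cluster.local"}, false))) // constructed name
}
```

Against a real cluster, the same `missingSANs` comparison applies to the CSR you submitted and the certificate read back from the signer; only DNS SANs are compared here, with exact string matching.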
@owenthereal

Any updates on this?

@mikestef9
Contributor

Hi @jingweno

We are working towards supporting this feature with the release of Kubernetes v1.16

@mikestef9
Contributor

This is now supported on EKS for Kubernetes 1.16 and above clusters.

https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-1.16

@mikestef9 mikestef9 removed the Proposed Community submitted issue label May 1, 2020