Mandatory to have management service listening on IP on default NIC? #9429
Hi,

In the recent changes related to security [1], some certificate validation has been introduced. As a matter of fact, those certificates also contain IP addresses in the SAN field. As I understand it, that means that from now on, if we want to use IPs for cross-management and management-to-hosts communication, it is mandatory to have the management service listening on an IP on the default NIC (the one holding the route to the default gateway). Otherwise, certificates won't be validated.

Am I reading this right?

Thank you,
-Benjamin.

[1] commit/2cf838cc1d19298fe874b6abfcc9bbf88c7c6e49
Replies: 1 comment
@benj-n per https://github.com/apache/cloudstack/blob/main/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java#L372 the mgmt server certificate should have all the IPs of the default NIC. This is only used to communicate b/w mgmt server and mgmt server, not b/w agent (KVM host) and mgmt server. What you can do is keep the default NIC of your mgmt server hosts on the same subnet/CIDR.
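The practical question behind this thread is whether the IP a management server actually listens on appears among the iPAddress entries of its certificate's SAN. The following is an added example, not CloudStack code and not taken from the discussion: it checks a certificate's SAN (in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, so it can be pointed at a live peer) against a given IP, and shows the rule that matters here: iPAddress SANs match exactly, with no wildcard or subnet semantics, so an address on the same /24 as a SAN entry still fails validation. The sample certificate dict, the `mgmt1.example.internal` name and the `10.10.0.0/16` addresses are constructed for the example; the `default_nic_ip()` helper, which asks the kernel which source address it would use for the default route, is an assumption about how one would find "the IP on the default NIC" and is not part of CloudStack's logic.

```python
"""Check whether a TLS server certificate's SAN covers a given IP address.

Added example (not CloudStack code). Operates on the dict shape returned by
ssl.SSLSocket.getpeercert(), where subjectAltName is a tuple of
(kind, value) pairs such as ("DNS", "host") or ("IP Address", "10.0.0.1").

Matching rule demonstrated: an iPAddress SAN matches only the identical
address (after normalisation); there are no wildcards and no CIDR semantics.
"""
import ipaddress
import socket

# Constructed sample, mimicking ssl.getpeercert() output for a mgmt server
# whose default NIC carries 10.10.0.11 and 10.10.0.12 (both hypothetical).
SAMPLE_MGMT_CERT = {
    "subject": ((("commonName", "mgmt1.example.internal"),),),
    "subjectAltName": (
        ("DNS", "mgmt1.example.internal"),
        ("IP Address", "10.10.0.11"),
        ("IP Address", "10.10.0.12"),
        ("IP Address", "2001:DB8::1"),   # documentation prefix, constructed
        ("DNS", "10.10.0.99"),           # an IP string in a dNSName entry
    ),
}


def san_ips(peercert: dict) -> set:
    """Return the set of iPAddress SAN entries as ipaddress objects.

    Only entries of kind "IP Address" count; an IP-looking string stored as a
    dNSName is deliberately not treated as an IP identity.
    """
    found = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue
        try:
            found.add(ipaddress.ip_address(value))
        except ValueError:
            continue  # skip malformed entries instead of failing the whole check
    return found


def ip_covered_by_san(peercert: dict, ip: str) -> bool:
    """True iff `ip` equals one of the certificate's iPAddress SANs.

    Normalisation via ipaddress means "2001:db8::1" and "2001:DB8:0:0::1"
    compare equal, while 10.10.1.11 does not match 10.10.0.11 even though
    both sit in 10.10.0.0/16: there is no subnet matching for SANs.
    """
    return ipaddress.ip_address(ip) in san_ips(peercert)


def uncovered_listen_ips(peercert: dict, listen_ips) -> set:
    """Return the listening IPs (as strings) that the certificate does not cover."""
    return {ip for ip in listen_ips if not ip_covered_by_san(peercert, ip)}


def default_nic_ip(probe_target: str = "192.0.2.1") -> str:
    """Source address the kernel would use toward the default route.

    Hypothetical helper: a UDP connect() only selects a route and binds a
    source address, it transmits nothing. 192.0.2.1 is a TEST-NET-1 address.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect((probe_target, 9))
        return sock.getsockname()[0]
    finally:
        sock.close()


if __name__ == "__main__":
    try:
        local = default_nic_ip()
    except OSError:
        local = "10.10.1.11"  # no default route here; fall back to a constructed value
    print("default NIC IP:", local)
    print("covered by SAN:", ip_covered_by_san(SAMPLE_MGMT_CERT, local))
    print("uncovered listeners:",
          uncovered_listen_ips(SAMPLE_MGMT_CERT, ["10.10.0.11", "10.10.1.11"]))
```

To run this against a real management server, replace `SAMPLE_MGMT_CERT` with the dict from `ssl.create_default_context().wrap_socket(...).getpeercert()` (with a context that trusts the CloudStack root CA), and pass the addresses the service actually binds to; any address reported by `uncovered_listen_ips()` is one that peers validating the IP SAN will reject.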