@healdropper
Contributor

This PR addresses a bug when using the docker driver with apiserver_ips.

Even when apiserver_ips is configured in Terraform, the specified IPs are not added to the Kubernetes API server certificate SANs. As a result, clients connecting via the configured IP hit TLS validation errors (x509: certificate is valid for … not ).

Problem

Example Terraform config:

resource "minikube_cluster" "docker" {
  driver        = "docker"
  cluster_name  = "terraform-provider-minikube-docker"
  apiserver_ips = ["192.168.100.82"]
  ...
}

Running

minikube -p terraform-provider-minikube-docker ssh -- \
  "sudo openssl x509 -noout -text -in /var/lib/minikube/certs/apiserver.crt | grep -A1 'Subject Alternative Name'"

Actual result (missing 192.168.100.82)

The IPs do not appear in the Kubernetes API server certificate SAN:

X509v3 Subject Alternative Name: 
    DNS:kubernetes.local, DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:terraform-provider-minikube-docker,
    DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes,
    DNS:localhost, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1, IP Address:192.168.49.2

Expected result (with 192.168.100.82 included)

X509v3 Subject Alternative Name: 
    DNS:kubernetes.local, DNS:minikubeCA, DNS:control-plane.minikube.internal, DNS:terraform-provider-minikube-docker,
    DNS:kubernetes.default.svc.cluster.local, DNS:kubernetes.default.svc, DNS:kubernetes.default, DNS:kubernetes,
    DNS:localhost, IP Address:192.168.100.82, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.0.0.1, IP Address:192.168.49.2

Context

This issue occurs only via the Terraform provider.

Running minikube start --apiserver-ips=192.168.100.82 directly works as expected and adds the IP to SANs.

The provider currently doesn’t propagate apiserver_ips to the underlying minikube/kubeadm configuration, which causes the mismatch.
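The TLS failure described in this PR can be reproduced offline with Go's own hostname verification, shown here as an added example that is not part of the PR or the provider's code. `issueCert` and `missingIPSANs` are hypothetical helper names, and the certificate is a constructed self-signed stand-in for `apiserver.crt` carrying the IP SANs from the "Actual result" output.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert builds a constructed, self-signed stand-in for apiserver.crt with the given IP SANs.
func issueCert(ips ...string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// missingIPSANs returns the wanted IPs that a TLS client would reject for this certificate.
func missingIPSANs(cert *x509.Certificate, want []string) (missing []string) {
	for _, ip := range want {
		if cert.VerifyHostname(ip) != nil { // IP literals match IP SANs only, never DNS SANs
			missing = append(missing, ip)
		}
	}
	return missing
}

func main() {
	cert, err := issueCert("10.96.0.1", "127.0.0.1", "10.0.0.1", "192.168.49.2") // "Actual result" IP SANs
	if err != nil {
		panic(err)
	}
	fmt.Println("rejected:", missingIPSANs(cert, []string{"192.168.100.82", "192.168.49.2"}))
}
```

A non-empty result means clients dialing that address will fail certificate verification, which makes the check usable as a post-apply assertion on the IPs passed in `apiserver_ips`.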

@scott-the-programmer
Owner

Thank you for the contribution! I'll give it a whirl on my machine and cut a release shortly 👍🏽

@scott-the-programmer merged commit 5107aea into scott-the-programmer:main Oct 10, 2025
1 check passed