This repository has been archived by the owner on Sep 30, 2020. It is now read-only.

Kiam server health check is hardcoded #1350

Closed
kevtaylor opened this issue Jun 4, 2018 · 2 comments

@kevtaylor
Contributor

The latest Vault (0.10.1) does not allow port names in the subject alternative name.

Previous editions allowed this: "alt_names=kiam-server:443,localhost:443" when creating a pki issue.

This has now been stopped and only valid DNS names are allowed.

Vault will allow overriding localhost, which will create:

```
X509v3 Subject Alternative Name:
    DNS:localhost
```

...but the server health checks in the kiam-server manifest specify the port in the server address check and this is validated against the SAN in the cert

```yaml
livenessProbe:
  exec:
    command:
    - /health
    - --cert=/etc/kiam/tls/server.pem
    - --key=/etc/kiam/tls/server-key.pem
    - --ca=/etc/kiam/tls/ca.pem
    - --server-address=localhost:443
    - --server-address-refresh=2s
    - --timeout=5s
```

Need to either allow a configurable server-address or have some other health check

/cc @pingles
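The following is an added illustration, not code from kiam or kube-aws, of why a probe that dials `localhost:443` cannot be validated against a certificate whose only SAN is `DNS:localhost`: Go's standard-library hostname check compares the name exactly as it is handed in, so a `host:port` string never matches a bare DNS SAN, while the host with the port stripped does. The self-signed certificate, the `hostnameForSAN` helper and the sample address are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert builds a constructed self-signed certificate whose only SAN is
// DNS:localhost, the shape Vault issues once port-qualified alt_names are
// rejected. Generation can only fail on a broken random source, so it panics.
func newServerCert() *x509.Certificate {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// hostnameForSAN (hypothetical helper) strips the port from host:port, leaving
// a bare host unchanged, so only the host is matched against the SANs; that is
// what a configurable server name should hand to TLS, not host:port.
func hostnameForSAN(addr string) string {
	if host, _, err := net.SplitHostPort(addr); err == nil {
		return host
	}
	return addr
}

func main() {
	cert := newServerCert()
	addr := "localhost:443" // the address the hardcoded probe dials
	fmt.Println("host:port in SAN:", cert.VerifyHostname(addr) == nil)                  // false
	fmt.Println("host only in SAN:", cert.VerifyHostname(hostnameForSAN(addr)) == nil) // true
}
```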

@kevtaylor
Contributor Author

I'm going to put in a PR to make the server address configurable
/assign @kevtaylor

@pingles

pingles commented Jun 11, 2018

We recently took a PR to address this uswitch/kiam#86. I'm hoping we can pick up a few other changes and have a 3.0 release within a couple of weeks. The change has been integrated so there's a tagged image on Quay with the new code, but there are a few other improvements I'd like to see pulled in before we move to do another release.

The TLS change is potentially breaking (depending on how certs are generated) so it is potentially worth talking about how kube-aws does that currently. If you're generating them with Vault and there's no port in the server name then you should be able to work fine.

davidmccormick pushed a commit to HotelsDotCom/kube-aws that referenced this issue Jul 18, 2018
Consolidates the kiam parts into the kiamSupport configuration.
Also adds the listeners for server and agent as configurable options.
The previous KIAMImage type is now underneath kiamSupport, so this is a breaking change to existing cluster.yaml files.

Now looks like this
```
  kiamSupport:
    enabled: true
    image:
      repo: quay.io/uswitch/kiam
      tag: v2.8
    server: localhost
    agent: kiam-server
```

The original DNS health check/server settings are preserved as defaults
The kiam image is bumped to v2.8

Resolves kubernetes-retired#1350

Conflicts:
	core/controlplane/config/config.go
	core/controlplane/config/templates/cluster.yaml
	test/integration/maincluster_test.go