tls: ensure all ip families are considered for kube-apiserver-service-network-server

The commit ensures all service networks are considered (i.e. that is all
IP families) when generating the certificate
kube-apiserver-service-network-server.

Author: tthvo

pkg/asset/tls/apiserver.go

@@ -297,9 +297,14 @@ func (a *KubeAPIServerServiceNetworkServerCertKey) Generate(ctx context.Context,
 	ca := &KubeAPIServerServiceNetworkSignerCertKey{}
 	installConfig := &installconfig.InstallConfig{}
 	dependencies.Get(ca, installConfig)
-	serviceAddress, err := cidrhost(installConfig.Config.Networking.ServiceNetwork[0].IPNet, 1)
-	if err != nil {
-		return errors.Wrap(err, "failed to get service address for kube-apiserver from InstallConfig")
+
+	serviceAddresses := make([]net.IP, len(installConfig.Config.Networking.ServiceNetwork))
+	for i, svcNet := range installConfig.Config.Networking.ServiceNetwork {
+		serviceAddress, err := cidrhost(svcNet.IPNet, 1)
+		if err != nil {
+			return errors.Wrap(err, "failed to get service address for kube-apiserver from InstallConfig")
+		}
+		serviceAddresses[i] = net.ParseIP(serviceAddress)
 	}
 
 	cfg := &CertCfg{
@@ -315,7 +320,7 @@ func (a *KubeAPIServerServiceNetworkServerCertKey) Generate(ctx context.Context,
 			"openshift.default.svc",
 			"openshift.default.svc.cluster.local",
 		},
-		IPAddresses: []net.IP{net.ParseIP(serviceAddress)},
+		IPAddresses: serviceAddresses,
 	}
 
 	return a.SignedCertKey.Generate(ctx, cfg, ca, "kube-apiserver-service-network-server", AppendParent)