From 1401286910f46fe07c7f48c02fb1c7946455bf15 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Tue, 9 Jan 2018 14:37:34 +0300
Subject: [PATCH] Add support for cert alt names for etcd (#2139)

* Add support for cert alt names for etcd
* Update gen_certs_vault.yml
---
 roles/etcd/defaults/main.yml         | 7 +++++++
 roles/etcd/tasks/gen_certs_vault.yml | 2 +-
 roles/etcd/templates/openssl.conf.j2 | 4 ++++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index e2b1b83c7..d53caea22 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -8,6 +8,13 @@ etcd_data_dir: "/var/lib/etcd"
 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
 etcd_cert_group: root
+# Note: This does not set up DNS entries. It simply adds the following DNS
+# entries to the certificate
+etcd_cert_alt_names:
+  - "etcd.{{ system_namespace }}.svc.{{ dns_domain }}"
+  - "etcd.{{ system_namespace }}.svc"
+  - "etcd.{{ system_namespace }}"
+  - "etcd"
 
 etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
 
diff --git a/roles/etcd/tasks/gen_certs_vault.yml b/roles/etcd/tasks/gen_certs_vault.yml
index e8955cf70..fae397356 100644
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@@ -13,7 +13,7 @@
 - include: ../../vault/tasks/shared/issue_cert.yml
   vars:
     issue_cert_common_name: "etcd:master:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
-    issue_cert_alt_names: "{{ groups.etcd + ['localhost'] }}"
+    issue_cert_alt_names: "{{ groups['etcd'] + ['localhost'] + (etcd_cert_alt_names)|default() }}"
     issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}"
     issue_cert_file_group: "{{ etcd_cert_group }}"
     issue_cert_file_owner: kube
diff --git a/roles/etcd/templates/openssl.conf.j2 b/roles/etcd/templates/openssl.conf.j2
index c4a0d81c9..f5970af81 100644
--- a/roles/etcd/templates/openssl.conf.j2
+++ b/roles/etcd/templates/openssl.conf.j2
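Review bot: The new comment above `etcd_cert_alt_names` says what the list does not do, but not where it is consumed or how an override behaves; Ansible replaces a list variable wholesale when a user sets it, so an operator who adds one name and omits the rest silently narrows the certificate. Suggest extending the comment to `# Added as subjectAltName DNS entries to the etcd certificates in both the openssl.conf.j2 and Vault issue_cert paths; overriding this variable replaces the whole list.` The entries reference `system_namespace` and `dns_domain`, which are not defined in this hunk and presumably come from group vars, so they must be in scope wherever the role's defaults are rendered. Every extra SAN widens the set of hostnames a client will accept this server certificate for, so the list should stay limited to the in-cluster service names that are actually used.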
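Review bot: In the changed `issue_cert_alt_names` line, `(etcd_cert_alt_names)|default()` falls back to Jinja2's default of an empty string, so if the variable were ever undefined the `+` would fail with a list-plus-string type error rather than degrade to no extra names; since the role defaults define it, the filter is currently dead weight and reads as a fallback that does not work. Use `(etcd_cert_alt_names | default([]))` so the fallback is a list and the parentheses make the precedence explicit. The `vars` mapping of this task may continue past the end of the hunk.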
@@ -31,6 +31,10 @@ DNS.{{ 1 + loop.index }} = {{ host }}
 {% set idx = groups['etcd'] | length | int + 2 %}
 DNS.{{ idx | string }} = {{ apiserver_loadbalancer_domain_name }}
 {% endif %}
+{% set idx = groups['etcd'] | length | int + 3 %}
+{%- for etcd_alt_name in etcd_cert_alt_names -%}
+DNS.{{ idx + 1 + loop.index }} = {{ etcd_alt_name }}
+{%- endfor -%}
 {% for host in groups['etcd'] %}
 IP.{{ 2 * loop.index - 1 }} = {{ hostvars[host]['access_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
 IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
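Review bot: The `{%- for ... -%}` and `{%- endfor -%}` whitespace controls on the added lines strip the newline after every rendered `DNS.N = name` line, so all alt names come out run together on one line, and if `trim_blocks` is on (the default for Ansible's template module) the following `IP.1` line is appended to that same line as well; OpenSSL would then see a single `DNS.N` key whose value is the rest of the line, leaving none of the intended names as usable SANs and possibly dropping the first member's IP SAN. Drop the dashes: `{% for etcd_alt_name in etcd_cert_alt_names %}` and `{% endfor %}`, matching the plain block tags on the surrounding context lines, which already render one entry per line. The `idx + 1 + loop.index` numbering also leaves two `DNS.` indices unused after the load-balancer entry, which OpenSSL tolerates since only key uniqueness matters, but `idx + loop.index` would read more naturally. The `{% if %}` closed by the `{% endif %}` context line opens outside the hunk.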