From 80703010bdae0b29cf2a5c5babb8c35ffb667429 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn <mmosesohn@mirantis.com>
Date: Fri, 13 Jan 2017 14:03:20 +0300
Subject: [PATCH] Use only one certificate for all apiservers

https://github.com/kubernetes/kubernetes/issues/25063
---
 .../manifests/kube-apiserver.manifest.j2          |  6 +++---
 .../manifests/kube-controller-manager.manifest.j2 |  2 +-
 roles/kubernetes/secrets/files/make-ssl.sh        | 15 +++++++++------
 roles/kubernetes/secrets/tasks/gen_certs.yml      |  8 ++++----
 4 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index fe9a49fa8..c05030697 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -35,10 +35,10 @@ spec:
     - --service-node-port-range={{ kube_apiserver_node_port_range }}
     - --client-ca-file={{ kube_cert_dir }}/ca.pem
     - --basic-auth-file={{ kube_users_dir }}/known_users.csv
-    - --tls-cert-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}.pem
-    - --tls-private-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem
+    - --tls-cert-file={{ kube_cert_dir }}/apiserver.pem
+    - --tls-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
     - --token-auth-file={{ kube_token_dir }}/known_tokens.csv
-    - --service-account-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem
+    - --service-account-key-file={{ kube_cert_dir }}/apiserver-key.pem
     - --secure-port={{ kube_apiserver_port }}
     - --insecure-port={{ kube_apiserver_insecure_port }}
 {% if kube_api_runtime_config is defined %}
diff --git a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
index c604587af..49dd05ba8 100644
--- a/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-controller-manager.manifest.j2
@@ -23,7 +23,7 @@ spec:
     - controller-manager
     - --master={{ kube_apiserver_endpoint }}
     - --leader-elect=true
-    - --service-account-private-key-file={{ kube_cert_dir }}/apiserver-{{ inventory_hostname }}-key.pem
+    - --service-account-private-key-file={{ kube_cert_dir }}/apiserver-key.pem
     - --root-ca-file={{ kube_cert_dir }}/ca.pem
     - --cluster-signing-cert-file={{ kube_cert_dir }}/ca.pem
     - --cluster-signing-key-file={{ kube_cert_dir }}/ca-key.pem
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 422bde6cf..4728cc6c2 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -72,14 +72,16 @@ else
     openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
 fi
 
+if [ ! -e "$SSLDIR/ca-key.pem" ]; then
+    # kube-apiserver key
+    openssl genrsa -out apiserver-key.pem 2048 > /dev/null 2>&1
+    openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config ${CONFIG} > /dev/null 2>&1
+    openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
+    cat ca.pem >> apiserver.pem
+fi
+
 if [ -n "$MASTERS" ]; then
     for host in $MASTERS; do
-        # kube-apiserver key
-        openssl genrsa -out apiserver-${host}-key.pem 2048 > /dev/null 2>&1
-        openssl req -new -key apiserver-${host}-key.pem -out apiserver-${host}.csr -subj "/CN=kube-apiserver-${host}" -config ${CONFIG} > /dev/null 2>&1
-        openssl x509 -req -in apiserver-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver-${host}.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
-        cat ca.pem >> apiserver-${host}.pem
-
         # admin key
         openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
         openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${host}" > /dev/null 2>&1
@@ -90,6 +92,7 @@ fi
 # Nodes and Admin
 if [ -n "$HOSTS" ]; then
     for host in $HOSTS; do
+        # node key
         openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
         openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${host}" > /dev/null 2>&1
         openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 365 > /dev/null 2>&1
diff --git a/roles/kubernetes/secrets/tasks/gen_certs.yml b/roles/kubernetes/secrets/tasks/gen_certs.yml
index bd652e340..545cba31f 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -39,14 +39,14 @@
                       {% for node in groups['kube-master'] %}
                       'admin-{{ node }}.pem',
                       'admin-{{ node }}-key.pem',
-                      'apiserver-{{ node }}.pem',
-                      'apiserver-{{ node }}-key.pem',
+                      'apiserver.pem',
+                      'apiserver-key.pem',
                       {% endfor %}]"
     my_master_certs: ['ca-key.pem',
                      'admin-{{ inventory_hostname }}.pem',
                      'admin-{{ inventory_hostname }}-key.pem',
-                     'apiserver-{{ inventory_hostname }}.pem',
-                     'apiserver-{{ inventory_hostname }}-key.pem'
+                     'apiserver.pem',
+                     'apiserver-key.pem'
                      ]
     all_node_certs: "['ca.pem',
                     {% for node in groups['k8s-cluster'] %}