From afc3f7dce49fc6c78051032ac6f6e417e3f140df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?=
Date: Tue, 13 Nov 2018 16:10:59 +0100
Subject: [PATCH] Create certificates for each node too (#3698)

---
 .../secrets/tasks/gen_certs_script.yml | 35 ++++++++++++-------
 ...openssl.conf.j2 => openssl-master.conf.j2} | 0
 .../secrets/templates/openssl-node.conf.j2 | 16 +++++++++
 3 files changed, 38 insertions(+), 13 deletions(-)
 rename roles/kubernetes/secrets/templates/{openssl.conf.j2 => openssl-master.conf.j2} (100%)
 create mode 100644 roles/kubernetes/secrets/templates/openssl-node.conf.j2

diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index b6d6cb442..cf8881aab 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -28,14 +28,21 @@
 tags:
 - k8s-secrets
 
-- name: Gen_certs | write openssl config
+- name: Gen_certs | write masters openssl config
 template:
- src: "openssl.conf.j2"
- dest: "{{ kube_config_dir }}/openssl.conf"
+ src: "openssl-master.conf.j2"
+ dest: "{{ kube_config_dir }}/openssl-master.conf"
 run_once: yes
- delegate_to: "{{groups['kube-master'][0]}}"
+ delegate_to: "{{ groups['kube-master']|first }}"
 when: gen_certs|default(false)
 
+- name: Gen_certs | write nodes openssl config
+ template:
+ src: "openssl-node.conf.j2"
+ dest: "{{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf"
+ delegate_to: "{{ groups['kube-master']|first }}"
+ when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster']
+
 - name: Gen_certs | copy certs generation script
 template:
 src: "make-ssl.sh.j2"
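Review bot: The new `when:` on the `write nodes openssl config` task selects every host in `groups['k8s-cluster']`, with no counterpart to the per-host opt-out `gen_node_certs[h]|default(true)` that the `HOSTS` expression removed in the next hunk applied; the `run nodes cert generation script` task in that hunk has the same gap. If the opt-out is still wanted, both conditions should become `when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster'] and gen_node_certs[inventory_hostname]|default(true)`; if it was dropped deliberately, a sentence in the commit message would save the next reader the comparison. The hunk opens on the tail of a preceding task whose header is outside it.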
@@ -45,24 +52,26 @@
 delegate_to: "{{groups['kube-master'][0]}}"
 when: gen_certs|default(false)
 
-- name: Gen_certs | run cert generation script
- command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
+- name: Gen_certs | run master cert generation script
+ command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl-master.conf -d {{ kube_cert_dir }}"
 environment:
 - MASTERS: "{% for m in groups['kube-master'] %}
 {% if gen_master_certs|default(false) %}
 {{ m }}
 {% endif %}
 {% endfor %}"
- - HOSTS: "{% for h in groups['k8s-cluster'] %}
- {% if gen_node_certs[h]|default(true) %}
- {{ h }}
- {% endif %}
- {% endfor %}"
- run_once: yes
- delegate_to: "{{groups['kube-master'][0]}}"
+ delegate_to: "{{ groups['kube-master']|first }}"
 when: gen_certs|default(false)
 notify: set secret_changed
 
+- name: Gen_certs | run nodes cert generation script
+ command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf -d {{ kube_cert_dir }}"
+ environment:
+ - HOSTS: "{{ inventory_hostname }}"
+ delegate_to: "{{ groups['kube-master']|first }}"
+ when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster']
+ notify: set secret_changed
+
 - set_fact:
 all_master_certs: "['ca-key.pem',
 'apiserver.pem',
diff --git a/roles/kubernetes/secrets/templates/openssl.conf.j2 b/roles/kubernetes/secrets/templates/openssl-master.conf.j2
similarity index 100%
rename from roles/kubernetes/secrets/templates/openssl.conf.j2
rename to roles/kubernetes/secrets/templates/openssl-master.conf.j2
diff --git a/roles/kubernetes/secrets/templates/openssl-node.conf.j2 b/roles/kubernetes/secrets/templates/openssl-node.conf.j2
new file mode 100644
index 000000000..610764a5b
--- /dev/null
+++ b/roles/kubernetes/secrets/templates/openssl-node.conf.j2
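Review bot: The `run nodes cert generation script` task invokes `make-ssl.sh` on the first master once per node and has no `run_once`, so with the default forks several invocations run on that one host at the same time, all writing into the same `{{ kube_cert_dir }}`. If the script touches shared state — the CA files, a fixed temporary or working directory — those runs race and the result depends on scheduling; the single `run_once` invocation this replaces did not have that exposure. Either confirm make-ssl.sh is safe to run concurrently, or keep one invocation by pairing `run_once: yes` with `loop: "{{ groups['k8s-cluster'] }}"`, `HOSTS: "{{ item }}"` and `-f {{ kube_config_dir }}/{{ item }}-openssl.conf` in the command. The `set_fact` at the bottom of the hunk continues outside it.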
@@ -0,0 +1,16 @@
+{% set counter = {'dns': 2,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = localhost
+DNS.{{ counter["dns"] }} = {{ inventory_hostname }}{{ increment(counter, 'dns') }}
+{% if hostvars[inventory_hostname]['access_ip'] is defined %}
+IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['access_ip'] }}{{ increment(counter, 'ip') }}
+{% endif %}
+IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['ip'] | default(hostvars[inventory_hostname]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
+IP.{{ counter["ip"] }} = 127.0.0.1
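Review bot: On the `IP.{{ counter["ip"] }}` line that falls back to `ansible_default_ipv4`, the argument of `default()` is evaluated before the filter runs, so a node whose facts lack `ansible_default_ipv4` (no default route, or fact gathering disabled) can fail to render even when `ip` is set, depending on how the Ansible version in use handles chained undefined lookups; a definedness check around the fallback, like the `{% if ... is defined %}` already used for `access_ip`, would make the intent explicit. When `access_ip` and `ip` resolve to the same address the certificate carries that IP SAN twice, harmless but worth a guard if the two values can coincide. The first line packs the `{% set %}` and `{% macro %}` together with `[req]` to avoid a leading blank line; `{%- ... -%}` whitespace control would let each sit on its own line with identical rendered output.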