Add support for cert alt names for etcd (#2139)

* Add support for cert alt names for etcd

* Update gen_certs_vault.yml

roles/etcd/defaults/main.yml

@@ -8,6 +8,13 @@ etcd_data_dir: "/var/lib/etcd"
 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
 etcd_cert_group: root
+# Note: This does not set up DNS entries. It simply adds the following DNS
+# entries to the certificate
+etcd_cert_alt_names:
+  - "etcd.{{ system_namespace }}.svc.{{ dns_domain }}"
+  - "etcd.{{ system_namespace }}.svc"
+  - "etcd.{{ system_namespace }}"
+  - "etcd"
 
 etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
 

roles/etcd/tasks/gen_certs_vault.yml

@@ -13,7 +13,7 @@
 - include: ../../vault/tasks/shared/issue_cert.yml
   vars:
     issue_cert_common_name: "etcd:master:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
-    issue_cert_alt_names: "{{ groups.etcd + ['localhost'] }}"
+    issue_cert_alt_names: "{{ groups['etcd'] + ['localhost'] + (etcd_cert_alt_names)|default() }}"
     issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}"
     issue_cert_file_group: "{{ etcd_cert_group }}"
     issue_cert_file_owner: kube

roles/etcd/templates/openssl.conf.j2

@@ -31,6 +31,10 @@ DNS.{{ 1 + loop.index }} = {{ host }}
 {% set idx =  groups['etcd'] | length | int + 2 %}
 DNS.{{ idx | string }} = {{ apiserver_loadbalancer_domain_name }}
 {% endif %}
+{% set idx =  groups['etcd'] | length | int + 3 %}
+{%- for etcd_alt_name in etcd_cert_alt_names -%}
+DNS.{{ idx + 1 + loop.index }} = {{ etcd_alt_name }}
+{%- endfor -%}
 {% for host in groups['etcd'] %}
 IP.{{ 2 * loop.index - 1 }} = {{ hostvars[host]['access_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
 IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}