Unverified Commit 14012869 authored by Matthew Mosesohn's avatar Matthew Mosesohn Committed by GitHub

Add support for cert alt names for etcd (#2139)

* Add support for cert alt names for etcd

* Update gen_certs_vault.yml
parent fd04c142
......@@ -8,6 +8,13 @@ etcd_data_dir: "/var/lib/etcd"
etcd_config_dir: /etc/ssl/etcd
etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
etcd_cert_group: root
# Note: This does not set up DNS entries. It simply adds the following DNS
# entries to the certificate
etcd_cert_alt_names:
- "etcd.{{ system_namespace }}.svc.{{ dns_domain }}"
- "etcd.{{ system_namespace }}.svc"
- "etcd.{{ system_namespace }}"
- "etcd"
etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
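Review bot: The bare `etcd` entry on the last line of `etcd_cert_alt_names` is a single-label name, so any client that reaches a host as plain `etcd` through its resolver search path will accept this certificate for it, whereas the three entries above it are bound to `system_namespace`; if that breadth is intended it is worth saying so next to the list. The comment above the list speaks of "DNS entries", which reads like records; something like `# Note: this does not create DNS records. It only adds these names as subjectAltName DNS entries of the etcd certificate.` is more precise. The values also assume `system_namespace` and `dns_domain` are defined wherever this defaults file is loaded, which the hunk does not show.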
......@@ -13,7 +13,7 @@
- include: ../../vault/tasks/shared/issue_cert.yml
vars:
issue_cert_common_name: "etcd:master:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
issue_cert_alt_names: "{{ groups.etcd + ['localhost'] }}"
issue_cert_alt_names: "{{ groups['etcd'] + ['localhost'] + (etcd_cert_alt_names)|default() }}"
issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}"
issue_cert_file_group: "{{ etcd_cert_group }}"
issue_cert_file_owner: kube
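Review bot: `default()` with no argument on the new `issue_cert_alt_names` line falls back to an empty string, not an empty list, so when `etcd_cert_alt_names` is undefined the expression becomes `list + ''` and the template errors instead of degrading to the two fixed entries; use `default([])`, and the parentheses around the variable are redundant since the filter already binds to it. Since this commit adds the variable to the role defaults, the fallback is only reached when those defaults are not loaded, but that is exactly the case a `default` is meant to cover. Proposed line: `issue_cert_alt_names: "{{ groups['etcd'] + ['localhost'] + etcd_cert_alt_names|default([]) }}"`.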
......@@ -31,6 +31,10 @@ DNS.{{ 1 + loop.index }} = {{ host }}
{% set idx = groups['etcd'] | length | int + 2 %}
DNS.{{ idx | string }} = {{ apiserver_loadbalancer_domain_name }}
{% endif %}
{% set idx = groups['etcd'] | length | int + 3 %}
{%- for etcd_alt_name in etcd_cert_alt_names -%}
DNS.{{ idx + 1 + loop.index }} = {{ etcd_alt_name }}
{%- endfor -%}
{% for host in groups['etcd'] %}
IP.{{ 2 * loop.index - 1 }} = {{ hostvars[host]['access_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
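Review bot: The whitespace-control markers on the new loop (`{%- for … -%}` and `{%- endfor -%}`) strip the newline on both sides of the `DNS.… = …` body, so with more than one alt name the entries are rendered back to back on a single line (`DNS.5 = etcd.…DNS.6 = …`) instead of one per line as the config format needs; the other loops in this hunk use plain tags, and this one should too: `{% for etcd_alt_name in etcd_cert_alt_names %}` / `{% endfor %}`. Separately, `idx` is set to `len + 3` and the body adds `1 + loop.index`, so the first alt name lands at `DNS.{len+5}`, leaving two unused indices after the load-balancer entry at `DNS.{len+2}`; OpenSSL does not, as far as I know, require consecutive numbering, but `{% set idx = groups['etcd'] | length | int + 2 %}` with `DNS.{{ idx + loop.index }}` would make the numbering contiguous and match the evident intent. The section these entries belong to starts before the hunk.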