From 242edd14ff80318ce7a112383c21ee8713d35252 Mon Sep 17 00:00:00 2001
From: "Tom M." <tom.mbrt@googlemail.com>
Date: Fri, 26 Jul 2024 03:49:23 +0200
Subject: [PATCH] Fix etcd certificate to acces address as SAN (#11388)

---
 roles/etcd/templates/openssl.conf.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/etcd/templates/openssl.conf.j2 b/roles/etcd/templates/openssl.conf.j2
index f6681a145..b4a2d43d6 100644
--- a/roles/etcd/templates/openssl.conf.j2
+++ b/roles/etcd/templates/openssl.conf.j2
@@ -25,6 +25,11 @@ authorityKeyIdentifier=keyid:always,issuer
 [alt_names]
 DNS.1 = localhost
 {% for host in groups['etcd'] %}
+{% if hostvars[host]['etcd_access_address'] is defined and not (hostvars[host]['etcd_access_address'] | ansible.utils.ipaddr) %}
+{# If defined, the address which etcd uses to access its members must be included in the SAN, otherwise etcd will fail with a TLS error upon startup. #}
+DNS.{{ counter["dns"] }} = {{ hostvars[host]['etcd_access_address'] }}{{ increment(counter, 'dns') }}
+{% endif %}
+{# This will always expand to inventory_hostname, which can be a completely arbitrary name, that etcd will not know or care about, hence this line is (probably) redundant. #}
 DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}
 {% endfor %}
 {% if apiserver_loadbalancer_domain_name is defined %}
-- 
GitLab
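Review bot: The new `{% if ... is defined and not (... | ansible.utils.ipaddr) %}` guard only covers a hostname-valued `etcd_access_address`; an IP-valued one is deliberately skipped here, so the startup TLS failure the added comment describes persists for IP addresses unless the IP SAN list (outside this hunk) carries a mirrored branch that emits the same variable as an `IP.N` entry when `ansible.utils.ipaddr` is truthy. That mirror should be part of the same fix, or the guard's exclusion should be documented as relying on it. Separately, the `(probably) redundant` comment on the existing `DNS.{{ counter["dns"] }} = {{ host }}` line is a hedge shipped into a certificate template; either verify the claim and remove the entry, or state why it is kept, since a SAN that peers dial by inventory name cannot be dropped safely on a guess. Note also that when `etcd_access_address` equals `host` this produces a duplicate DNS SAN, which is harmless but worth a one-line comment.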