From 356515222a9543b8dedc376aff9a58f01852673c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20de=20Passmoilesel?=
 <remipassmoilesel@users.noreply.github.com>
Date: Tue, 17 Oct 2017 12:06:07 +0200
Subject: [PATCH] Add possibility to insert more ip adresses in certificates
 (#1678)

* Add the possibility to insert more IP addresses in certificates

* Add newline at end of files

* Move supp ip parameters to k8s-cluster group file

* Add supplementary addresses in kubeadm master role

* Improve openssl indexes
---
 inventory/group_vars/k8s-cluster.yml               | 4 ++++
 roles/kubernetes/master/tasks/kubeadm-setup.yml    | 8 ++++++--
 roles/kubernetes/secrets/templates/openssl.conf.j2 | 6 ++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index 9c6a281a0..8071f5d76 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -170,3 +170,7 @@ istio_enabled: false
 # A comma separated list of levels of node allocatable enforcement to be enforced by kubelet.
 # Acceptible options are 'pods', 'system-reserved', 'kube-reserved' and ''. Default is "".
 # kubelet_enforce_node_allocatable: pods
+
+## Supplementary addresses that can be added in kubernetes ssl keys.
+## That can be usefull for example to setup a keepalived virtual IP
+# supplementary_addresses_in_ssl_keys: [10.0.0.1, 10.0.0.2, 10.0.0.3]
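Review bot: The comment on `supplementary_addresses_in_ssl_keys` does not say what kind of value is accepted or where the values end up. The openssl.conf.j2 change in this same commit writes each entry as `IP.n = ...`, so on that path only literal IP addresses are valid, and each entry becomes a subject alternative name that clients will accept for the certificate. I would reword the two comment lines as `## Extra IP addresses (not hostnames) added as subject alternative names to the Kubernetes certificates,` and `## e.g. a keepalived virtual IP. List only addresses that really front the API server.`, which also fixes the "usefull" typo.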
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index 9e716aa2d..b861961dc 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -54,8 +54,12 @@
       {%- if hostvars[host]['access_ip'] is defined %}{{ hostvars[host]['access_ip'] }}{% endif %}
       {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
       {%- endfor %}
-  tags:
-    - facts
+      {% if supplementary_addresses_in_ssl_keys is defined %}
+      {% for addr in supplementary_addresses_in_ssl_keys %}
+      {{ addr }}
+      {% endfor %}
+      {% endif %}
+  tags: facts
 
 - name: kubeadm | Copy etcd cert dir under k8s cert dir
   command: "cp -TR {{ etcd_cert_dir }} {{ kube_config_dir }}/ssl/etcd"
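Review bot: The `is defined` guard on the new `{% if %}` line accepts any value, so a scalar such as `supplementary_addresses_in_ssl_keys: 10.0.0.1` would be iterated character by character and each character emitted as its own entry. A guard like `{% if supplementary_addresses_in_ssl_keys is defined and supplementary_addresses_in_ssl_keys is not string %}`, or an `assert` task that fails early on a non-list value, would catch this. The loop added to openssl.conf.j2 has the same gap. The templated value starts above the hunk, so I cannot tell from here whether the extra whitespace from the new `{% ... %}` lines matters; the surrounding lines use `{%-`, the new ones do not.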
diff --git a/roles/kubernetes/secrets/templates/openssl.conf.j2 b/roles/kubernetes/secrets/templates/openssl.conf.j2
index d3164286e..d998d4cb3 100644
--- a/roles/kubernetes/secrets/templates/openssl.conf.j2
+++ b/roles/kubernetes/secrets/templates/openssl.conf.j2
@@ -26,3 +26,9 @@ IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansi
 {% set idx =  groups['kube-master'] | length | int * 2 + 1 %}
 IP.{{ idx }} = {{ kube_apiserver_ip }}
 IP.{{ idx + 1 }} = 127.0.0.1
+{% if supplementary_addresses_in_ssl_keys is defined %}
+{% set is = idx + 1 %}
+{% for addr in supplementary_addresses_in_ssl_keys %}
+IP.{{ is + loop.index }} = {{ addr }}
+{% endfor %}
+{% endif %}
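Review bot: `{% set is = idx + 1 %}` names the offset after the Jinja2 test keyword `is`, which the line just above uses in `is defined`, so the block is easy to misread. A name such as `{% set supp_base = idx + 1 %}` with `IP.{{ supp_base + loop.index }} = {{ addr }}` would read more clearly. A short template comment like `{# supplementary IPs continue the numbering after the 127.0.0.1 entry #}` would also help, since the kube-master loop that establishes the numbering starts outside the hunk.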
-- 
GitLab