kube-up: Support multiple additional IPs for SSL cert

And pass the public IP when setting up AWS

cluster/aws/util.sh

@@ -958,7 +958,7 @@ function start-master() {
 
   # We have to make sure that the cert is valid for API_SERVERS
   # i.e. we likely have to pass ELB name / elastic IP in future
-  create-certs "${MASTER_INTERNAL_IP}"
+  create-certs "${KUBE_MASTER_IP}" "${MASTER_INTERNAL_IP}"
 
   # This key is no longer needed, and this enables us to get under the 16KB size limit
   KUBECFG_CERT_BASE64=""

cluster/common.sh

@@ -660,16 +660,18 @@ function sha1sum-file() {
 #   KUBECFG_CERT_BASE64
 #   KUBECFG_KEY_BASE64
 function create-certs {
-  local -r cert_ip="${1}"
+  local -r primary_cn="${1}"
 
   # Determine extra certificate names for master
   local octets=($(echo "${SERVICE_CLUSTER_IP_RANGE}" | sed -e 's|/.*||' -e 's/\./ /g'))
   ((octets[3]+=1))
   local -r service_ip=$(echo "${octets[*]}" | sed 's/ /./g')
   local sans=""
-  if [[ -n "${cert_ip}" ]]; then
+  for extra in $@; do
-    sans="IP:${cert_ip},"
+    if [[ -n "${extra}" ]]; then
-  fi
+      sans="${sans}IP:${extra},"
+    fi
+  done
   sans="${sans}IP:${service_ip},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.${DNS_DOMAIN},DNS:${MASTER_NAME}"
 
   echo "Generating certs for alternate-names: ${sans}"
@@ -682,7 +684,7 @@ function create-certs {
     tar xzf easy-rsa.tar.gz
     cd easy-rsa-master/easyrsa3
     ./easyrsa init-pki
-    ./easyrsa --batch "--req-cn=${cert_ip}@$(date +%s)" build-ca nopass
+    ./easyrsa --batch "--req-cn=${primary_cn}@$(date +%s)" build-ca nopass
     ./easyrsa --subject-alt-name="${sans}" build-server-full "${MASTER_NAME}" nopass
     ./easyrsa build-client-full kubelet nopass
     ./easyrsa build-client-full kubecfg nopass) &>${cert_create_debug_output} || {