AWS: Configure SSL certificate alternate-names

GCE does this in its per-provider scripts; this does the same for AWS and lets
other providers do the same; I believe kube2sky requires 10.0.0.1 as a SAN.

cluster/aws/templates/salt-master.sh

@@ -44,6 +44,12 @@ if [[ -n "${KUBELET_ROOT}" ]]; then
 EOF
 fi
 
+if [[ -n "${MASTER_EXTRA_SANS}" ]]; then
+  cat <<EOF >>/etc/salt/minion.d/grains.conf
+  master_extra_sans: '$(echo "$MASTER_EXTRA_SANS" | sed -e "s/'/''/g")'
+EOF
+fi
+
 # Auto accept all keys from minions that try to join
 mkdir -p /etc/salt/master.d
 cat <<EOF >/etc/salt/master.d/auto-accept.conf

cluster/aws/util.sh

@@ -770,6 +770,13 @@ function kube-up {
   # Get or create master persistent volume
   ensure-master-pd
 
+  # Determine extra certificate names for master
+  octets=($(echo "$SERVICE_CLUSTER_IP_RANGE" | sed -e 's|/.*||' -e 's/\./ /g'))
+  ((octets[3]+=1))
+  service_ip=$(echo "${octets[*]}" | sed 's/ /./g')
+  MASTER_EXTRA_SANS="IP:${service_ip},DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.${DNS_DOMAIN},DNS:${MASTER_NAME}"
+
+
   (
     # We pipe this to the ami as a startup script in the user-data field.  Requires a compatible ami
     echo "#! /bin/bash"
@@ -800,6 +807,7 @@ function kube-up {
     echo "readonly KUBELET_TOKEN='${KUBELET_TOKEN}'"
     echo "readonly KUBE_PROXY_TOKEN='${KUBE_PROXY_TOKEN}'"
     echo "readonly DOCKER_STORAGE='${DOCKER_STORAGE:-}'"
+    echo "readonly MASTER_EXTRA_SANS='${MASTER_EXTRA_SANS:-}'"
     grep -v "^#" "${KUBE_ROOT}/cluster/aws/templates/common.sh"
     grep -v "^#" "${KUBE_ROOT}/cluster/aws/templates/format-disks.sh"
     grep -v "^#" "${KUBE_ROOT}/cluster/aws/templates/setup-master-pd.sh"

cluster/saltbase/salt/generate-cert/init.sls

@@ -1,3 +1,4 @@
+{% set master_extra_sans=grains.get('master_extra_sans', '') %}
 {% if grains.cloud is defined %}
   {% if grains.cloud == 'gce' %}
     {% set cert_ip='_use_gce_external_ip_' %}
@@ -35,7 +36,7 @@ kubernetes-cert:
     - unless: test -f /srv/kubernetes/server.cert
     - source: salt://generate-cert/{{certgen}}
 {% if cert_ip is defined %}
-    - args: {{cert_ip}}
+    - args: {{cert_ip}} {{master_extra_sans}}
     - require:
       - pkg: curl
 {% endif %}

cluster/saltbase/salt/generate-cert/make-ca-cert.sh

@@ -19,6 +19,7 @@ set -o nounset
 set -o pipefail
 
 cert_ip=$1
+extra_sans=${2:-}
 cert_dir=/srv/kubernetes
 cert_group=kube-cert
 
@@ -40,6 +41,11 @@ if [ "$cert_ip" == "_use_azure_dns_name_" ]; then
   use_cn=true
 fi
 
+sans="IP:${cert_ip}"
+if [[ -n "${extra_sans}" ]]; then
+  sans="${sans},${extra_sans}"
+fi
+
 tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
 trap 'rm -rf "${tmpdir}"' EXIT
 cd "${tmpdir}"
@@ -67,7 +73,7 @@ if [ $use_cn = "true" ]; then
     cp -p pki/issued/$cert_ip.crt "${cert_dir}/server.cert" > /dev/null 2>&1
     cp -p pki/private/$cert_ip.key "${cert_dir}/server.key" > /dev/null 2>&1
 else
-    ./easyrsa --subject-alt-name=IP:$cert_ip build-server-full kubernetes-master nopass > /dev/null 2>&1
+    ./easyrsa --subject-alt-name="${sans}" build-server-full kubernetes-master nopass > /dev/null 2>&1
     cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
     cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1
 fi