From f52584a715069fc8575ec4b3107ec799b677c6ae Mon Sep 17 00:00:00 2001
From: rptaylor
Date: Mon, 8 Apr 2019 08:10:35 -0700
Subject: [PATCH] robust handling of API server SANs (#4435)
* robust handling of API server SANs
* use apiserver_loadbalancer_domain_name if it is defined, according to PR 3977
---
 .../kubernetes/master/tasks/kubeadm-setup.yml | 38 ++++++++----------
 .../templates/kubeadm-config.v1alpha1.yaml.j2 | 2 +-
 .../templates/kubeadm-config.v1alpha2.yaml.j2 | 2 +-
 .../templates/kubeadm-config.v1alpha3.yaml.j2 | 2 +-
 .../templates/kubeadm-config.v1beta1.yaml.j2 | 2 +-
 5 files changed, 19 insertions(+), 27 deletions(-)
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index 0e4184568..87124b133 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -45,29 +45,21 @@
 - name: kubeadm | aggregate all SANs
 set_fact:
- apiserver_sans: >-
- kubernetes
- kubernetes.default
- kubernetes.default.svc
- kubernetes.default.svc.{{ dns_domain }}
- {{ kube_apiserver_ip }}
- localhost
- 127.0.0.1
- {{ ' '.join(groups['kube-master']) }}
- {%- if loadbalancer_apiserver is defined %}
- {{ apiserver_loadbalancer_domain_name }}
- {% endif %}
- {% for host in groups['kube-master'] -%}
- {%- if hostvars[host]['access_ip'] is defined %}
- {{ hostvars[host]['access_ip'] }}
- {% endif %}
- {{ hostvars[host]['ip'] | default(fallback_ips[host]) }}
- {%- endfor %}
- {% if supplementary_addresses_in_ssl_keys is defined -%}
- {% for addr in supplementary_addresses_in_ssl_keys %}
- {{ addr }}
- {% endfor %}
- {%- endif %}
+ apiserver_sans: "{{ (sans_base + groups['kube-master'] + sans_lb + sans_supp + sans_access_ip + sans_ip + sans_address) | unique }}"
+ vars:
+ sans_base: - "kubernetes" - "kubernetes.default" - "kubernetes.default.svc" - "kubernetes.default.svc.{{ dns_domain }}" - "{{ kube_apiserver_ip }}" - "localhost" - "127.0.0.1"
+ sans_lb: "{{ [apiserver_loadbalancer_domain_name] if apiserver_loadbalancer_domain_name is defined else [] }}"
+ sans_supp: "{{ supplementary_addresses_in_ssl_keys if supplementary_addresses_in_ssl_keys is defined else [] }}"
+ sans_access_ip: "{{ groups['kube-master'] | map('extract', hostvars, 'access_ip') | list | select('defined') | list }}"
+ sans_ip: "{{ groups['kube-master'] | map('extract', hostvars, 'ip') | list | select('defined') | list }}"
+ sans_address: "{{ groups['kube-master'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | list | select('defined') | list }}"
 tags: facts
 - name: kubeadm | Copy etcd cert dir under k8s cert dir
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
index f6138dd6b..e4dd7cbdc 100644
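Review bot: `sans_ip` drops the `fallback_ips[host]` fallback that the removed block applied to every master's `ip`, so a master with no `ip` set (and no gathered `ansible_default_ipv4`) now contributes no address to the certificate SANs, and clients that reach the API server at that address fail TLS verification. The removed expression was `{{ hostvars[host]['ip'] | default(fallback_ips[host]) }}`; one way to keep it is an extra list `sans_fallback: "{{ groups['kube-master'] | map('extract', fallback_ips) | list | select('defined') | list }}"` appended to the concatenation (the trailing `| unique` already removes duplicates). The `select('defined')` steps presumably rely on `extract` yielding an undefined value rather than raising when `access_ip`, `ip` or `ansible_default_ipv4.address` is missing for a host — worth confirming on the Ansible versions the project supports. A short comment above the task saying that the list is de-duplicated here and that the kubeadm-config templates now iterate it directly would help the next reader.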
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha1.yaml.j2
@@ -193,7 +193,7 @@ apiServerExtraVolumes:
 {% endif %}
 {% endif %}
 apiServerCertSANs:
-{% for san in apiserver_sans.split() | unique %}
+{% for san in apiserver_sans %}
 - {{ san }}
 {% endfor %}
 certificatesDir: {{ kube_cert_dir }}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
index 79fe63dbd..5663e8a7c 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha2.yaml.j2
@@ -211,7 +211,7 @@ schedulerExtraArgs:
 {% endfor %}
 {% endif %}
 apiServerCertSANs:
-{% for san in apiserver_sans.split() | unique %}
+{% for san in apiserver_sans %}
 - {{ san }}
 {% endfor %}
 certificatesDir: {{ kube_cert_dir }}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
index befdaa1af..43ae27e5b 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1alpha3.yaml.j2
@@ -43,7 +43,7 @@ controlPlaneEndpoint: {{ kubeadm_config_api_fqdn }}:{{ loadbalancer_apiserver.po
 controlPlaneEndpoint: {{ ip | default(fallback_ips[inventory_hostname]) }}:{{ kube_apiserver_port }}
 {% endif %}
 apiServerCertSANs:
-{% for san in apiserver_sans.split() | unique %}
+{% for san in apiserver_sans %}
 - {{ san }}
 {% endfor %}
 certificatesDir: {{ kube_cert_dir }}
diff --git a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2 b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
index 2d7daccd6..eec4f32f7 100644
--- a/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.v1beta1.yaml.j2
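Review bot: The item line under the new loop, `- {{ san }}`, still emits each SAN as an unquoted plain scalar, so an operator-supplied entry from `supplementary_addresses_in_ssl_keys` that contains a space, ` #` or a leading YAML indicator would break or retype the kubeadm document; writing it as `- "{{ san }}"` keeps the rendered config valid whatever the list holds. The same loop change is made in the v1alpha2, v1alpha3 and v1beta1 templates and the same quoting applies there. The v1alpha3 hunk's context also shows `controlPlaneEndpoint` built from `ip | default(fallback_ips[inventory_hostname])`, while the new `apiserver_sans` list in kubeadm-setup.yml no longer includes `fallback_ips`, so a master advertised at its fallback address may not be covered by the serving certificate. Each loop sits inside a larger template whose start and end lie outside the hunk.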
@@ -176,7 +176,7 @@ apiServer:
 {% endif %}
 {% endif %}
 certSANs:
-{% for san in apiserver_sans.split() | unique %}
+{% for san in apiserver_sans %}
 - {{ san }}
 {% endfor %}
 timeoutForControlPlane: 5m0s