Prevent conflict of kdt certs for CFG and KDT nodes
Change-Id: I4b8b9d7d30cd39ae4619b88406b0e891fb8b0d69
Related-prod: #PROD-28243 (PROD:28243)
diff --git a/salt/minion/cert/etcd_server_single.yml b/salt/minion/cert/etcd_server_single.yml
index d333fb8..fb5aa18 100644
--- a/salt/minion/cert/etcd_server_single.yml
+++ b/salt/minion/cert/etcd_server_single.yml
@@ -7,7 +7,7 @@
authority: ${_param:salt_minion_ca_authority}
common_name: ${linux:system:name}
signing_policy: cert_open
- alternative_names: IP:127.0.0.1,IP:${_param:cluster_local_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
+ alternative_names: IP:127.0.0.1,IP:${_param:single_address},DNS:${linux:system:name},DNS:${linux:network:fqdn}
extended_key_usage: serverAuth,clientAuth
key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
key_file: /var/lib/etcd/etcd-server.key
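Review bot: The new SAN on the `alternative_names` line depends on `${_param:single_address}`, which nothing in this patch defines or documents, so a model that includes this class without it will presumably fail interpolation or issue a certificate for the wrong address. The same reference is introduced in every hunk of kdt_k8s_client_single.yml and in kdt_k8s_server_single.yml. A header comment such as `# Requires _param:single_address: the address this node's services are reached on` would make the contract explicit. Because `cluster_local_address` is dropped from the SAN list, any etcd client or peer that still dials that address will fail certificate verification wherever the two values differ; confirm the endpoints are switched in the same rollout so that nobody is tempted to relax verification afterwards.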
diff --git a/salt/minion/cert/kdt_k8s_client_single.yml b/salt/minion/cert/kdt_k8s_client_single.yml
index 4d6cbcc..d84dfcf 100644
--- a/salt/minion/cert/kdt_k8s_client_single.yml
+++ b/salt/minion/cert/kdt_k8s_client_single.yml
@@ -11,7 +11,7 @@
common_name: system:node:${linux:system:name}
organization_name: system:nodes
signing_policy: cert_client
- alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ alternative_names: IP:${_param:single_address},IP:${_param:kdt_k8s_internal_api_address}
kdt_k8s_client_fqdn:
host: ${_param:salt_minion_ca_host}
authority: ${_param:salt_minion_ca_authority}
@@ -21,7 +21,7 @@
common_name: system:node:${linux:system:name}.${_param:cluster_domain}
organization_name: system:nodes
signing_policy: cert_client
- alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ alternative_names: IP:${_param:single_address},IP:${_param:kdt_k8s_internal_api_address}
kdt_k8s_proxy:
host: ${_param:salt_minion_ca_host}
authority: ${_param:salt_minion_ca_authority}
@@ -30,7 +30,7 @@
ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
common_name: system:kube-proxy
signing_policy: cert_client
- alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ alternative_names: IP:${_param:single_address},IP:${_param:kdt_k8s_internal_api_address}
kdt_k8s_scheduler:
host: ${_param:salt_minion_ca_host}
authority: ${_param:salt_minion_ca_authority}
@@ -39,7 +39,7 @@
ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
common_name: system:kube-scheduler
signing_policy: cert_client
- alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ alternative_names: IP:${_param:single_address},IP:${_param:kdt_k8s_internal_api_address}
kdt_k8s_controller_manager:
host: ${_param:salt_minion_ca_host}
authority: ${_param:salt_minion_ca_authority}
@@ -48,7 +48,7 @@
ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
common_name: system:kube-controller-manager
signing_policy: cert_client
- alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ alternative_names: IP:${_param:single_address},IP:${_param:kdt_k8s_internal_api_address}
kdt_k8s_aggregator_proxy:
host: ${_param:salt_minion_ca_host}
authority: ${_param:salt_minion_ca_authority}
@@ -57,4 +57,4 @@
ca_file: /etc/kubernetes/ssl/ca-kubernetes.crt
common_name: system:kube-controller-manager
signing_policy: cert_client
- alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ alternative_names: IP:${_param:single_address},IP:${_param:kdt_k8s_internal_api_address}
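Review bot: The `kdt_k8s_aggregator_proxy` entry (its key sits in the previous hunk) keeps `common_name: system:kube-controller-manager`, identical to the `kdt_k8s_controller_manager` entry above it, which looks like a copy-paste leftover. Kubernetes takes the user name from a client certificate's CN, so if this certificate is issued by the authority the API server trusts for client certificates, as the `authority` line in the previous hunk suggests, it would authenticate with the controller manager's identity and RBAC bindings rather than a dedicated, narrowly scoped one. Since this entry is being edited anyway, consider giving it its own CN and adding a comment such as `# CN must match kube-apiserver --requestheader-allowed-names`. The aggregator configuration is not visible in this diff, so the expected name should be confirmed against it.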
diff --git a/salt/minion/cert/kdt_k8s_server_single.yml b/salt/minion/cert/kdt_k8s_server_single.yml
index f586a14..7b7028a 100644
--- a/salt/minion/cert/kdt_k8s_server_single.yml
+++ b/salt/minion/cert/kdt_k8s_server_single.yml
@@ -2,12 +2,12 @@
salt:
minion:
cert:
- kdt_k8s_server:
+ kdt_k8s_server_single:
host: ${_param:salt_minion_ca_host}
authority: ${_param:salt_minion_ca_authority}
common_name: kubernetes-server
- key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt/kubernetes-server.key
- cert_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt/kubernetes-server.crt
- all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt/kubernetes-server.pem
+ key_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt_single/kubernetes-server.key
+ cert_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt_single/kubernetes-server.crt
+ all_file: /srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt_single/kubernetes-server.pem
signing_policy: cert_server
- alternative_names: IP:${_param:kdt_control_address},IP:${_param:kdt_k8s_internal_api_address}
+ alternative_names: IP:${_param:single_address},IP:${_param:kdt_k8s_internal_api_address}
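Review bot: The `key_file` and `all_file` paths place the API server's private key under `/srv/salt/env/${_param:salt_master_base_environment}/_certs/kdt_single/`, which looks like a Salt fileserver root; if it is, every minion with fileserver access could read `kubernetes-server.key`, not only the node it is meant for. Introducing the new directory is a good moment to confirm that access to `_certs/` is restricted, or to deliver the key through targeted pillar data instead. Renaming the certificate id to `kdt_k8s_server_single` also means a model that overrides `salt:minion:cert:kdt_k8s_server` will no longer merge into this entry, so a comment such as `# id and directory differ from kdt_k8s_server to avoid clashing on CFG nodes` would help the next maintainer.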