From 73e8af34af6443df6fdfdca2a4c4dcbe702b5976 Mon Sep 17 00:00:00 2001 From: Mike Wilson Date: Wed, 11 Oct 2017 17:20:48 -0400 Subject: [PATCH 1/3] Adding config option to add additional SANs to the master's certificate. Regenerate certificate if data on certificate changes. This includes IP address and SANs. Restart API server after updating certificate. --- .../juju/layers/kubernetes-master/config.yaml | 6 ++++ .../reactive/kubernetes_master.py | 28 ++++++++++++++++++- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/cluster/juju/layers/kubernetes-master/config.yaml b/cluster/juju/layers/kubernetes-master/config.yaml index c328a43751c..73857e05958 100644 --- a/cluster/juju/layers/kubernetes-master/config.yaml +++ b/cluster/juju/layers/kubernetes-master/config.yaml @@ -7,6 +7,12 @@ options: type: string default: cluster.local description: The local domain for cluster dns + extra_sans: + type: string + default: "" + description: | + Space-separated list of extra SAN entries to add to the x509 certificate + created for the master nodes. service-cidr: type: string default: 10.152.183.0/24 diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py index b6430637d47..1b5b83967ab 100644 --- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py +++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py @@ -356,7 +356,7 @@ def start_master(etcd): 'Configuring the Kubernetes master services.') freeze_service_cidr() if not etcd.get_connection_string(): - # etcd is not returning a connection string. This hapens when + # etcd is not returning a connection string. This happens when # the master unit disconnects from etcd and is ready to terminate. # No point in trying to start master services and fail. Just return. return 
@@ -457,12 +457,38 @@ def send_data(tls): 'kubernetes.default.svc', 'kubernetes.default.svc.{0}'.format(domain) ] + + # maybe they have extra names they want as SANs + extra_sans = hookenv.config('extra_sans') + if extra_sans and not extra_sans == "": + sans.extend(extra_sans.split()) + # Create a path safe name by removing path characters from the unit name. certificate_name = hookenv.local_unit().replace('/', '_') # Request a server cert with this information. tls.request_server_cert(common_name, sans, certificate_name) +@when('config.changed', 'certificates.available') +def update_certificate(tls): + # I using the config.changed flag instead of something more + # specific to try and catch ip changes. Being a little + # spammy here is ok because the cert layer checks for + # changes to the cert before issuing a new one + send_data(tls) + + +@when('certificates.server.cert.available', + 'kubernetes-master.components.started') +def kick_api_server(tls): + # need to be idempotent and don't want to kick the api server + # without need + if data_changed('cert', tls.get_server_cert()): + # certificate changed, so restart the api server + hookenv.log("Certificate information changed, restarting api server") + set_state('kube-apiserver.do-restart') + + @when('kubernetes-master.components.started') def configure_cdk_addons(): ''' Configure CDK addons ''' From d0a88264d8fc0ba7869600752c6b0401093b8892 Mon Sep 17 00:00:00 2001 From: Mike Wilson Date: Thu, 19 Oct 2017 19:39:09 -0400 Subject: [PATCH 2/3] Fixing spacing issue --- .../juju/layers/kubernetes-master/reactive/kubernetes_master.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py index 1b5b83967ab..cf98583b72d 100644 --- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py +++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py 
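Review bot: The guard `if extra_sans and not extra_sans == "":` in send_data is redundant (an empty string is already falsy) and the split entries are appended without checking whether they are already present in `sans`, so an operator who repeats `kubernetes.default` or an address that is already listed ends up with a duplicated SAN in the CSR. A tighter form is `if extra_sans:` followed by `for san in extra_sans.split():` / `if san not in sans: sans.append(san)`. Because extra_sans is operator-supplied config, logging the final list with `hookenv.log` just before `tls.request_server_cert(common_name, sans, certificate_name)` would make it easy to audit which names the certificate was issued for. In kick_api_server, if `data_changed` follows the charms.reactive convention of reporting a change the first time a key is seen, the api server will be restarted once on the first run after `kubernetes-master.components.started`; a short comment stating that this first restart is expected would help the next reader. send_data's signature and the start of its body lie outside this hunk.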
@@ -461,7 +461,7 @@ def send_data(tls): # maybe they have extra names they want as SANs extra_sans = hookenv.config('extra_sans') if extra_sans and not extra_sans == "": - sans.extend(extra_sans.split()) + sans.extend(extra_sans.split()) # Create a path safe name by removing path characters from the unit name. certificate_name = hookenv.local_unit().replace('/', '_') From 16036c3fd4936ba4595bc188ea7bb75a8684e1b0 Mon Sep 17 00:00:00 2001 From: Mike Wilson Date: Fri, 20 Oct 2017 10:38:26 -0400 Subject: [PATCH 3/3] Change config.changed to config.changed.extra_sans so we only try to update certificates when the SAN entries change --- .../juju/layers/kubernetes-master/reactive/kubernetes_master.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py index cf98583b72d..223d32b8a0b 100644 --- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py +++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py @@ -469,7 +469,7 @@ def send_data(tls): tls.request_server_cert(common_name, sans, certificate_name) -@when('config.changed', 'certificates.available') +@when('config.changed.extra_sans', 'certificates.available') def update_certificate(tls): # I using the config.changed flag instead of something more # specific to try and catch ip changes. Being a little
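Review bot: The comment directly under the changed decorator still says the handler relies on `config.changed` "to try and catch ip changes", which no longer holds once the trigger is narrowed to `config.changed.extra_sans`; the handler now runs only when that one option changes and is not invoked on an address change at all, so the series description's claim that IP changes regenerate the certificate is not backed by this handler. Replace the three comment lines with something like `# Re-request the server cert whenever the extra_sans option changes; the cert layer compares the request against the existing cert before issuing a new one.`, which also fixes the "I using" wording. If address changes are meant to be covered, that needs its own trigger, which is outside this hunk. The body of update_certificate continues past the end of the hunk.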