From 9934a0ace4a2a35463bf9c933eab9ab2b71a139a Mon Sep 17 00:00:00 2001
From: Jeff Mendoza
Date: Tue, 18 Nov 2014 14:10:50 -0800
Subject: [PATCH] Update cert generation for Azure.

---
 cluster/saltbase/salt/generate-cert/init.sls | 3 +++
 .../salt/generate-cert/make-ca-cert.sh | 19 ++++++++++++++++---
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/cluster/saltbase/salt/generate-cert/init.sls b/cluster/saltbase/salt/generate-cert/init.sls
index 604685a5269..cfe53747b1e 100644
--- a/cluster/saltbase/salt/generate-cert/init.sls
+++ b/cluster/saltbase/salt/generate-cert/init.sls
@@ -5,6 +5,9 @@
 {% if grains.cloud == 'aws' %}
 {% set cert_ip='_use_aws_external_ip_' %}
 {% endif %}
+ {% if grains.cloud == 'azure' %}
+ {% set cert_ip='_use_azure_dns_name_' %}
+ {% endif %}
 {% if grains.cloud == 'vagrant' %}
 {% set cert_ip=grains.ip_interfaces.eth1[0] %}
 {% endif %}
diff --git a/cluster/saltbase/salt/generate-cert/make-ca-cert.sh b/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
index eb6fa3d7161..84ee7859a8a 100755
--- a/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
+++ b/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
@@ -24,6 +24,8 @@ cert_group=kube-cert
 
 mkdir -p "$cert_dir"
 
+use_cn=false
+
 # TODO: Add support for discovery on other providers?
 if [ "$cert_ip" == "_use_gce_external_ip_" ]; then
 cert_ip=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
@@ -33,6 +35,11 @@ if [ "$cert_ip" == "_use_aws_external_ip_" ]; then
 cert_ip=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
 fi
 
+if [ "$cert_ip" == "_use_azure_dns_name_" ]; then
+ cert_ip=$(hostname -f | awk -F. '{ print $2 }').cloudapp.net
+ use_cn=true
+fi
+
 tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
 trap 'rm -rf "${tmpdir}"' EXIT
 cd "${tmpdir}"
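Review bot: The Azure branch builds the certificate identity from `hostname -f | awk -F. '{ print $2 }'` without checking that a second label exists, so on a host whose FQDN has fewer labels `cert_ip` silently becomes `.cloudapp.net` and the later `build-server-full $cert_ip` issues the server certificate for that bogus name, with nothing here aborting and the easyrsa output discarded. Capture the label separately and fail loudly when it is empty: `azure_svc=$(hostname -f | awk -F. '{ print $2 }')`, `[ -n "$azure_svc" ] || { echo "cannot derive Azure DNS name from $(hostname -f)" >&2; exit 1; }`, `cert_ip="${azure_svc}.cloudapp.net"`. Unlike the GCE and AWS branches this does not consult the metadata service, so the naming assumption deserves a comment such as `# Azure classic: the FQDN's second label is the cloud service name; its public name is <service>.cloudapp.net` — confirm that layout holds on the target images. Minor style point: `cert_ip` now holds a DNS name, so a name like `cert_host` would read better, though renaming touches the other providers.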
@@ -55,10 +62,16 @@ tar xzf easy-rsa.tar.gz > /dev/null 2>&1
 cd easy-rsa-master/easyrsa3
 ./easyrsa init-pki > /dev/null 2>&1
 ./easyrsa --batch build-ca nopass > /dev/null 2>&1
-./easyrsa --subject-alt-name=IP:$cert_ip build-server-full kubernetes-master nopass > /dev/null 2>&1
+if [ $use_cn = "true" ]; then
+ ./easyrsa build-server-full $cert_ip nopass > /dev/null 2>&1
+ cp -p pki/issued/$cert_ip.crt "${cert_dir}/server.cert" > /dev/null 2>&1
+ cp -p pki/private/$cert_ip.key "${cert_dir}/server.key" > /dev/null 2>&1
+else
+ ./easyrsa --subject-alt-name=IP:$cert_ip build-server-full kubernetes-master nopass > /dev/null 2>&1
+ cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
+ cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1
+fi
 ./easyrsa build-client-full kubecfg nopass > /dev/null 2>&1
-cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
-cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1
 cp -p pki/ca.crt "${cert_dir}/ca.crt"
 cp -p pki/issued/kubecfg.crt "${cert_dir}/kubecfg.crt"
 cp -p pki/private/kubecfg.key "${cert_dir}/kubecfg.key"
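Review bot: The Azure branch (`./easyrsa build-server-full $cert_ip nopass`) places the DNS name only in the certificate's CN and sets no subjectAltName, whereas the existing branch carries the identity in a SAN; CN-only hostname matching is deprecated (RFC 6125) and stricter clients that ignore the CN will reject the certificate. Keep the CN and add the SAN as well, `./easyrsa --subject-alt-name="DNS:$cert_ip" build-server-full "$cert_ip" nopass > /dev/null 2>&1` — easy-rsa appears to hand this flag straight to OpenSSL, where `DNS:` is the standard form, but confirm with the bundled version. The new test should quote its operand, `if [ "$use_cn" = "true" ]; then`, and `$cert_ip` in the `cp` paths should be quoted too now that it is an externally derived name used as a path component. As in the existing branch, every easyrsa and cp error is discarded with `> /dev/null 2>&1`, so a failed issuance leaves `server.cert` missing with no diagnostic; at least the two Azure copy lines deserve an `|| exit 1`.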