Adding extra_sans option to load balancer to allow custom SAN entries on the certificate

Adding support for restarting nginx on the load balancer
Added better support for knowing when certificates are written. This helps the master restart the apiserver appropriately.

cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py

@@ -469,17 +469,17 @@ def send_data(tls):
     tls.request_server_cert(common_name, sans, certificate_name)
 
 
-@when('config.changed', 'certificates.available')
+@when('config.changed.extra_sans', 'certificates.available')
 def update_certificate(tls):
-    # I using the config.changed flag instead of something more
-    # specific to try and catch ip changes. Being a little
-    # spammy here is ok because the cert layer checks for
-    # changes to the cert before issuing a new one
+    # Using the config.changed.extra_sans flag to catch changes.
+    # IP changes will take ~5 minutes or so to propagate, but
+    # it will update.
     send_data(tls)
 
 
 @when('certificates.server.cert.available',
-      'kubernetes-master.components.started')
+      'kubernetes-master.components.started',
+      'tls_client.server.certificate.written')
 def kick_api_server(tls):
     # need to be idempotent and don't want to kick the api server
     # without need
@@ -487,6 +487,7 @@ def kick_api_server(tls):
         # certificate changed, so restart the api server
         hookenv.log("Certificate information changed, restarting api server")
         set_state('kube-apiserver.do-restart')
+    remove_state('tls_client.server.certificate.written')
 
 
 @when('kubernetes-master.components.started')