From 288bb34fe311041a911bba9d43dfb75176ee43cd Mon Sep 17 00:00:00 2001
From: ArchiFleKs
Date: Mon, 20 Feb 2017 15:57:25 +0100
Subject: [PATCH] Add Kubernetes API Service IP to x509 certificates

By default, API service with service account is accessible from inside the cluster at the address 10.254.0.1. This IP should be added to SANS when generating the certs.
Fixes-bug: #1660811
Change-Id: I214b4296bea55bb0c4015165c56fbd8ca3cebd39
---
 .../common/templates/kubernetes/fragments/make-cert.sh | 4 ++++
 .../drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
index 3dd2c71a5c..21fc87963b 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh
@@ -46,6 +46,10 @@ if [[ -n "${MASTER_HOSTNAME}" ]]; then
 fi
 sans="${sans},IP:127.0.0.1"
+KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
+
+sans="${sans},IP:${KUBE_SERVICE_IP}"
+
 cert_dir=/srv/kubernetes
 cert_conf_dir=${cert_dir}/conf
diff --git a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
index 1c07ce7b8b..9a338ca6de 100644
--- a/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
+++ b/magnum/drivers/k8s_coreos_v1/templates/fragments/make-cert.yaml
@@ -63,6 +63,10 @@ write_files:
 fi
 sans="${sans},IP:127.0.0.1"
+ KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')
+
+ sans="${sans},IP:${KUBE_SERVICE_IP}"
+
 cert_conf_dir=${KUBE_CERTS_PATH}/conf
 mkdir -p ${cert_conf_dir}
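Review bot: `KUBE_SERVICE_IP` is appended to `sans` with no check that the awk output is a usable address, both in make-cert.sh and in the identical added lines of make-cert.yaml. With `PORTAL_NETWORK_CIDR` empty or unset the pipeline prints `...1`, a last octet of 255 gives 256, and `$4 + 1` only lands on the first service address when the CIDR is written as its network base, so a value carrying host bits would presumably put a different IP in the certificate than the one pods connect to. A SAN that does not match makes in-cluster TLS verification fail, which tends to get worked around by disabling verification. I would quote the expansion, `$(echo "${PORTAL_NETWORK_CIDR}" | awk ...)`, and stop before the append with `[[ "${KUBE_SERVICE_IP}" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || exit 1`. Both scripts start and continue outside the hunks, so an earlier check on the variable cannot be ruled out from here.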