From 3c5d984f2755583367a2313bd273a0b58683814a Mon Sep 17 00:00:00 2001
From: Danila Balagansky
Date: Tue, 4 Jul 2023 11:06:53 +0300
Subject: [PATCH] Fix generating certificate SANs
With `haproxy_bind_*_lb_vip_address` set, use `*_lb_vip_address` for SAN instead.
Change-Id: I33fc820be583bfaf7f9bee5233f0e0b99805144a
---
 vars/main.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/vars/main.yml b/vars/main.yml
index 4e3b53d..ad10d4d 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -27,12 +27,19 @@ _haproxy_pki_certificates: |
 {% set _pki_certs = [] %}
 {% for vip in haproxy_tls_vip_binds %}
 {% set _vip_interface = vip['interface'] | default('') %}
+ {% set san = 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',' ~ (vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address'] %}
+ {% if vip['address'] == haproxy_bind_internal_lb_vip_address %}
+ {% set san = san ~ (internal_lb_vip_address | ansible.utils.ipaddr) | ternary('', ',DNS:' ~ internal_lb_vip_address) %}
+ {% endif %}
+ {% if vip['address'] == haproxy_bind_external_lb_vip_address %}
+ {% set san = san ~ (external_lb_vip_address | ansible.utils.ipaddr) | ternary('', ',DNS:' ~ external_lb_vip_address) %}
+ {% endif %}
 {% set _ = _pki_certs.append(
 {
 'name': 'haproxy_' ~ ansible_facts['hostname'] ~ '-' ~ (_vip_interface is truthy) | ternary(vip['address'] ~ '-' ~ _vip_interface, vip['address']),
 'provider': 'ownca',
 'cn': ansible_facts['hostname'],
- 'san': 'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['fqdn'] ~ ',' ~ (vip['address'] | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ vip['address'],
+ 'san': san,
 'signed_by': haproxy_pki_intermediate_cert_name,
 }
 ) %}
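Review bot: In the two added `{% if %}` branches the ternary emits `''` whenever `internal_lb_vip_address` or `external_lb_vip_address` is an IP, so a VIP given as an IP that differs from the bind address never reaches the SAN, and clients that verify the certificate against that IP would fail the name check. The opposite case also looks off: when the bind address and the VIP are the same hostname, `DNS:<name>` is already in `san` from the first `set` and gets appended a second time. Guarding on inequality and reusing the IP/DNS selection would cover both, e.g. `{% if vip['address'] == haproxy_bind_internal_lb_vip_address and internal_lb_vip_address != vip['address'] %}` with `{% set san = san ~ ',' ~ (internal_lb_vip_address | ansible.utils.ipaddr) | ternary('IP:', 'DNS:') ~ internal_lb_vip_address %}`, and the same for the external branch. If skipping IP VIPs is deliberate, a `{# ... #}` comment saying why would help. The `{% for %}` loop and the rest of `_haproxy_pki_certificates` continue outside the hunk, and the defaults of the `haproxy_bind_*` variables are not visible here, so the duplicate case is inferred rather than confirmed.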