Apiserver SAN supplementary addresses broken in 2.8.1 #4013

Closed
headconnect opened this issue Jan 9, 2019 · 6 comments

Comments

@headconnect

Bug Report

Environment:

  • Cloud provider or hardware configuration:
    vmware on-prem
    multi-master setup (two masters)

  • OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"):
    ubuntu 16.04

  • Version of Ansible (ansible --version):
    2.7.5

Kubespray version (commit) (git rev-parse --short HEAD):
tag 2.8.1 - issue with commit 2ac1c75, specifically the change to roles/kubernetes/master/tasks/kubeadm-setup.yml
Issue not present in 2.8.0, was introduced with commit mentioned above.

Network plugin used:
N/A

Copy of your inventory file:
In group vars (example):

supplementary_addresses_in_ssl_keys:
  - 192.168.4.40

Command used to invoke ansible:
(typical)

Output of ansible run:

TASK [kubernetes-apps/cluster_roles : PriorityClass | Create k8s-cluster-critical]
Fails due to certificate issue:
Get https://(ip-of-second-master):6443/api?timeout=32s: x509: certificate is valid for ..... and a list of IP addresses, specifically NOT INCLUDING the ip of the second master.

Manual verification upon reading the certificate SAN: it has the IP of the second master as a DNS Name= field, concatenated with the supplementary_addresses_in_ssl_keys value, thus rendering both useless.

As a side note, it also lists the IP of the first master as three separate and identical IP Address= entries.

Summary
The second (or more abstractly, the last) master IP will be concatenated with (likely the last) supplementary_addresses_in_ssl_keys address during the kubeadm | aggregate all SANs step, rendering supplementary_addresses_in_ssl_keys useless and likely breaking all multi-master provisions which contain supplementary_addresses_in_ssl_keys.

Anything else we need to know:
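A check for the symptoms in this report, added here as an example (not kubespray code): it parses the subjectAltName line as printed by `openssl x509 -noout -text`, reports expected master and supplementary IPs that are missing as IP Address entries, flags DNS entries made only of numeric labels (the glued "master IP + supplementary address" form), and lists duplicate IP entries. The SAN text, the master IPs 192.168.4.10/.11 and the hostnames master-1/master-2 are constructed sample data.

```python
"""Verify an apiserver certificate's SAN list against the expected addresses.

Added example, not kubespray code. Feed it the subjectAltName line from
`openssl x509 -in apiserver.crt -noout -text`.
"""
import ipaddress
from collections import Counter

# Constructed sample mimicking the report: second master (192.168.4.11) and the
# supplementary address (192.168.4.40) glued into one DNS entry, and the first
# master (192.168.4.10) repeated three times.
SAN_TEXT = (
    "DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, "
    "DNS:kubernetes.default.svc.cluster.local, DNS:master-1, DNS:master-2, "
    "DNS:localhost, DNS:192.168.4.11192.168.4.40, "
    "IP Address:10.233.0.1, IP Address:127.0.0.1, IP Address:192.168.4.10, "
    "IP Address:192.168.4.10, IP Address:192.168.4.10"
)


def parse_sans(text):
    """Split openssl's comma-separated SAN output into (kind, value) pairs."""
    entries = []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")
        entries.append((kind, value))
    return entries


def check_sans(text, expected_ips):
    """Return findings: missing expected IPs, suspicious DNS names, duplicate IPs."""
    entries = parse_sans(text)
    # Normalise IP entries so textual variants compare equal.
    ips = [str(ipaddress.ip_address(v)) for k, v in entries if k == "IP Address"]
    dns = [v for k, v in entries if k == "DNS"]
    # A DNS SAN whose labels are all digits is almost certainly an IP address that
    # was rendered as a hostname, e.g. two addresses concatenated without a space.
    suspicious = [d for d in dns if d and all(l.isdigit() for l in d.split("."))]
    missing = [ip for ip in expected_ips if str(ipaddress.ip_address(ip)) not in ips]
    duplicates = sorted(v for v, n in Counter(ips).items() if n > 1)
    return {"missing": missing, "suspicious_dns": suspicious, "duplicates": duplicates}


if __name__ == "__main__":
    # Every master plus every supplementary_addresses_in_ssl_keys entry should appear.
    expected = ["192.168.4.10", "192.168.4.11", "192.168.4.40"]
    for key, val in check_sans(SAN_TEXT, expected).items():
        print(f"{key}: {val}")
```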

@KingJ

KingJ commented Jan 13, 2019

I can reproduce this issue on a completely fresh cluster deployment using the master version of kubespray. This blocks the deployment at the kubeadm | Init other uninitialized masters task as all connectivity results in the certificate verification error in the original issue.

I see the exact same pattern of SAN entries in the certificate, i.e. missing the second master and with many duplicate entries for the first master.

@julienc23
Contributor

Confirmed. Same here.

@gabibbo97
Contributor

Confirmed

@gabibbo97
Contributor

Fixed by changing inside roles/kubernetes/master/tasks/kubeadm-setup.yml

- name: kubeadm | aggregate all SANs
  set_fact:
    apiserver_sans: >-
      kubernetes
      kubernetes.default
      kubernetes.default.svc
      kubernetes.default.svc.{{ dns_domain }}
      {{ kube_apiserver_ip }}
      localhost
      127.0.0.1
      {{ ' '.join(groups['kube-master']) }}
      {%- if loadbalancer_apiserver is defined %}
      {{ apiserver_loadbalancer_domain_name }}
      {% endif %}
      {% for host in groups['kube-master'] -%}
      {%- if hostvars[host]['access_ip'] is defined -%}
      {{ hostvars[host]['access_ip'] }}
      {% endif %}
      {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
      {% endfor %}
      {%- if supplementary_addresses_in_ssl_keys is defined -%}
      {% for addr in supplementary_addresses_in_ssl_keys -%}
      {{ addr }}
      {% endfor %}
      {% endif %}
  tags: facts

@leoncamel

leoncamel commented Feb 17, 2019

Confirmed.

This patch works. 👍

@alexissellier

alexissellier commented Mar 11, 2019

Any chance you merge this patch to the branch release-2.8?
