AWS: Configure SSL certificate alternate-names

GCE already does this in its per-provider scripts; this commit does the same for AWS and lets
other providers do the same. I believe kube2sky requires 10.0.0.1 as a SAN.
Justin Santa Barbara
2015-07-03 00:30:04 -04:00
parent 974377b306
commit c676c11189
4 changed files with 23 additions and 2 deletions


@@ -1,3 +1,4 @@
{% set master_extra_sans=grains.get('master_extra_sans', '') %}
{% if grains.cloud is defined %}
{% if grains.cloud == 'gce' %}
{% set cert_ip='_use_gce_external_ip_' %}
@@ -35,7 +36,7 @@ kubernetes-cert:
- unless: test -f /srv/kubernetes/server.cert
- source: salt://generate-cert/{{certgen}}
{% if cert_ip is defined %}
- args: {{cert_ip}}
- args: {{cert_ip}} {{master_extra_sans}}
- require:
- pkg: curl
{% endif %}
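Review bot: Because `kubernetes-cert` is guarded by `unless: test -f /srv/kubernetes/server.cert`, a `master_extra_sans` grain that is added or changed on an already-provisioned master has no effect until server.cert is removed by hand; the new `- args: {{cert_ip}} {{master_extra_sans}}` line only matters on the first run. That is fine for fresh clusters but worth stating next to the grain lookup, e.g. `{# master_extra_sans: comma-separated easyrsa SAN list (IP:a.b.c.d,DNS:name); changing it does not regenerate an existing server.cert #}`. The value is also interpolated unquoted into the command arguments, so a grain containing whitespace would be split into several positional parameters by the generate script; the grain is operator-controlled, so this is a documentation point rather than an injection hole.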


@@ -19,6 +19,7 @@ set -o nounset
set -o pipefail
cert_ip=$1
extra_sans=${2:-}
cert_dir=/srv/kubernetes
cert_group=kube-cert
@@ -40,6 +41,11 @@ if [ "$cert_ip" == "_use_azure_dns_name_" ]; then
use_cn=true
fi
sans="IP:${cert_ip}"
if [[ -n "${extra_sans}" ]]; then
sans="${sans},${extra_sans}"
fi
tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
trap 'rm -rf "${tmpdir}"' EXIT
cd "${tmpdir}"
@@ -67,7 +73,7 @@ if [ $use_cn = "true" ]; then
cp -p pki/issued/$cert_ip.crt "${cert_dir}/server.cert" > /dev/null 2>&1
cp -p pki/private/$cert_ip.key "${cert_dir}/server.key" > /dev/null 2>&1
else
./easyrsa --subject-alt-name=IP:$cert_ip build-server-full kubernetes-master nopass > /dev/null 2>&1
./easyrsa --subject-alt-name="${sans}" build-server-full kubernetes-master nopass > /dev/null 2>&1
cp -p pki/issued/kubernetes-master.crt "${cert_dir}/server.cert" > /dev/null 2>&1
cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&1
fi
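Review bot: The `sans` string assembled from `extra_sans` is handed straight to `easyrsa --subject-alt-name` with stdout and stderr discarded, so a malformed value (a bare `10.0.0.1` without the `IP:` prefix, or a trailing comma) makes the build fail with no diagnostic beyond the script's exit status. A cheap guard right after the concatenation would catch that: `[[ "${sans}" =~ ^(IP|DNS):[^,[:space:]]+(,(IP|DNS):[^,[:space:]]+)*$ ]] || { echo "invalid SAN list: ${sans}" >&2; exit 1; }`. Separately, `${sans}` is only used in the else branch; the `use_cn` path still copies `pki/issued/$cert_ip.crt`, and its build command sits above the hunk, so as far as visible the extra SANs are silently dropped for the Azure DNS-name case. If that is intended, a one-line comment on the `use_cn` branch saying extra SANs are not applied there would save the next reader a surprise.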