[k8s-fedora-atomic] fix multimaster cluster

Same fix as CoreOS for Fedora which enable multimaster with
TLS and ETCD Load balancer.

Closes-Bug: #1679724
Change-Id: I45b62a20f0a89ebd1494ad61021384fc7a416e8e

magnum/drivers/common/templates/kubernetes/fragments/make-cert.sh

@@ -44,6 +44,11 @@ MASTER_HOSTNAME=${MASTER_HOSTNAME:-}
 if [[ -n "${MASTER_HOSTNAME}" ]]; then
     sans="${sans},DNS:${MASTER_HOSTNAME}"
 fi
+
+if [[ -n "${ETCD_LB_VIP}" ]]; then
+    sans="${sans},IP:${ETCD_LB_VIP}"
+fi
+
 sans="${sans},IP:127.0.0.1"
 
 KUBE_SERVICE_IP=$(echo $PORTAL_NETWORK_CIDR | awk 'BEGIN{FS="[./]"; OFS="."}{print $1,$2,$3,$4 + 1}')

magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.yaml

@@ -45,3 +45,4 @@ write_files:
       INSECURE_REGISTRY_URL="$INSECURE_REGISTRY_URL"
       SYSTEM_PODS_INITIAL_DELAY="$SYSTEM_PODS_INITIAL_DELAY"
       SYSTEM_PODS_TIMEOUT="$SYSTEM_PODS_TIMEOUT"
+      ETCD_LB_VIP="$ETCD_LB_VIP"

magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml

@@ -349,7 +349,7 @@ resources:
     properties:
       fixed_subnet: {get_attr: [network, fixed_subnet]}
       external_network: {get_param: external_network}
-      protocol: HTTP
+      protocol: {get_param: loadbalancing_protocol}
       port: 2379
 
   ######################################################################
@@ -485,6 +485,7 @@ resources:
           trust_id: {get_param: trust_id}
           auth_url: {get_param: auth_url}
           insecure_registry_url: {get_param: insecure_registry_url}
+          etcd_lb_vip: {get_attr: [etcd_lb, address]}
 
   ######################################################################
   #

magnum/drivers/k8s_fedora_atomic_v1/templates/kubemaster.yaml

@@ -221,6 +221,12 @@ parameters:
     type: string
     description: insecure registry url
 
+  etcd_lb_vip:
+    type: string
+    description: >
+      etcd lb vip private used to generate certs on master.
+    default: ""
+
 resources:
 
   master_wait_handle:
@@ -300,6 +306,7 @@ resources:
             "$TRUSTEE_PASSWORD": {get_param: trustee_password}
             "$TRUST_ID": {get_param: trust_id}
             "$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
+            "$ETCD_LB_VIP": {get_param: etcd_lb_vip}
 
   make_cert:
     type: OS::Heat::SoftwareConfig

magnum/drivers/k8s_fedora_ironic_v1/templates/kubecluster.yaml

@@ -334,7 +334,7 @@ resources:
     properties:
       fixed_subnet: {get_param: fixed_subnet}
       external_network: {get_param: external_network}
-      protocol: HTTP
+      protocol: {get_param: loadbalancing_protocol}
       port: 2379
 
   ######################################################################
@@ -473,6 +473,7 @@ resources:
           auth_url: {get_param: auth_url}
           insecure_registry_url: {get_param: insecure_registry_url}
           wc_curl_cli: {get_attr: [master_wait_handle, curl_cli]}
+          etcd_lb_vip: {get_attr: [etcd_lb, address]}
 
   ######################################################################
   #

magnum/drivers/k8s_fedora_ironic_v1/templates/kubemaster.yaml

@@ -221,6 +221,12 @@ parameters:
     description : >
       Wait condition notify command for Master.
 
+  etcd_lb_vip:
+    type: string
+    description: >
+      etcd lb vip private used to generate certs on master.
+    default: ""
+
 resources:
 
   ######################################################################
@@ -288,6 +294,7 @@ resources:
             "$TRUST_ID": {get_param: trust_id}
             "$INSECURE_REGISTRY_URL": {get_param: insecure_registry_url}
             "$ENABLE_CINDER": "False"
+            "$ETCD_LB_VIP": {get_param: etcd_lb_vip}
 
   make_cert:
     type: OS::Heat::SoftwareConfig