From 9ed1c7b9209609dbdd6b59cf5cd94cfb3a290d1c Mon Sep 17 00:00:00 2001
From: Alan Bishop
Date: Mon, 13 Jun 2022 06:42:59 -0700
Subject: [PATCH] Restore missing SAN IP in etcd cert
This patch fixes a regression in the etcd cert that is used with tls-everywhere. The etcd service makes cluster connections using its IP address, so with tls-e the etcd cert needs to include its address as a SAN IP. The SAN IP was inadvertently dropped when cert generation was moved from puppet to an ansible role.
Resolves: rhbz#2096230
Change-Id: I28e268c58bf63aaa81a67f48ca492fe97d9a07e9
---
 deployment/etcd/etcd-container-puppet.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
index bc3c2b0b87..5c01f06479 100644
--- a/deployment/etcd/etcd-container-puppet.yaml
+++ b/deployment/etcd/etcd-container-puppet.yaml
@@ -314,6 +314,12 @@ outputs:
 template: "{{cloud_names.cloud_name_NETWORK}}"
 params:
 NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
+ # etcd3 expects to use IP addresses, so add a SAN IP to its cert
+ ip:
+ str_replace:
+ template: "{{NETWORK_ip}}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
 principal:
 str_replace:
 template: "etcd/{{fqdn_$NETWORK}}@{{idm_realm}}"
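Review bot: The comment on the new `ip:` entry says etcd3 "expects to use IP addresses" but not which address is certified or why the SAN is required, which is what a later maintainer needs in order not to drop it again. I would write `# etcd peer and client URLs use this node's IP on the EtcdNetwork, so TLS verification needs that address as an IP SAN`. The template appears to resolve to a single per-node variable named after `ServiceNetMap.EtcdNetwork`, so the SAN covers only that one address; if etcd is also reached over another network or a VIP, those connections would still fail verification. Nothing in the hunk shows whether a certificate already issued without the SAN is re-requested on update, so it is worth confirming that existing nodes actually pick up the fix. The certificate spec mapping starts and ends outside the hunk.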