From b8e974fb9ff223b2bfcb27c3f8e9eef398eecfee Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 18 Jun 2023 14:34:42 +0200
Subject: [PATCH] added ip_san for external IP in to be able to define ip addresses in vault (issue with consul pointing to cname when resolving dns)

---
 README.md | 1 +
 defaults/main.yml | 1 +
 molecule/default/tests/test_default.py | 4 ++--
 molecule/with_custom_config/tests/test_default.py | 4 ++--
 templates/vault_cert.pem.tpl.j2 | 2 +-
 templates/vault_key.pem.tpl.j2 | 2 +-
 6 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index ef0133d..7a8aa10 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@ This variable defines where to copy the private keys upon renewal. Default to `/
 renew_vault_certificates_info: # by default, set to:
 issuer_path: pki/issue/your-issuer
 common_name: vault01.example.com
+ ip_addr: "192.168.1.1"
 ttl: 90d
 include_consul_service: false
 ```
diff --git a/defaults/main.yml b/defaults/main.yml
index c81ae35..99374c7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,6 +12,7 @@ renew_vault_certificates_key_dest: /opt/vault/tls/key.pem
 renew_vault_certificates_info:
 issuer_path: pki/issue/your-issuer
 common_name: vault01.example.com
+ ip_addr: "192.168.1.1"
 ttl: 90d
 include_consul_service: false
 renew_vault_certificates_consul_service_name: vault.service.consul
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
index 0e8f5ff..4392887 100644
--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
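Review bot: The new default `ip_addr: "192.168.1.1"` in defaults/main.yml is a real, very common LAN address rather than an obviously fake placeholder like `vault01.example.com`, and since the templates append it unconditionally to `ip_sans`, every deployment that keeps the defaults is issued a certificate that is also valid for an address the host may not own. A role default should not silently widen what the certificate asserts; consider shipping the key empty and having the template add the IP SAN only when a value is set, or at least flag in README that this value must be replaced together with `common_name`. The hunk also turns `ip_addr` into a required key of the `renew_vault_certificates_info` dict, so callers who already override that dict wholesale will lose it on upgrade; the README entry should say it is new and what happens when it is absent. Whether the CA actually honours the extra IP SAN depends on the Vault PKI role's IP-SAN policy, which this change does not touch and which is worth a sentence in the docs.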
@@ -25,8 +25,8 @@ def test_template_files(host):
 assert file.user == "vault"
 assert file.group == "vault"
 assert file.mode == 0o600
- assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n'
- assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n'
+ assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n'
+ assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }}\n{{ .Data.private_key }}\n{{ end }}\n'
 
 def test_vault_certs_service_file(host):
 """Validate vault-certs service file."""
diff --git a/molecule/with_custom_config/tests/test_default.py b/molecule/with_custom_config/tests/test_default.py
index 4fad31e..6460b92 100644
--- a/molecule/with_custom_config/tests/test_default.py
+++ b/molecule/with_custom_config/tests/test_default.py
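Review bot: The updated expectations only confirm that the placeholder `192.168.1.1` from defaults/main.yml survives rendering; nothing in this scenario asserts what the templates produce when `ip_addr` is unset or empty, which is the situation existing users of the role will hit after upgrading. Since the template interpolates the key unconditionally, that case either fails the render or yields `ip_sans=127.0.0.1,`, so a second scenario (or a variant of this one) with `ip_addr` omitted should pin whichever outcome is intended. As a matter of style, the long `with secret …` prefix is now repeated verbatim in both asserts; building it once, e.g. `issue_call = '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1,192.168.1.1" }}\n'`, and asserting `content_string == issue_call + '{{ .Data.certificate }}\n…'` keeps the cert and key expectations from drifting apart. `test_template_files` begins before this hunk.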
@@ -25,8 +25,8 @@ def test_template_files(host):
 assert file.user == "vault"
 assert file.group == "vault"
 assert file.mode == 0o600
- assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n'
- assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n'
+ assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n'
+ assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1,192.168.1.1" }}\n{{ .Data.private_key }}\n{{ end }}\n'
 
 def test_vault_certs_service_file(host):
 """Validate vault-certs service file."""
diff --git a/templates/vault_cert.pem.tpl.j2 b/templates/vault_cert.pem.tpl.j2
index f102c3e..052a58c 100644
--- a/templates/vault_cert.pem.tpl.j2
+++ b/templates/vault_cert.pem.tpl.j2
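Review bot: The custom-config scenario expects the same `192.168.1.1` as the default scenario, which suggests (the scenario's vars are outside this patch, so this is inferred from the expected string alone) that `ip_addr` is not overridden there, so no test shows a user-supplied address actually reaching `ip_sans`. Setting a distinct value in this scenario's converge vars, e.g. `ip_addr: "10.0.0.5"`, and asserting `"ip_sans=127.0.0.1,10.0.0.5"` here would exercise the feature the commit message describes rather than the placeholder. `test_template_files` begins before this hunk.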
@@ -1,4 +1,4 @@
-{% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_vault_certificates_info['include_consul_service'] %},{{ renew_vault_certificates_consul_service_name }},active.{{ renew_vault_certificates_consul_service_name }},standby.{{ renew_vault_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
+{% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_vault_certificates_info['include_consul_service'] %},{{ renew_vault_certificates_consul_service_name }},active.{{ renew_vault_certificates_consul_service_name }},standby.{{ renew_vault_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1,{{ renew_vault_certificates_info['ip_addr']}}"{% raw %} }}{% endraw %}
 {% raw %}{{ .Data.certificate }}{% endraw %}
diff --git a/templates/vault_key.pem.tpl.j2 b/templates/vault_key.pem.tpl.j2
index cbd9c69..38e56b5 100644
--- a/templates/vault_key.pem.tpl.j2
+++ b/templates/vault_key.pem.tpl.j2
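Review bot: `{{ renew_vault_certificates_info['ip_addr']}}` is interpolated unconditionally, so a caller whose `renew_vault_certificates_info` dict lacks the new key fails the render, and an empty value produces `ip_sans=127.0.0.1,`, a trailing-comma list Vault is unlikely to accept; the `alt_names` argument on the same line already shows the guarded pattern, so follow it: `"ip_sans=127.0.0.1{% if renew_vault_certificates_info['ip_addr'] | default('') %},{{ renew_vault_certificates_info['ip_addr'] }}{% endif %}"`. The value also lands inside a double-quoted Go-template string, so anything other than a bare address (a stray `"` or whitespace) silently corrupts the `secret` call; a pre-task assertion that it parses as an IP address would catch misconfiguration before a certificate is issued. Since `ip_sans` is comma-separated, accepting a list joined with `','` would cover multi-homed hosts without changing the single-string case. Minor style: the missing space before `}}` is inconsistent with every other expression on the line. The hunk header reports four lines but only the first two are visible on this page.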
@@ -1,4 +1,4 @@
-{% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_vault_certificates_info['include_consul_service'] %},{{ renew_vault_certificates_consul_service_name }},active.{{ renew_vault_certificates_consul_service_name }},standby.{{ renew_vault_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
+{% raw %}{{ with secret {% endraw %}"{{ renew_vault_certificates_info['issuer_path'] }}" "common_name={{ renew_vault_certificates_info['common_name'] }}" "ttl={{ renew_vault_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_vault_certificates_info['include_consul_service'] %},{{ renew_vault_certificates_consul_service_name }},active.{{ renew_vault_certificates_consul_service_name }},standby.{{ renew_vault_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1,{{ renew_vault_certificates_info['ip_addr']}}"{% raw %} }}{% endraw %}
 {% raw %}{{ .Data.private_key }}{% endraw %}
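Review bot: This `with secret` line is a byte-for-byte copy of the one in vault_cert.pem.tpl.j2, and the role presumably depends on that: the private key written here has to come from the same `pki/issue` call as the certificate, which only holds if the renderer treats the two identical requests as one, so any edit that lands in one template and not the other (including a guard around `ip_addr`) would yield a key that does not match the certificate. Nothing in either file records that constraint; add a Jinja comment at the top of both, `{# keep this secret call identical to vault_cert.pem.tpl.j2: cert and key must come from the same issue request #}`, or better, build the argument string once in an Ansible variable and render it into both templates. The unconditional `renew_vault_certificates_info['ip_addr']` lookup has the same undefined-key and empty-value problems here as in the certificate template and needs the same guard. Only two of the hunk's four lines are visible on this page.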