Create client certificates per server with SAN values

[AblionGE]

Description

Currently, the client certificate that is created by the kubetool is shared between all controller nodes without any SAN (Subject Alternative Name). Checking etcd logs when the "master" etcd controller goes down show the following error:

rejected connection from "10.10.10.104:43816" (error "remote error: tls: bad certificate", ServerName "")

Because of that error, it's not possible anymore to call Kubernetes cluster using kubectl until the etcd node is back.

The fix implemented simply creates one client certificate per K8S controller node with SAN fields with correct values (DNS name and IP). After a few etcd failover tests, the etcd cluster continues to work and kubectl is working, too.

Environment

• Kubernetes version: 1.15.0
• etcd version: 3.4.3
• CentOS Linux release 7.6.1810 (Core)

[codecov-io]

Codecov Report

Merging #382 into master will not change coverage.
The diff coverage is n/a.

@@          Coverage Diff          @@
##           master   #382   +/-   ##
=====================================
  Coverage       0%     0%           
=====================================
  Files           2      2           
  Lines          44     44           
=====================================
  Misses         44     44

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e554f39...36b65ab. Read the comment docs.

[sanfrancrisko]

Validated this change works with kubetool:

ruby kube_tool.rb -o ubuntu -v 1.17.0 -r docker -c cilium -p 1.7.0 -i kube-master:172.17.10.101,kube-replica-master-01:172.17.10.210,kube-replica-master-02:172.17.10.220 -t 127.0.20.20 -a 127.0.10.10 -d true