*: include 127.0.0.1 and localhost in etcd peer SAN

[hexfusion]

The etcd peer SAN does not include localhost/127.0.0.1 this is a problem if you would like to use this cert as a client from say inside the container.

As the peer is the only cert with TLS Web Client Authentication we really need to include this.

peer

 X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication

X509v3 Subject Alternative Name: 
                DNS:sbatsche-etcd-0.devcluster.openshift.com, DNS:sbatsche.devcluster.openshift.com, IP Address:10.0.15.187

server

X509v3 Extended Key Usage: 
              TLS Web Server Authentication

X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:etcd.kube-system.svc, DNS:etcd.kube-system.svc.cluster.local, DNS:sbatsche-etcd-0.devcluster.openshift.com, IP Address:10.0.15.187, IP Address:127.0.0.1

Separate issue also I am seeing what appears to be a client attempting to use the server cert

2019-01-17T13:10:11.150313341+00:00 stderr F 2019-01-17 13:10:11.150277 I | embed: rejected connection from "127.0.0.1:37686" (error "tls: failed to verify client's certificate: x509: certificate specifies an incompatible key usage", ServerName "")

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hexfusion
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: smarterclayton

If they are not already assigned, you can assign the PR to them by writing /assign @smarterclayton in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hexfusion]

/test unit

[cgwalters]

And yet another PR trips over the need to replicate every config change into the renderer unit tests.

Anyways as far as the code; I'm not an expert in this - found this page in a quick Google search.

Could use more details on this bit:

this is a problem if you would like to use this cert as a client from say inside the container.

And specifically I think we need an argument this is a 4.0 exception.

[ashcrow]

And specifically I think we need an argument this is a 4.0 exception.

Agreed

[openshift-ci-robot]

@hexfusion: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/unit	b928456	link	/test unit
ci/prow/e2e-aws	b928456	link	/test e2e-aws
ci/prow/e2e-aws-op	b928456	link	/test e2e-aws-op

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[abhinavdahiya]

And yet another PR trips over the need to replicate every config change into the renderer unit tests.

go ./pkg/controller/template/... -u

[hexfusion]

And yet another PR trips over the need to replicate every config change into the renderer unit tests.

go ./pkg/controller/template/... -u

Aha I will keep this in mind from now on. running some additional tests to make sure this is needed.

[hexfusion]

I think I jumped the gun on this going to close and review further, thanks for the input.

[cgwalters]

#322 (comment) was confusing me...I thought there was a program to run, but the command is actually:

$ go test ./pkg/controller/template/... -u