clustercfg: do not use SAN section if no SAN names

tools/clustercfg.py

@@ -51,9 +51,10 @@ class PKI(object):
             '-CA', self.cacert,
             '-CAkey', self.cakey,
             '-out', crt,
-            '-extensions', 'SAN', '-extfile', conf,
             '-days', str(days),
-        ])
+        ] + ([
+            '-extensions', 'SAN', '-extfile', conf,
+        ] if conf else []))
 
 
 class Subject(object):
@@ -92,10 +93,11 @@ def openssl_config(san):
     with open(os.path.join(local_root, 'cluster/openssl.cnf'), 'rb') as f:
         config = BytesIO(f.read())
 
-    config.seek(0, 2)
-    config.write(b'\n[SAN]\n')
-    for s in san:
-        config.write('subjectAltName=DNS:{}\n'.format(s).encode())
+    if san:
+        config.seek(0, 2)
+        config.write(b'\n[SAN]\n')
+        for s in san:
+            config.write('subjectAltName=DNS:{}\n'.format(s).encode())
 
     f = tempfile.NamedTemporaryFile(delete=False)
     path = f.name
@@ -205,8 +207,9 @@ def shared_cert(pki, c, fqdn, cert_name, subj, san=[], days=365):
         '-out', local_csr,
         '-subj', str(subj),
         '-config', local_config,
+    ] + ([
         '-reqexts', 'SAN',
-    ])
+    ] if san else []))
 
     pki.sign(local_csr, local_cert, local_config, days)
 
@@ -282,7 +285,6 @@ def admincreds(args):
     if not generate_cert:
         return configure_k8s(username, pki.cacert, local_cert, local_key)
 
-    local_config = openssl_config([])
     subj = Subject('system:masters', "Kubernetes Admin Account for {}".format(username), username)
 
     subprocess.check_call([
@@ -290,12 +292,9 @@ def admincreds(args):
         '-key', local_key,
         '-out', local_csr,
         '-subj', str(subj),
-        '-config', local_config,
-        '-reqexts', 'SAN',
     ])
 
-    pki.sign(local_csr, local_cert, local_config, 5)
-    os.remove(local_config)
+    pki.sign(local_csr, local_cert, None, 5)
 
     configure_k8s(username, pki.cacert, local_cert, local_key)