support forced custom ips and names in cert

add multiple gw workaround for cert

defaults/main.yaml

@@ -12,6 +12,9 @@ postgresql_ssl: true
 postgresql_ssl_keep_nonssl_endpoint: false
 postgresql_self_signed_cert: true
 postgresql_self_signed_cert_name: "cert"
+postgresql_cacert_force_append_ips: []
+postgresql_cacert_force_append_names: []
+postgresql_cacert_multiple_default_gw_workaround: false
 
 ## WAL-G backup and restore options
 postgresql_wal_g_install: false

tasks/cacert.yaml

@@ -86,16 +86,38 @@
         postgresql_server_subject_alt_ips: "{{ groups[postgresql_play_group] | default([]) | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | map('regex_replace', '^', 'IP:') | list }}"
       when: hostvars[inventory_hostname]['ansible_default_ipv4']['address'] is defined
 
+    - name: Generate PostgreSQL subject_alt_ips from default ipv4 address
+      set_fact:
+        postgresql_server_subject_alt_ips: "{{ groups[postgresql_play_group] | default([]) | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | map('regex_replace', '^', 'IP:') | list }}"
+      when:
+        - hostvars[inventory_hostname]['ansible_default_ipv4']['address'] is defined
+        - not postgresql_cacert_multiple_default_gw_workaround
+
+    - name: Generate PostgreSQL subject_alt_ips from ansible_all_ipv4_addresses
+      set_fact:
+        postgresql_server_subject_alt_ips_all_ipv4: "{{ groups[postgresql_play_group] | default([]) | map('extract', hostvars, ['ansible_all_ipv4_addresses']) | flatten | map('regex_replace', '^', 'IP:') | list }}"
+      when: hostvars[inventory_hostname]['ansible_all_ipv4_addresses'] is defined
+
     - name: Generate PostgreSQL subject_alt_names
       set_fact:
         postgresql_server_subject_alt_names: "{{ groups[postgresql_play_group] | default([]) | map('extract', hostvars, ['inventory_hostname']) | map('regex_replace', '^', 'DNS:') | list }}"
 
+    - name: Generate PostgreSQL subject_alt_ips from postgresql_cacert_force_append_ips
+      set_fact:
+        postgresql_server_subject_alt_ips_force_append: "{{ postgresql_cacert_force_append_ips | map('regex_replace', '^', 'IP:') | list }}"
+      when: postgresql_cacert_force_append_ips is defined
+
+    - name: Generate PostgreSQL subject_alt_names from postgresql_cacert_force_append_names
+      set_fact:
+        postgresql_server_subject_alt_names_force_append: "{{ postgresql_cacert_force_append_names | map('regex_replace', '^', 'DNS:') | list }}"
+      when: postgresql_cacert_force_append_names is defined
+
     - name: Generate an OpenSSL Certificate Signing Request for client
       community.crypto.openssl_csr:
         path: "{{ postgresql_ssl_path }}/{{ postgresql_self_signed_cert_name }}.csr"
         privatekey_path: "{{ postgresql_ssl_path }}/{{ postgresql_self_signed_cert_name }}.key"
         common_name: "{{ postgresql_self_signed_cert_name }}"
-        subject_alt_name: "{{ postgresql_server_subject_alt_ips | default([]) + postgresql_server_subject_alt_names | default([]) + postgresql_agent_subject_alt_ips | default([]) + postgresql_agent_subject_alt_names | default([]) + postgresql_server_subject_alt_ips_from_ansible_host | default([]) + postgresql_agent_subject_alt_ips_from_ansible_host | default([]) }}"
+        subject_alt_name: "{{ postgresql_server_subject_alt_ips | default([]) + postgresql_server_subject_alt_names | default([]) + postgresql_agent_subject_alt_ips | default([]) + postgresql_agent_subject_alt_names | default([]) + postgresql_server_subject_alt_ips_from_ansible_host | default([]) + postgresql_agent_subject_alt_ips_from_ansible_host | default([]) + postgresql_server_subject_alt_ips_all_ipv4 | default([]) + postgresql_server_subject_alt_ips_force_append | default([]) + postgresql_server_subject_alt_names_force_append | default([]) }}"
         owner: postgres
         group: postgres
       register: postgresql_csr