c12s-kubespray/roles/etcd/templates/openssl.conf.j2

{% set counter = {'dns': 2,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ ssl_client ]
extendedKeyUsage = clientAuth, serverAuth
basicConstraints = CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = @alt_names

[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
authorityKeyIdentifier=keyid:always,issuer

[alt_names]
DNS.1 = localhost
{% for host in groups['etcd'] %}
DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}
{% endfor %}
{% if apiserver_loadbalancer_domain_name is defined %}
DNS.{{ counter["dns"] }} = {{ apiserver_loadbalancer_domain_name }}{{ increment(counter, 'dns') }}
{% endif %}
{% for etcd_alt_name in etcd_cert_alt_names %}
DNS.{{ counter["dns"] }} = {{ etcd_alt_name }}{{ increment(counter, 'dns') }}
{% endfor %}
{% for host in groups['etcd'] %}
{% if hostvars[host]['access_ip'] is defined  %}
IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter, 'ip') }}
{% endif %}
IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(fallback_ips[host]) }}{{ increment(counter, 'ip') }}
{% endfor %}
{% for cert_alt_ip in etcd_cert_alt_ips %}
IP.{{ counter["ip"] }} = {{ cert_alt_ip }}{{ increment(counter, 'ip') }}
{% endfor %}
IP.{{ counter["ip"] }} = 127.0.0.1
Update openssl.conf to count better and work with Jinja 2.9 2018-03-28 15:42:12 +00:00			`{% set counter = {'dns': 2,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]`
Add etcd TLS support 2016-11-09 10:44:41 +00:00			`req_extensions = v3_req`
			`distinguished_name = req_distinguished_name`

			`[req_distinguished_name]`

			`[ v3_req ]`
			`basicConstraints = CA:FALSE`
			`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
			`subjectAltName = @alt_names`

			`[ ssl_client ]`
			`extendedKeyUsage = clientAuth, serverAuth`
			`basicConstraints = CA:FALSE`
			`subjectKeyIdentifier=hash`
			`authorityKeyIdentifier=keyid,issuer`
			`subjectAltName = @alt_names`

			`[ v3_ca ]`
			`basicConstraints = CA:TRUE`
			`keyUsage = nonRepudiation, digitalSignature, keyEncipherment`
			`subjectAltName = @alt_names`
			`authorityKeyIdentifier=keyid:always,issuer`

			`[alt_names]`
			`DNS.1 = localhost`
			`{% for host in groups['etcd'] %}`
Update openssl.conf to count better and work with Jinja 2.9 2018-03-28 15:42:12 +00:00			`DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}`
Add etcd TLS support 2016-11-09 10:44:41 +00:00			`{% endfor %}`
Update openssl.conf to count better and work with Jinja 2.9 2018-03-28 15:42:12 +00:00			`{% if apiserver_loadbalancer_domain_name is defined %}`
			`DNS.{{ counter["dns"] }} = {{ apiserver_loadbalancer_domain_name }}{{ increment(counter, 'dns') }}`
Add etcd TLS support 2016-11-09 10:44:41 +00:00			`{% endif %}`
Fix DNS entries in etcd's openssl.conf by adding a newline. (#2208) DNS entries generated from 'etcd_cert_alt_names' variable in etcd's openssl.conf are not terminated by a newline. This fixes issue #2207. 2018-01-30 13:26:58 +00:00			`{% for etcd_alt_name in etcd_cert_alt_names %}`
Update openssl.conf to count better and work with Jinja 2.9 2018-03-28 15:42:12 +00:00			`DNS.{{ counter["dns"] }} = {{ etcd_alt_name }}{{ increment(counter, 'dns') }}`
Fix DNS entries in etcd's openssl.conf by adding a newline. (#2208) DNS entries generated from 'etcd_cert_alt_names' variable in etcd's openssl.conf are not terminated by a newline. This fixes issue #2207. 2018-01-30 13:26:58 +00:00			`{% endfor %}`
Add etcd TLS support 2016-11-09 10:44:41 +00:00			`{% for host in groups['etcd'] %}`
Update openssl.conf to count better and work with Jinja 2.9 2018-03-28 15:42:12 +00:00			`{% if hostvars[host]['access_ip'] is defined %}`
			`IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter, 'ip') }}`
			`{% endif %}`
Remove hard dependence on facts for all nodes (#4304) * Remove hard dependence on facts for all nodes * Update main.yaml * Update main.yaml 2019-03-05 11:04:39 +00:00			`IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] \| default(fallback_ips[host]) }}{{ increment(counter, 'ip') }}`
Add etcd TLS support 2016-11-09 10:44:41 +00:00			`{% endfor %}`
Add documentation about having HA for etcd 2018-08-31 12:34:13 +00:00			`{% for cert_alt_ip in etcd_cert_alt_ips %}`
			`IP.{{ counter["ip"] }} = {{ cert_alt_ip }}{{ increment(counter, 'ip') }}`
			`{% endfor %}`
Update openssl.conf to count better and work with Jinja 2.9 2018-03-28 15:42:12 +00:00			`IP.{{ counter["ip"] }} = 127.0.0.1`