Ability to define SSL certificates duration and SSL key size (#3482)
* Ability to specify ssl certificate duration and ssl key size - etcd/secrets * Ability to specify ssl certificate duration and ssl key size - helm/contiv + fix contiv missing copy certs generation script
This commit is contained in:
parent
c825f4d180
commit
2ab2f3a0a3
9 changed files with 42 additions and 28 deletions
|
@ -41,8 +41,8 @@
|
|||
- inventory_hostname == groups['etcd'][0]
|
||||
|
||||
- name: Gen_certs | copy certs generation script
|
||||
copy:
|
||||
src: "make-ssl-etcd.sh"
|
||||
template:
|
||||
src: "make-ssl-etcd.sh.j2"
|
||||
dest: "{{ etcd_script_dir }}/make-ssl-etcd.sh"
|
||||
mode: 0700
|
||||
run_once: yes
|
||||
|
|
|
@ -64,8 +64,8 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
|
|||
# Reuse existing CA
|
||||
cp $SSLDIR/{ca.pem,ca-key.pem} .
|
||||
else
|
||||
openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
|
||||
openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=etcd-ca" > /dev/null 2>&1
|
||||
openssl genrsa -out ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
|
||||
openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=etcd-ca" > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
# ETCD member
|
||||
|
@ -73,14 +73,14 @@ if [ -n "$MASTERS" ]; then
|
|||
for host in $MASTERS; do
|
||||
cn="${host%%.*}"
|
||||
# Member key
|
||||
openssl genrsa -out member-${host}-key.pem 2048 > /dev/null 2>&1
|
||||
openssl genrsa -out member-${host}-key.pem {{certificates_key_size}} > /dev/null 2>&1
|
||||
openssl req -new -key member-${host}-key.pem -out member-${host}.csr -subj "/CN=etcd-member-${cn}" -config ${CONFIG} > /dev/null 2>&1
|
||||
openssl x509 -req -in member-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out member-${host}.pem -days 36500 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
|
||||
openssl x509 -req -in member-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out member-${host}.pem -days {{certificates_duration}} -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
|
||||
|
||||
# Admin key
|
||||
openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
|
||||
openssl genrsa -out admin-${host}-key.pem {{certificates_key_size}} > /dev/null 2>&1
|
||||
openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=etcd-admin-${cn}" > /dev/null 2>&1
|
||||
openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 36500 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
|
||||
openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days {{certificates_duration}} -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
|
||||
done
|
||||
fi
|
||||
|
||||
|
@ -88,9 +88,9 @@ fi
|
|||
if [ -n "$HOSTS" ]; then
|
||||
for host in $HOSTS; do
|
||||
cn="${host%%.*}"
|
||||
openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
|
||||
openssl genrsa -out node-${host}-key.pem {{certificates_key_size}} > /dev/null 2>&1
|
||||
openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=etcd-node-${cn}" > /dev/null 2>&1
|
||||
openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 36500 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
|
||||
openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days {{certificates_duration}} -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
|
||||
done
|
||||
fi
|
||||
|
|
@ -18,8 +18,8 @@
|
|||
- name: Gen_helm_tiller_certs | Copy certs generation script
|
||||
run_once: yes
|
||||
delegate_to: "{{groups['kube-master'][0]}}"
|
||||
copy:
|
||||
src: "helm-make-ssl.sh"
|
||||
template:
|
||||
src: "helm-make-ssl.sh.j2"
|
||||
dest: "{{ helm_script_dir }}/helm-make-ssl.sh"
|
||||
mode: 0700
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
|
|||
cp $SSLDIR/{ca.pem,ca-key.pem} .
|
||||
else
|
||||
openssl genrsa -out ca-key.pem 4096 > /dev/null 2>&1
|
||||
openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1
|
||||
openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
gen_key_and_cert() {
|
||||
|
@ -53,7 +53,7 @@ gen_key_and_cert() {
|
|||
local subject=$2
|
||||
openssl genrsa -out ${name}-key.pem 4096 > /dev/null 2>&1
|
||||
openssl req -new -key ${name}-key.pem -sha256 -out ${name}.csr -subj "${subject}" > /dev/null 2>&1
|
||||
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 > /dev/null 2>&1
|
||||
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} > /dev/null 2>&1
|
||||
}
|
||||
|
||||
#Generate cert and key for Tiller if they don't exist
|
|
@ -37,8 +37,8 @@
|
|||
when: gen_certs|default(false)
|
||||
|
||||
- name: Gen_certs | copy certs generation script
|
||||
copy:
|
||||
src: "make-ssl.sh"
|
||||
template:
|
||||
src: "make-ssl.sh.j2"
|
||||
dest: "{{ kube_script_dir }}/make-ssl.sh"
|
||||
mode: 0700
|
||||
run_once: yes
|
||||
|
|
|
@ -68,8 +68,8 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
|
|||
# Reuse existing CA
|
||||
cp $SSLDIR/{ca.pem,ca-key.pem} .
|
||||
else
|
||||
openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
|
||||
openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
|
||||
openssl genrsa -out ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
|
||||
openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
# Front proxy client CA
|
||||
|
@ -77,24 +77,24 @@ if [ -e "$SSLDIR/front-proxy-ca-key.pem" ]; then
|
|||
# Reuse existing front proxy CA
|
||||
cp $SSLDIR/{front-proxy-ca.pem,front-proxy-ca-key.pem} .
|
||||
else
|
||||
openssl genrsa -out front-proxy-ca-key.pem 2048 > /dev/null 2>&1
|
||||
openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days 36500 -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>&1
|
||||
openssl genrsa -out front-proxy-ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
|
||||
openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days {{certificates_duration}} -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
gen_key_and_cert() {
|
||||
local name=$1
|
||||
local subject=$2
|
||||
openssl genrsa -out ${name}-key.pem 2048 > /dev/null 2>&1
|
||||
openssl genrsa -out ${name}-key.pem {{certificates_key_size}} > /dev/null 2>&1
|
||||
openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1
|
||||
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
|
||||
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
|
||||
}
|
||||
|
||||
gen_key_and_cert_front_proxy() {
|
||||
local name=$1
|
||||
local subject=$2
|
||||
openssl genrsa -out ${name}-key.pem 2048 > /dev/null 2>&1
|
||||
openssl genrsa -out ${name}-key.pem {{certificates_key_size}} > /dev/null 2>&1
|
||||
openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1
|
||||
openssl x509 -req -in ${name}.csr -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
|
||||
openssl x509 -req -in ${name}.csr -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
|
||||
}
|
||||
|
||||
# Admins
|
||||
|
@ -107,7 +107,7 @@ if [ -n "$MASTERS" ]; then
|
|||
fi
|
||||
# Generate dedicated service account signing key if one doesn't exist
|
||||
if ! [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
|
||||
openssl genrsa -out service-account-key.pem 2048 > /dev/null 2>&1
|
||||
openssl genrsa -out service-account-key.pem {{certificates_key_size}} > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
# kube-apiserver
|
|
@ -439,3 +439,6 @@ podsecuritypolicy_enabled: false
|
|||
etcd_heartbeat_interval: "250"
|
||||
etcd_election_timeout: "5000"
|
||||
etcd_snapshot_count: "10000"
|
||||
|
||||
certificates_key_size: 2048
|
||||
certificates_duration: 36500
|
||||
|
|
|
@ -86,8 +86,19 @@
|
|||
register: contiv_manifests_results
|
||||
when: inventory_hostname in groups['kube-master']
|
||||
|
||||
- name: Contiv | Copy certs generation script
|
||||
template:
|
||||
src: "generate-certificate.sh.j2"
|
||||
dest: "/var/contiv/generate-certificate.sh"
|
||||
mode: 0700
|
||||
when:
|
||||
- contiv_enable_api_proxy
|
||||
- contiv_generate_certificate
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
run_once: true
|
||||
|
||||
- name: Contiv | Generate contiv-api-proxy certificates
|
||||
script: generate-certificate.sh
|
||||
script: /var/contiv/generate-certificate.sh
|
||||
args:
|
||||
creates: /var/contiv/auth_proxy_key.pem
|
||||
when:
|
||||
|
|
|
@ -16,8 +16,8 @@ mkdir -p "$PREFIX"
|
|||
rm -f $KEY_PATH
|
||||
rm -f $CERT_PATH
|
||||
|
||||
openssl genrsa -out $KEY_PATH 2048 >/dev/null 2>&1
|
||||
openssl req -new -x509 -sha256 -days 36500 \
|
||||
openssl genrsa -out $KEY_PATH {{certificates_key_size}} >/dev/null 2>&1
|
||||
openssl req -new -x509 -sha256 -days {{certificates_duration}} \
|
||||
-key $KEY_PATH \
|
||||
-out $CERT_PATH \
|
||||
-subj "/C=US/ST=CA/L=San Jose/O=CPSG/OU=IT Department/CN=auth-local.cisco.com"
|
Loading…
Reference in a new issue