Ability to define SSL certificates duration and SSL key size (#3482)

* Ability to specify ssl certificate duration and ssl key size - etcd/secrets

* Ability to specify ssl certificate duration and ssl key size - helm/contiv + fix contiv missing copy certs generation script
This commit is contained in:
Erwan Miran 2018-10-09 13:43:30 +02:00 committed by k8s-ci-robot
parent c825f4d180
commit 2ab2f3a0a3
9 changed files with 42 additions and 28 deletions

View file

@ -41,8 +41,8 @@
- inventory_hostname == groups['etcd'][0]
- name: Gen_certs | copy certs generation script
copy:
src: "make-ssl-etcd.sh"
template:
src: "make-ssl-etcd.sh.j2"
dest: "{{ etcd_script_dir }}/make-ssl-etcd.sh"
mode: 0700
run_once: yes

View file

@ -64,8 +64,8 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
# Reuse existing CA
cp $SSLDIR/{ca.pem,ca-key.pem} .
else
openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=etcd-ca" > /dev/null 2>&1
openssl genrsa -out ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=etcd-ca" > /dev/null 2>&1
fi
# ETCD member
@ -73,14 +73,14 @@ if [ -n "$MASTERS" ]; then
for host in $MASTERS; do
cn="${host%%.*}"
# Member key
openssl genrsa -out member-${host}-key.pem 2048 > /dev/null 2>&1
openssl genrsa -out member-${host}-key.pem {{certificates_key_size}} > /dev/null 2>&1
openssl req -new -key member-${host}-key.pem -out member-${host}.csr -subj "/CN=etcd-member-${cn}" -config ${CONFIG} > /dev/null 2>&1
openssl x509 -req -in member-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out member-${host}.pem -days 36500 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
openssl x509 -req -in member-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out member-${host}.pem -days {{certificates_duration}} -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
# Admin key
openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
openssl genrsa -out admin-${host}-key.pem {{certificates_key_size}} > /dev/null 2>&1
openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=etcd-admin-${cn}" > /dev/null 2>&1
openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 36500 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days {{certificates_duration}} -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
done
fi
@ -88,9 +88,9 @@ fi
if [ -n "$HOSTS" ]; then
for host in $HOSTS; do
cn="${host%%.*}"
openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
openssl genrsa -out node-${host}-key.pem {{certificates_key_size}} > /dev/null 2>&1
openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=etcd-node-${cn}" > /dev/null 2>&1
openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 36500 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days {{certificates_duration}} -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
done
fi

View file

@ -18,8 +18,8 @@
- name: Gen_helm_tiller_certs | Copy certs generation script
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
copy:
src: "helm-make-ssl.sh"
template:
src: "helm-make-ssl.sh.j2"
dest: "{{ helm_script_dir }}/helm-make-ssl.sh"
mode: 0700

View file

@ -45,7 +45,7 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
cp $SSLDIR/{ca.pem,ca-key.pem} .
else
openssl genrsa -out ca-key.pem 4096 > /dev/null 2>&1
openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1
openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1
fi
gen_key_and_cert() {
@ -53,7 +53,7 @@ gen_key_and_cert() {
local subject=$2
openssl genrsa -out ${name}-key.pem 4096 > /dev/null 2>&1
openssl req -new -key ${name}-key.pem -sha256 -out ${name}.csr -subj "${subject}" > /dev/null 2>&1
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 > /dev/null 2>&1
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} > /dev/null 2>&1
}
#Generate cert and key for Tiller if they don't exist

View file

@ -37,8 +37,8 @@
when: gen_certs|default(false)
- name: Gen_certs | copy certs generation script
copy:
src: "make-ssl.sh"
template:
src: "make-ssl.sh.j2"
dest: "{{ kube_script_dir }}/make-ssl.sh"
mode: 0700
run_once: yes

View file

@ -68,8 +68,8 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
# Reuse existing CA
cp $SSLDIR/{ca.pem,ca-key.pem} .
else
openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
openssl genrsa -out ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
fi
# Front proxy client CA
@ -77,24 +77,24 @@ if [ -e "$SSLDIR/front-proxy-ca-key.pem" ]; then
# Reuse existing front proxy CA
cp $SSLDIR/{front-proxy-ca.pem,front-proxy-ca-key.pem} .
else
openssl genrsa -out front-proxy-ca-key.pem 2048 > /dev/null 2>&1
openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days 36500 -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>&1
openssl genrsa -out front-proxy-ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days {{certificates_duration}} -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>&1
fi
gen_key_and_cert() {
local name=$1
local subject=$2
openssl genrsa -out ${name}-key.pem 2048 > /dev/null 2>&1
openssl genrsa -out ${name}-key.pem {{certificates_key_size}} > /dev/null 2>&1
openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
}
gen_key_and_cert_front_proxy() {
local name=$1
local subject=$2
openssl genrsa -out ${name}-key.pem 2048 > /dev/null 2>&1
openssl genrsa -out ${name}-key.pem {{certificates_key_size}} > /dev/null 2>&1
openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1
openssl x509 -req -in ${name}.csr -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
openssl x509 -req -in ${name}.csr -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
}
# Admins
@ -107,7 +107,7 @@ if [ -n "$MASTERS" ]; then
fi
# Generate dedicated service account signing key if one doesn't exist
if ! [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
openssl genrsa -out service-account-key.pem 2048 > /dev/null 2>&1
openssl genrsa -out service-account-key.pem {{certificates_key_size}} > /dev/null 2>&1
fi
# kube-apiserver

View file

@ -439,3 +439,6 @@ podsecuritypolicy_enabled: false
etcd_heartbeat_interval: "250"
etcd_election_timeout: "5000"
etcd_snapshot_count: "10000"
certificates_key_size: 2048
certificates_duration: 36500

View file

@ -86,8 +86,19 @@
register: contiv_manifests_results
when: inventory_hostname in groups['kube-master']
- name: Contiv | Copy certs generation script
template:
src: "generate-certificate.sh.j2"
dest: "/var/contiv/generate-certificate.sh"
mode: 0700
when:
- contiv_enable_api_proxy
- contiv_generate_certificate
delegate_to: "{{ groups['kube-master'][0] }}"
run_once: true
- name: Contiv | Generate contiv-api-proxy certificates
script: generate-certificate.sh
script: /var/contiv/generate-certificate.sh
args:
creates: /var/contiv/auth_proxy_key.pem
when:

View file

@ -16,8 +16,8 @@ mkdir -p "$PREFIX"
rm -f $KEY_PATH
rm -f $CERT_PATH
openssl genrsa -out $KEY_PATH 2048 >/dev/null 2>&1
openssl req -new -x509 -sha256 -days 36500 \
openssl genrsa -out $KEY_PATH {{certificates_key_size}} >/dev/null 2>&1
openssl req -new -x509 -sha256 -days {{certificates_duration}} \
-key $KEY_PATH \
-out $CERT_PATH \
-subj "/C=US/ST=CA/L=San Jose/O=CPSG/OU=IT Department/CN=auth-local.cisco.com"