Ability to define SSL certificates duration and SSL key size (#3482)

* Ability to specify ssl certificate duration and ssl key size - etcd/secrets

* Ability to specify ssl certificate duration and ssl key size - helm/contiv + fix contiv missing copy certs generation script

roles/etcd/tasks/gen_certs_script.yml

@@ -41,8 +41,8 @@
     - inventory_hostname == groups['etcd'][0]
 
 - name: Gen_certs | copy certs generation script
-  copy:
+  template:
-    src: "make-ssl-etcd.sh"
+    src: "make-ssl-etcd.sh.j2"
     dest: "{{ etcd_script_dir }}/make-ssl-etcd.sh"
     mode: 0700
   run_once: yes

roles/etcd/templates/make-ssl-etcd.sh.j2

@@ -64,8 +64,8 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
     # Reuse existing CA
     cp $SSLDIR/{ca.pem,ca-key.pem} .
 else
-    openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
+    openssl genrsa -out ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
-    openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=etcd-ca" > /dev/null 2>&1
+    openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=etcd-ca" > /dev/null 2>&1
 fi
 
 # ETCD member
@@ -73,14 +73,14 @@ if [ -n "$MASTERS" ]; then
     for host in $MASTERS; do
         cn="${host%%.*}"
         # Member key
-        openssl genrsa -out member-${host}-key.pem 2048 > /dev/null 2>&1
+        openssl genrsa -out member-${host}-key.pem {{certificates_key_size}} > /dev/null 2>&1
         openssl req -new -key member-${host}-key.pem -out member-${host}.csr -subj "/CN=etcd-member-${cn}" -config ${CONFIG} > /dev/null 2>&1
-        openssl x509 -req -in member-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out member-${host}.pem -days 36500 -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
+        openssl x509 -req -in member-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out member-${host}.pem -days {{certificates_duration}} -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
 
         # Admin key
-        openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
+        openssl genrsa -out admin-${host}-key.pem {{certificates_key_size}} > /dev/null 2>&1
         openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=etcd-admin-${cn}" > /dev/null 2>&1
-        openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 36500 -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
+        openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days {{certificates_duration}} -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
     done
 fi
 
@@ -88,9 +88,9 @@ fi
 if [ -n "$HOSTS" ]; then
     for host in $HOSTS; do
         cn="${host%%.*}"
-        openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
+        openssl genrsa -out node-${host}-key.pem {{certificates_key_size}} > /dev/null 2>&1
         openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=etcd-node-${cn}" > /dev/null 2>&1
-        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 36500 -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
+        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days {{certificates_duration}} -extensions ssl_client  -extfile ${CONFIG} > /dev/null 2>&1
     done
 fi
 

roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml

@@ -18,8 +18,8 @@
 - name: Gen_helm_tiller_certs | Copy certs generation script
   run_once: yes
   delegate_to: "{{groups['kube-master'][0]}}"
-  copy:
+  template:
-    src: "helm-make-ssl.sh"
+    src: "helm-make-ssl.sh.j2"
     dest: "{{ helm_script_dir }}/helm-make-ssl.sh"
     mode: 0700
 

roles/kubernetes-apps/helm/templates/helm-make-ssl.sh.j2

@@ -45,7 +45,7 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
     cp $SSLDIR/{ca.pem,ca-key.pem} .
 else
     openssl genrsa -out ca-key.pem 4096 > /dev/null 2>&1
-    openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1
+    openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1
 fi
 
 gen_key_and_cert() {
@@ -53,7 +53,7 @@ gen_key_and_cert() {
     local subject=$2
     openssl genrsa -out ${name}-key.pem 4096 > /dev/null 2>&1
     openssl req -new -key ${name}-key.pem -sha256 -out ${name}.csr -subj "${subject}" > /dev/null 2>&1
-    openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 > /dev/null 2>&1
+    openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} > /dev/null 2>&1
 }
 
 #Generate cert and key for Tiller if they don't exist

roles/kubernetes/secrets/tasks/gen_certs_script.yml

@@ -37,8 +37,8 @@
   when: gen_certs|default(false)
 
 - name: Gen_certs | copy certs generation script
-  copy:
+  template:
-    src: "make-ssl.sh"
+    src: "make-ssl.sh.j2"
     dest: "{{ kube_script_dir }}/make-ssl.sh"
     mode: 0700
   run_once: yes

roles/kubernetes/secrets/templates/make-ssl.sh.j2

@@ -68,8 +68,8 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
     # Reuse existing CA
     cp $SSLDIR/{ca.pem,ca-key.pem} .
 else
-    openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
+    openssl genrsa -out ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
-    openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
+    openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
 fi
 
 # Front proxy client CA
@@ -77,24 +77,24 @@ if [ -e "$SSLDIR/front-proxy-ca-key.pem" ]; then
     # Reuse existing front proxy CA
     cp $SSLDIR/{front-proxy-ca.pem,front-proxy-ca-key.pem} .
 else
-    openssl genrsa -out front-proxy-ca-key.pem 2048 > /dev/null 2>&1
+    openssl genrsa -out front-proxy-ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
-    openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days 36500 -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>&1
+    openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days {{certificates_duration}} -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>&1
 fi
 
 gen_key_and_cert() {
     local name=$1
     local subject=$2
-    openssl genrsa -out ${name}-key.pem 2048 > /dev/null 2>&1
+    openssl genrsa -out ${name}-key.pem {{certificates_key_size}} > /dev/null 2>&1
     openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1
-    openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
+    openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
 }
 
 gen_key_and_cert_front_proxy() {
     local name=$1
     local subject=$2
-    openssl genrsa -out ${name}-key.pem 2048 > /dev/null 2>&1
+    openssl genrsa -out ${name}-key.pem {{certificates_key_size}} > /dev/null 2>&1
     openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1
-    openssl x509 -req -in ${name}.csr -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
+    openssl x509 -req -in ${name}.csr -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
 }
 
 # Admins
@@ -107,7 +107,7 @@ if [ -n "$MASTERS" ]; then
     fi
     # Generate dedicated service account signing key if one doesn't exist
     if ! [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
-        openssl genrsa -out service-account-key.pem 2048 > /dev/null 2>&1
+        openssl genrsa -out service-account-key.pem {{certificates_key_size}} > /dev/null 2>&1
     fi
 
     # kube-apiserver

roles/kubespray-defaults/defaults/main.yaml

@@ -439,3 +439,6 @@ podsecuritypolicy_enabled: false
 etcd_heartbeat_interval: "250"
 etcd_election_timeout: "5000"
 etcd_snapshot_count: "10000"
+
+certificates_key_size: 2048
+certificates_duration: 36500

roles/network_plugin/contiv/tasks/main.yml

@@ -86,8 +86,19 @@
   register: contiv_manifests_results
   when: inventory_hostname in groups['kube-master']
 
+- name: Contiv | Copy certs generation script
+  template:
+    src: "generate-certificate.sh.j2"
+    dest: "/var/contiv/generate-certificate.sh"
+    mode: 0700
+  when:
+    - contiv_enable_api_proxy
+    - contiv_generate_certificate
+  delegate_to: "{{ groups['kube-master'][0] }}"
+  run_once: true
+
 - name: Contiv | Generate contiv-api-proxy certificates
-  script: generate-certificate.sh
+  script: /var/contiv/generate-certificate.sh
   args:
     creates: /var/contiv/auth_proxy_key.pem
   when:

roles/network_plugin/contiv/templates/generate-certificate.sh.j2

@@ -16,8 +16,8 @@ mkdir -p "$PREFIX"
 rm -f $KEY_PATH
 rm -f $CERT_PATH
 
-openssl genrsa -out $KEY_PATH 2048 >/dev/null 2>&1
+openssl genrsa -out $KEY_PATH {{certificates_key_size}} >/dev/null 2>&1
-openssl req -new -x509 -sha256 -days 36500 \
+openssl req -new -x509 -sha256 -days {{certificates_duration}} \
 	-key $KEY_PATH \
 	-out $CERT_PATH \
 	-subj "/C=US/ST=CA/L=San Jose/O=CPSG/OU=IT Department/CN=auth-local.cisco.com"