add system groups to certificates

2017-02-20 17:11:51 +01:00 · 2017-02-20 17:11:51 +01:00 · 3843742e30
commit 3843742e30
parent 29d32e4125
1 changed files with 7 additions and 2 deletions
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@ -85,8 +85,8 @@ if [ -n "$MASTERS" ]; then
        cn="${host%%.*}"
        # admin key
        openssl genrsa -out admin-${host}-key.pem 2048 > /dev/null 2>&1
-        openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}" > /dev/null 2>&1
+        openssl req -new -key admin-${host}-key.pem -out admin-${host}.csr -subj "/CN=kube-admin-${cn}/O=system:masters" > /dev/null 2>&1
-        openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 3650 > /dev/null 2>&1
+        openssl x509 -req -in admin-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out admin-${host}.pem -days 365 > /dev/null 2>&1
    done
 fi
@ -96,8 +96,13 @@ if [ -n "$HOSTS" ]; then
        cn="${host%%.*}"
        # node key
        openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
 <<<<<<< 24b9734e1ae72abeb39d9cef1b6a374867810c46
        openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}" > /dev/null 2>&1
        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 > /dev/null 2>&1
 =======
        openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}/O=system:node" > /dev/null 2>&1
        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 365 > /dev/null 2>&1
 >>>>>>> add system groups to certificates
    done
 fi