From a4f752fb0279269c09213669029158271ec0998b Mon Sep 17 00:00:00 2001
From: vanyasvl
Date: Mon, 6 Jun 2022 17:38:23 +0300
Subject: [PATCH] Add subjectAltName to calico-apiserver certificate (#8907)

* Add AltName to calico-apiserver certificate
* fix support for centos7 openssl
---
 roles/network_plugin/calico/files/openssl.conf | 7 +++++++
 .../network_plugin/calico/templates/make-ssl-calico.sh.j2 | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/roles/network_plugin/calico/files/openssl.conf b/roles/network_plugin/calico/files/openssl.conf
index b1cf7bf8f..f4ba47da7 100644
--- a/roles/network_plugin/calico/files/openssl.conf
+++ b/roles/network_plugin/calico/files/openssl.conf
@@ -18,3 +18,10 @@ basicConstraints = CA:TRUE
 keyUsage = cRLSign, digitalSignature, keyCertSign
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
+
+[ ssl_client_apiserver ]
+extendedKeyUsage = clientAuth, serverAuth
+basicConstraints = CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+subjectAltName = DNS:calico-api.calico-apiserver.svc
diff --git a/roles/network_plugin/calico/templates/make-ssl-calico.sh.j2 b/roles/network_plugin/calico/templates/make-ssl-calico.sh.j2
index 93ff9f7b6..94b2022e7 100644
--- a/roles/network_plugin/calico/templates/make-ssl-calico.sh.j2
+++ b/roles/network_plugin/calico/templates/make-ssl-calico.sh.j2
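Review bot: The new `[ ssl_client_apiserver ]` section sets no `keyUsage`, unlike the CA section just above it, so the leaf certificate is constrained only by `extendedKeyUsage`; for a serving certificate `keyUsage = digitalSignature, keyEncipherment` is the usual companion, and an absent key-usage extension is treated more permissively than an explicit one by most verifiers. The `subjectAltName` lists only `DNS:calico-api.calico-apiserver.svc`, so a client that connects using the fully qualified service name (short name plus the cluster DNS suffix) fails hostname verification, and since this file lives under `files/` rather than `templates/` the suffix cannot be substituted here — consider adding the FQDN form or moving the section into the templated configuration. `extendedKeyUsage = clientAuth, serverAuth` also makes the serving key presentable as a client identity to anything that trusts this CA; if calico-apiserver only serves, `extendedKeyUsage = serverAuth` is the least-privilege choice, though this presumably depends on how the original `ssl_client` section (not shown in the hunk) was used.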
@@ -87,7 +87,7 @@ elif [ $SERVICE == "apiserver" ]; then
 # calico-apiserver
 openssl genrsa -out apiserver.key {{certificates_key_size}} > /dev/null 2>&1
 openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=calico-apiserver" -config ${CONFIG} > /dev/null 2>&1
- openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days {{certificates_duration}} -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1
+ openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days {{certificates_duration}} -extensions ssl_client_apiserver -extfile ${CONFIG} > /dev/null 2>&1
 else
 echo "ERROR: the openssl configuration file is missing. option -s"
 exit 1
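Review bot: The changed `openssl x509` line still discards both stdout and stderr, so if the installed openssl rejects the `ssl_client_apiserver` section or the new `subjectAltName` syntax (the commit message mentions a centos7 compatibility fix) the signing failure is silent unless `set -e` is active, which is outside this hunk. Consider checking the status explicitly and quoting the config path, `openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days {{certificates_duration}} -extensions ssl_client_apiserver -extfile "${CONFIG}" >/dev/null 2>&1 || { echo "ERROR: signing apiserver.crt failed" >&2; exit 1; }`; the two unchanged `openssl` lines above it have the same weakness. The `elif [ $SERVICE == "apiserver" ]` in the hunk header is context rather than new code, but `[ "$SERVICE" = "apiserver" ]` would be both quoted and POSIX-portable. The enclosing `if` chain starts and ends outside the hunk.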