Merge branch 'w/2.1/bugfix/do-not-overwrite-private-key' into tmp/oct…
…opus/w/2.2/bugfix/do-not-overwrite-private-key
bert-e committed Aug 21, 2020
2 parents b111f0b + dbfd224 commit 0a2f6a5
Showing 13 changed files with 77 additions and 26 deletions.
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/apiserver/certs/etcd-client.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/apiserver-etcd-client.key" %}
include:
- metalk8s.internal.m2crypto
Create apiserver etcd client private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/apiserver-etcd-client.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create apiserver etcd client private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate apiserver etcd client certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/apiserver-etcd-client.crt
- public_key: /etc/kubernetes/pki/apiserver-etcd-client.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.apiserver_client_signing_policy }}
- CN: kube-apiserver-etcd-client
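Review bot: The new `- unless: test -f "{{ private_key_path }}"` skips the entire `Create apiserver etcd client private key` state whenever any file exists at that path, so a zero-length or truncated key left behind by an interrupted run is never regenerated, and the state's `bits`, `user` and the ownership/mode arguments that follow outside this hunk are no longer enforced on a pre-existing key. A cheap hardening is `- test -s "{{ private_key_path }}"` so an empty file does not block generation, and ownership/mode can stay enforced by moving those arguments into a separate `file.managed` state on the same path with `- replace: False` (which leaves the key material untouched but still corrects permissions). Since skipping on existence is intentional, a comment above `- unless:` would help the next maintainer: `# Never regenerate an existing key; delete the file to force a rotation`. The identical guard is added in every other file of this commit (salt/metalk8s/kubernetes/apiserver/certs/{kubelet-client,server}.sls, the section directly after this one whose file header is missing from the page, salt/metalk8s/kubernetes/ca/{etcd,front-proxy,kubernetes}/installed.sls, salt/metalk8s/kubernetes/etcd/certs/{healthcheck-client,peer,server}.sls, salt/metalk8s/kubernetes/sa/installed.sls, salt/metalk8s/salt/master/certs/{etcd-client,salt-api}.sls), so the same applies there. The private key state's remaining arguments and the certificate state continue past this hunk.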
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import front_proxy with context %}
{%- set private_key_path = "/etc/kubernetes/pki/front-proxy-client.key" %}
include:
- metalk8s.internal.m2crypto
Create front proxy client private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/front-proxy-client.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create front proxy client private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate front proxy client certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/front-proxy-client.crt
- public_key: /etc/kubernetes/pki/front-proxy-client.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ front_proxy.cert.client_signing_policy }}
- CN: front-proxy-client
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/apiserver/certs/kubelet-client.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import kube_api with context %}
{%- set private_key_path = "/etc/kubernetes/pki/apiserver-kubelet-client.key" %}
include:
- metalk8s.internal.m2crypto
Create kube-apiserver kubelet client private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/apiserver-kubelet-client.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create kube-apiserver kubelet client private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate kube-apiserver kubelet client certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/apiserver-kubelet-client.crt
- public_key: /etc/kubernetes/pki/apiserver-kubelet-client.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ kube_api.cert.client_signing_policy }}
- CN: kube-apiserver-kubelet-client
7 changes: 5 additions & 2 deletions salt/metalk8s/kubernetes/apiserver/certs/server.sls
@@ -1,13 +1,14 @@
{%- from "metalk8s/map.jinja" import kube_api with context %}
{%- set kubernetes_service_ip = salt.metalk8s_network.get_kubernetes_service_ip() %}
{%- set private_key_path = "/etc/kubernetes/pki/apiserver.key" %}
include:
- metalk8s.internal.m2crypto
Create kube-apiserver private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/apiserver.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -17,6 +18,8 @@ Create kube-apiserver private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
{% set certSANs = [
grains['fqdn'],
Expand All @@ -33,7 +36,7 @@ Create kube-apiserver private key:
Generate kube-apiserver certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/apiserver.crt
- public_key: /etc/kubernetes/pki/apiserver.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ kube_api.cert.server_signing_policy }}
- CN: kube-apiserver
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/ca/etcd/installed.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/ca.key" %}
include:
- metalk8s.internal.m2crypto
Create etcd CA private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/etcd/ca.key
- name: {{ private_key_path }}
- bits: 4096
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create etcd CA private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate etcd CA certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/ca.crt
- signing_private_key: /etc/kubernetes/pki/etcd/ca.key
- signing_private_key: {{ private_key_path }}
- CN: etcd-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/ca/front-proxy/installed.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import front_proxy with context %}
{%- set private_key_path = "/etc/kubernetes/pki/front-proxy-ca.key" %}
include:
- metalk8s.internal.m2crypto
Create front proxy CA private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/front-proxy-ca.key
- name: {{ private_key_path }}
- bits: 4096
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create front proxy CA private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate front proxy CA certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/front-proxy-ca.crt
- signing_private_key: /etc/kubernetes/pki/front-proxy-ca.key
- signing_private_key: {{ private_key_path }}
- CN: front-proxy-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/ca/kubernetes/installed.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import ca with context %}
{%- set private_key_path = "/etc/kubernetes/pki/ca.key" %}
include:
- metalk8s.internal.m2crypto
Create CA private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/ca.key
- name: {{ private_key_path }}
- bits: 4096
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create CA private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate CA certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/ca.crt
- signing_private_key: /etc/kubernetes/pki/ca.key
- signing_private_key: {{ private_key_path }}
- CN: kubernetes
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/etcd/certs/healthcheck-client.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/healthcheck-client.key" %}
include:
- metalk8s.internal.m2crypto
Create etcd healthcheck client private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/etcd/healthcheck-client.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create etcd healthcheck client private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate etcd healthcheck client certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/healthcheck-client.crt
- public_key: /etc/kubernetes/pki/etcd/healthcheck-client.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.healthcheck_client_signing_policy }}
- CN: kube-etcd-healthcheck-client
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/etcd/certs/peer.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/peer.key" %}
include:
- metalk8s.internal.m2crypto
Create etcd peer private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/etcd/peer.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create etcd peer private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate etcd peer certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/peer.crt
- public_key: /etc/kubernetes/pki/etcd/peer.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.peer_signing_policy }}
- CN: "{{ grains['fqdn'] }}"
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/etcd/certs/server.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/server.key" %}
include:
- metalk8s.internal.m2crypto
Create etcd server private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/etcd/server.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create etcd server private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate etcd server certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/server.crt
- public_key: /etc/kubernetes/pki/etcd/server.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.server_signing_policy }}
- CN: "{{ grains['fqdn'] }}"
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/sa/installed.sls
@@ -1,9 +1,11 @@
{%- set private_key_path = "/etc/kubernetes/pki/sa.key" %}

include:
- metalk8s.internal.m2crypto

Create SA private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/sa.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -13,11 +15,13 @@ Create SA private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Store SA public key:
file.managed:
- name: /etc/kubernetes/pki/sa.pub
- contents: __slot__:salt:x509.get_public_key("/etc/kubernetes/pki/sa.key")
- contents: __slot__:salt:x509.get_public_key("{{ private_key_path }}")
- user: root
- group: root
- mode: 644
8 changes: 6 additions & 2 deletions salt/metalk8s/salt/master/certs/etcd-client.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/salt-master-etcd-client.key" %}
include:
- metalk8s.internal.m2crypto
Create salt master etcd client private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/etcd/salt-master-etcd-client.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create salt master etcd client private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate salt master etcd client certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/salt-master-etcd-client.crt
- public_key: /etc/kubernetes/pki/etcd/salt-master-etcd-client.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.apiserver_client_signing_policy }}
- CN: etcd-salt-master-client
8 changes: 6 additions & 2 deletions salt/metalk8s/salt/master/certs/salt-api.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import kube_api with context %}
{%- set private_key_path = "/etc/salt/pki/api/salt-api.key" %}
include:
- metalk8s.internal.m2crypto
Create Salt API private key:
x509.private_key_managed:
- name: /etc/salt/pki/api/salt-api.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,6 +17,8 @@ Create Salt API private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
{% set certSANs = [
grains['fqdn'],
Expand All @@ -29,7 +33,7 @@ Create Salt API private key:
Generate Salt API certificate:
x509.certificate_managed:
- name: /etc/salt/pki/api/salt-api.crt
- public_key: /etc/salt/pki/api/salt-api.key
- public_key: {{ private_key_path }}
{%- if salt.config.get('file_client') != 'local' %}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
{%- endif %}
