

salt: Do not overwrite private key if they already exists
In our Salt states we generate a number of private keys for certificates. Those private keys are only needed to generate these certificates, and we do not really care about the length of the key, so if the key already exists, do not generate a new one: reuse the existing one even if it does not have the expected key length.
TeddyAndrieux committed Aug 21, 2020
1 parent 6cac5df commit aef9e89
Showing 13 changed files with 77 additions and 26 deletions.
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/apiserver/certs/etcd-client.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/apiserver-etcd-client.key" %}
include:
- metalk8s.internal.m2crypto
Create apiserver etcd client private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/apiserver-etcd-client.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create apiserver etcd client private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate apiserver etcd client certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/apiserver-etcd-client.crt
- public_key: /etc/kubernetes/pki/apiserver-etcd-client.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.apiserver_client_signing_policy }}
- CN: kube-apiserver-etcd-client
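Review bot: The `unless: test -f "{{ private_key_path }}"` guard on `Create apiserver etcd client private key` skips the whole state once the file exists, not only the key generation, so the ownership and permission arguments the state carries (`user: root` and `dir_mode: 755` are visible here; the key's own mode sits in the collapsed lines) stop being enforced on every run after the first. A key copied in by hand with a permissive mode would therefore stay readable indefinitely. If that is not intended, a companion `file.managed` with `replace: False` keeps enforcing the metadata without ever touching the key material, as sketched below with the group and mode copied from the x509 state.

```yaml
Enforce apiserver etcd client private key permissions:
  file.managed:
    - name: {{ private_key_path }}
    - replace: False
    - user: root
    # … same group and mode as "Create apiserver etcd client private key" …
    - require:
      - x509: Create apiserver etcd client private key
```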
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import front_proxy with context %}
{%- set private_key_path = "/etc/kubernetes/pki/front-proxy-client.key" %}
include:
- metalk8s.internal.m2crypto
Create front proxy client private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/front-proxy-client.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create front proxy client private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate front proxy client certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/front-proxy-client.crt
- public_key: /etc/kubernetes/pki/front-proxy-client.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ front_proxy.cert.client_signing_policy }}
- CN: front-proxy-client
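Review bot: `test -f "{{ private_key_path }}"` in the first hunk is true for any regular file, including an empty or truncated one, and in that case `Create front proxy client private key` is skipped while `Generate front proxy client certificate` still tries to read the public key from it and fails with a less obvious error. `- test -s "{{ private_key_path }}"` would at least only skip for a non-empty file. Whether the content is a key the x509 module can parse is still unchecked, so I would say so on the guard: `# An existing file is trusted as-is, whatever it contains; delete it to force regeneration`. The file header for this section is missing from the page, so the path is inferred from the key name.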
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/apiserver/certs/kubelet-client.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import kube_api with context %}
{%- set private_key_path = "/etc/kubernetes/pki/apiserver-kubelet-client.key" %}
include:
- metalk8s.internal.m2crypto
Create kube-apiserver kubelet client private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/apiserver-kubelet-client.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create kube-apiserver kubelet client private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate kube-apiserver kubelet client certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/apiserver-kubelet-client.crt
- public_key: /etc/kubernetes/pki/apiserver-kubelet-client.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ kube_api.cert.client_signing_policy }}
- CN: kube-apiserver-kubelet-client
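Review bot: Nothing in `Create kube-apiserver kubelet client private key` records that, with the new `unless` guard, rotating this key now means deleting the file out of band, and that `bits: 2048` only applies to a freshly created key. Both are deliberate per the commit message, but a reader of the state alone cannot tell. A one-line comment above `- unless:` would cover it: `# Reuse any existing key as-is (even with a different size); remove the file to force a new one`.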
7 changes: 5 additions & 2 deletions salt/metalk8s/kubernetes/apiserver/certs/server.sls
@@ -1,13 +1,14 @@
{%- from "metalk8s/map.jinja" import kube_api with context %}
{%- set kubernetes_service_ip = salt.metalk8s_network.get_kubernetes_service_ip() %}
{%- set private_key_path = "/etc/kubernetes/pki/apiserver.key" %}
include:
- metalk8s.internal.m2crypto
Create kube-apiserver private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/apiserver.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -17,6 +18,8 @@ Create kube-apiserver private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
{% set certSANs = [
grains['fqdn'],
Expand All @@ -33,7 +36,7 @@ Create kube-apiserver private key:
Generate kube-apiserver certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/apiserver.crt
- public_key: /etc/kubernetes/pki/apiserver.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ kube_api.cert.server_signing_policy }}
- CN: kube-apiserver
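Review bot: The new `private_key_path` variable is used for the key and for the certificate's `public_key`, while `- name: /etc/kubernetes/pki/apiserver.crt` in `Generate kube-apiserver certificate` stays hard-coded, so the key/cert pair can drift apart on the next edit. A style nit: set the two together at the top, e.g. `{%- set cert_path = "/etc/kubernetes/pki/apiserver.crt" %}` next to the key path, and use `- name: {{ cert_path }}`. The `certSANs` list between the two hunks is cut off in this section, so I cannot see whether it references either path.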
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/ca/etcd/installed.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/ca.key" %}
include:
- metalk8s.internal.m2crypto
Create etcd CA private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/etcd/ca.key
- name: {{ private_key_path }}
- bits: 4096
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create etcd CA private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate etcd CA certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/ca.crt
- signing_private_key: /etc/kubernetes/pki/etcd/ca.key
- signing_private_key: {{ private_key_path }}
- CN: etcd-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
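Review bot: For a CA signing key the `unless` guard in `Create etcd CA private key` removes the only place key strength was enforced: `bits: 4096` now applies only when no file exists, and a pre-existing weak key would be reused by `Generate etcd CA certificate` (via `signing_private_key`) with no warning. The commit message's "we do not really care about the length" is defensible for leaf keys, less so for the key that signs every etcd certificate. If tolerating operator-supplied CA keys is the intent, I would state it next to the guard, `# Existing CA key is reused regardless of size; no minimum strength is checked here`, and consider a separate check that fails the run below 2048 bits. Note that m2crypto is only installed by a state in this same run (`Install m2crypto` under `require`), so a render-time Jinja check relying on the x509 module may not work on first apply.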
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/ca/front-proxy/installed.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import front_proxy with context %}
{%- set private_key_path = "/etc/kubernetes/pki/front-proxy-ca.key" %}
include:
- metalk8s.internal.m2crypto
Create front proxy CA private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/front-proxy-ca.key
- name: {{ private_key_path }}
- bits: 4096
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create front proxy CA private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate front proxy CA certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/front-proxy-ca.crt
- signing_private_key: /etc/kubernetes/pki/front-proxy-ca.key
- signing_private_key: {{ private_key_path }}
- CN: front-proxy-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
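Review bot: With the guard on `Create front proxy CA private key`, an already-present `front-proxy-ca.key` is accepted whatever its size, yet the state still declares `bits: 4096`, which now reads as a guarantee it no longer gives. For a CA key I would either keep the size enforced or make the relaxation explicit on the `- bits: 4096` line: `# only honoured when the key is created; an existing key is kept as-is`. If the ownership and mode arguments of this state are meant to keep applying to an existing key, that now needs a separate `file.managed` with `replace: False`, since a state skipped by `unless` enforces nothing.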
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/ca/kubernetes/installed.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import ca with context %}
{%- set private_key_path = "/etc/kubernetes/pki/ca.key" %}
include:
- metalk8s.internal.m2crypto
Create CA private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/ca.key
- name: {{ private_key_path }}
- bits: 4096
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create CA private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate CA certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/ca.crt
- signing_private_key: /etc/kubernetes/pki/ca.key
- signing_private_key: {{ private_key_path }}
- CN: kubernetes
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
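Review bot: `ca.key` is the root of trust for the cluster, and after this guard on `Create CA private key` it can be swapped out of band while the `ca.crt` issued from the previous key is still on disk. I could not confirm from this section whether `Generate CA certificate` (via `signing_private_key`) re-issues the certificate when the existing one no longer matches the key or silently leaves the stale `ca.crt`; that is worth checking, because before this commit the key state itself forced the pair to be regenerated together. A comment on the guard stating the expectation would help: `# If ca.key is replaced by hand, remove ca.crt as well so it is re-issued from the new key`.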
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/etcd/certs/healthcheck-client.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/healthcheck-client.key" %}
include:
- metalk8s.internal.m2crypto
Create etcd healthcheck client private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/etcd/healthcheck-client.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create etcd healthcheck client private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate etcd healthcheck client certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/healthcheck-client.crt
- public_key: /etc/kubernetes/pki/etcd/healthcheck-client.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.healthcheck_client_signing_policy }}
- CN: kube-etcd-healthcheck-client
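Review bot: `test -f` on `Create etcd healthcheck client private key` also passes for an empty file and for a symlink resolving to a regular file; in both cases the key state is skipped and any failure surfaces later in `Generate etcd healthcheck client certificate` when it reads `public_key`. `- test -s "{{ private_key_path }}"` narrows the guard to non-empty files at no cost. Unparseable or foreign-format keys are still accepted silently, which matches the commit's intent but deserves a comment on the guard, e.g. `# Existing key is reused without validation; delete it to regenerate`.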
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/etcd/certs/peer.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/peer.key" %}
include:
- metalk8s.internal.m2crypto
Create etcd peer private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/etcd/peer.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create etcd peer private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate etcd peer certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/peer.crt
- public_key: /etc/kubernetes/pki/etcd/peer.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.peer_signing_policy }}
- CN: "{{ grains['fqdn'] }}"
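Review bot: Skipping `Create etcd peer private key` via `unless` also skips its ownership and mode enforcement (only `user: root` and `dir_mode: 755` are visible in this section; the key mode is collapsed), so a peer key left with a loose mode is never tightened on later runs. This is the same trade-off for every key in this commit, but the peer key is what authenticates this member to the other etcd members, so I would cover it with a companion `file.managed` that never rewrites content, as below, with the group and mode taken from the x509 state.

```yaml
Enforce etcd peer private key permissions:
  file.managed:
    - name: {{ private_key_path }}
    - replace: False
    - user: root
    # … same group and mode as "Create etcd peer private key" …
    - require:
      - x509: Create etcd peer private key
```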
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/etcd/certs/server.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/server.key" %}
include:
- metalk8s.internal.m2crypto
Create etcd server private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/etcd/server.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create etcd server private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate etcd server certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/server.crt
- public_key: /etc/kubernetes/pki/etcd/server.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.server_signing_policy }}
- CN: "{{ grains['fqdn'] }}"
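Review bot: The `unless` on `Create etcd server private key` makes the state report as skipped by its condition rather than as unchanged on every run after the first, and nothing in the state explains why, so the next maintainer may "fix" it. A short comment makes the guard self-describing: `# Keep any existing key untouched (its size may differ from bits above); delete it to rotate`. Separately, `test -f` accepts an empty file; `test -s` is the cheaper-to-debug guard since the failure would otherwise appear only in `Generate etcd server certificate`.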
8 changes: 6 additions & 2 deletions salt/metalk8s/kubernetes/sa/installed.sls
@@ -1,9 +1,11 @@
{%- set private_key_path = "/etc/kubernetes/pki/sa.key" %}

include:
- metalk8s.internal.m2crypto

Create SA private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/sa.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -13,11 +15,13 @@ Create SA private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Store SA public key:
file.managed:
- name: /etc/kubernetes/pki/sa.pub
- contents: __slot__:salt:x509.get_public_key("/etc/kubernetes/pki/sa.key")
- contents: __slot__:salt:x509.get_public_key("{{ private_key_path }}")
- user: root
- group: root
- mode: 644
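Review bot: `Store SA public key` now derives `sa.pub` from whatever file already sits at `sa.key`, since the `unless` on `Create SA private key` accepts any regular file, and this is presumably the key used to sign service-account tokens. A zero-byte or non-key file passes `test -f` and only fails inside `x509.get_public_key`, so `- test -s "{{ private_key_path }}"` would at least catch the empty case at the guard. I would also note above the guard that an operator-supplied key is used verbatim: `# An existing sa.key is reused as-is (any size); sa.pub is re-derived from it on every run`.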
8 changes: 6 additions & 2 deletions salt/metalk8s/salt/master/certs/etcd-client.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import etcd with context %}
{%- set private_key_path = "/etc/kubernetes/pki/etcd/salt-master-etcd-client.key" %}
include:
- metalk8s.internal.m2crypto
Create salt master etcd client private key:
x509.private_key_managed:
- name: /etc/kubernetes/pki/etcd/salt-master-etcd-client.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,11 +17,13 @@ Create salt master etcd client private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
Generate salt master etcd client certificate:
x509.certificate_managed:
- name: /etc/kubernetes/pki/etcd/salt-master-etcd-client.crt
- public_key: /etc/kubernetes/pki/etcd/salt-master-etcd-client.key
- public_key: {{ private_key_path }}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.apiserver_client_signing_policy }}
- CN: etcd-salt-master-client
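Review bot: The `private_key_path` introduced here covers the key and the certificate's `public_key`, while `- name: /etc/kubernetes/pki/etcd/salt-master-etcd-client.crt` in `Generate salt master etcd client certificate` remains a literal, so the key/cert pair is no longer defined in one place. A style nit: declare `cert_path` alongside `private_key_path` and use `- name: {{ cert_path }}` for the certificate. Otherwise the guard carries the same trade-off as in the sibling states: once the file exists, `user: root` and the collapsed group/mode arguments are no longer re-applied.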
8 changes: 6 additions & 2 deletions salt/metalk8s/salt/master/certs/salt-api.sls
@@ -1,11 +1,13 @@
{%- from "metalk8s/map.jinja" import kube_api with context %}
{%- set private_key_path = "/etc/salt/pki/api/salt-api.key" %}
include:
- metalk8s.internal.m2crypto
Create Salt API private key:
x509.private_key_managed:
- name: /etc/salt/pki/api/salt-api.key
- name: {{ private_key_path }}
- bits: 2048
- verbose: False
- user: root
Expand All @@ -15,6 +17,8 @@ Create Salt API private key:
- dir_mode: 755
- require:
- metalk8s_package_manager: Install m2crypto
- unless:
- test -f "{{ private_key_path }}"
{% set certSANs = [
grains['fqdn'],
Expand All @@ -29,7 +33,7 @@ Create Salt API private key:
Generate Salt API certificate:
x509.certificate_managed:
- name: /etc/salt/pki/api/salt-api.crt
- public_key: /etc/salt/pki/api/salt-api.key
- public_key: {{ private_key_path }}
{%- if salt.config.get('file_client') != 'local' %}
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
{%- endif %}
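Review bot: `Create Salt API private key` is the one state in this commit whose certificate is issued without a `ca_server` when `file_client` is `local` (the `{%- if salt.config.get('file_client') != 'local' %}` branch, presumably the bootstrap node running in local mode), and the new guard means a stale or hand-placed `salt-api.key` there is reused without `bits`, `user` or the collapsed mode arguments being reapplied. Nothing in the state documents that; a comment above `- unless:` would, e.g. `# Existing key is kept as-is (size and permissions are not re-checked); delete it to rotate`. The `certSANs` list and the tail of the certificate state are outside the visible hunks.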
