richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7839 Commits
34 Branches
82 Tags
155 MiB
Tree: 99c6a884a9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '99c6a884a9'
${ noResults }
kubespray/roles/etcd/templates/openssl.conf.j2

50 lines
2.2 KiB
Raw Normal View History

Update openssl.conf to count better and work with Jinja 2.9
7 years ago
Add etcd TLS support
8 years ago
Fix etcd certificate to acces address as SAN (#11388)
7 months ago
Update openssl.conf to count better and work with Jinja 2.9
7 years ago
Add etcd TLS support
8 years ago
Update openssl.conf to count better and work with Jinja 2.9
7 years ago
Add etcd TLS support
8 years ago
Fix DNS entries in etcd's openssl.conf by adding a newline. (#2208) DNS entries generated from 'etcd_cert_alt_names' variable in etcd's openssl.conf are not terminated by a newline. This fixes issue #2207.
7 years ago
Update openssl.conf to count better and work with Jinja 2.9
7 years ago
Fix DNS entries in etcd's openssl.conf by adding a newline. (#2208) DNS entries generated from 'etcd_cert_alt_names' variable in etcd's openssl.conf are not terminated by a newline. This fixes issue #2207.
7 years ago
Add etcd TLS support
8 years ago
Update openssl.conf to count better and work with Jinja 2.9
7 years ago
Remove hard dependence on facts for all nodes (#4304) * Remove hard dependence on facts for all nodes * Update main.yaml * Update main.yaml
6 years ago
Add etcd TLS support
8 years ago
Add documentation about having HA for etcd
6 years ago
Update openssl.conf to count better and work with Jinja 2.9
7 years ago
  1. {% set counter = {'dns': 2,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]
  2. req_extensions = v3_req
  3. distinguished_name = req_distinguished_name
  5. [req_distinguished_name]
  7. [ v3_req ]
  8. basicConstraints = CA:FALSE
  9. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  10. subjectAltName = @alt_names
  12. [ ssl_client ]
  13. extendedKeyUsage = clientAuth, serverAuth
  14. basicConstraints = CA:FALSE
  15. subjectKeyIdentifier=hash
  16. authorityKeyIdentifier=keyid,issuer
  17. subjectAltName = @alt_names
  19. [ v3_ca ]
  20. basicConstraints = CA:TRUE
  21. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  22. subjectAltName = @alt_names
  23. authorityKeyIdentifier=keyid:always,issuer
  25. [alt_names]
  26. DNS.1 = localhost
  27. {% for host in groups['etcd'] %}
  28. {% if hostvars[host]['etcd_access_address'] is defined and not (hostvars[host]['etcd_access_address'] | ansible.utils.ipaddr) %}
  29. {# If defined, the address which etcd uses to access its members must be included in the SAN, otherwise etcd will fail with a TLS error upon startup. #}
  30. DNS.{{ counter["dns"] }} = {{ hostvars[host]['etcd_access_address'] }}{{ increment(counter, 'dns') }}
  31. {% endif %}
  32. {# This will always expand to inventory_hostname, which can be a completely arbitrary name, that etcd will not know or care about, hence this line is (probably) redundant. #}
  33. DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}
  34. {% endfor %}
  35. {% if apiserver_loadbalancer_domain_name is defined %}
  36. DNS.{{ counter["dns"] }} = {{ apiserver_loadbalancer_domain_name }}{{ increment(counter, 'dns') }}
  37. {% endif %}
  38. {% for etcd_alt_name in etcd_cert_alt_names %}
  39. DNS.{{ counter["dns"] }} = {{ etcd_alt_name }}{{ increment(counter, 'dns') }}
  40. {% endfor %}
  41. {% for host in groups['etcd'] %}
  42. {% if hostvars[host]['access_ip'] is defined %}
  43. IP.{{ counter["ip"] }} = {{ hostvars[host]['access_ip'] }}{{ increment(counter, 'ip') }}
  44. {% endif %}
  45. IP.{{ counter["ip"] }} = {{ hostvars[host]['ip'] | default(fallback_ips[host]) }}{{ increment(counter, 'ip') }}
  46. {% endfor %}
  47. {% for cert_alt_ip in etcd_cert_alt_ips %}
  48. IP.{{ counter["ip"] }} = {{ cert_alt_ip }}{{ increment(counter, 'ip') }}
  49. {% endfor %}
  50. IP.{{ counter["ip"] }} = 127.0.0.1