Add subjectAltName to calico-apiserver certificate (#8907)
* Add AltName to calico-apiserver certificate
* fix support for centos7 openssl
vanyasvl
3 years ago
committed by
GitHub
2 changed files with
8 additions and
1 deletions
roles/network_plugin/calico/files/openssl.conf
roles/network_plugin/calico/templates/make-ssl-calico.sh.j2
|
|
@ -18,3 +18,10 @@ basicConstraints = CA:TRUE |
|
|
|
keyUsage = cRLSign, digitalSignature, keyCertSign |
|
|
|
subjectKeyIdentifier=hash |
|
|
|
authorityKeyIdentifier=keyid:always,issuer |
|
|
|
|
|
|
|
[ ssl_client_apiserver ] |
|
|
|
extendedKeyUsage = clientAuth, serverAuth |
|
|
|
basicConstraints = CA:FALSE |
|
|
|
subjectKeyIdentifier=hash |
|
|
|
authorityKeyIdentifier=keyid,issuer |
|
|
|
subjectAltName = DNS:calico-api.calico-apiserver.svc |
|
|
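Review bot: The new `subjectAltName` line carries a single name, `DNS:calico-api.calico-apiserver.svc`, so a client that verifies hostnames and reaches the service by its fully-qualified in-cluster name (`calico-api.calico-apiserver.svc.<cluster-dns-domain>`) or by the shorter `calico-api.calico-apiserver` form will reject this certificate. Because this file sits under `files/` rather than `templates/`, the cluster DNS domain cannot be interpolated here; if templating it is out of scope, the static aliases can still be added in place, `subjectAltName = DNS:calico-api, DNS:calico-api.calico-apiserver, DNS:calico-api.calico-apiserver.svc`, with the FQDN variant left as a follow-up. A one-line comment above the new `[ ssl_client_apiserver ]` section stating which names the API server is expected to be reached by would also make the intended coverage reviewable.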
@ -87,7 +87,7 @@ elif [ $SERVICE == "apiserver" ]; then |
|
|
|
# calico-apiserver |
|
|
|
openssl genrsa -out apiserver.key {{certificates_key_size}} > /dev/null 2>&1 |
|
|
|
openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=calico-apiserver" -config ${CONFIG} > /dev/null 2>&1 |
|
|
|
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days {{certificates_duration}} -extensions ssl_client -extfile ${CONFIG} > /dev/null 2>&1 |
|
|
|
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days {{certificates_duration}} -extensions ssl_client_apiserver -extfile ${CONFIG} > /dev/null 2>&1 |
|
|
|
else |
|
|
|
echo "ERROR: the openssl configuration file is missing. option -s" |
|
|
|
exit 1 |
|
|
|
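Review bot: The new signing line keeps `> /dev/null 2>&1`, so if the config passed with `-s` (the `${CONFIG}` variable) lacks the `ssl_client_apiserver` section, or an older openssl rejects an option, the `openssl x509 -req` step fails with no diagnostic and the problem only surfaces later as a missing or SAN-less `apiserver.crt`. Whether the script runs under `set -e` is not visible in this hunk, so I would make the failure explicit on this line, `... -extensions ssl_client_apiserver -extfile "${CONFIG}" > /dev/null 2>&1 || { echo "ERROR: signing apiserver certificate failed" >&2; exit 1; }`, which also quotes `${CONFIG}` as the unquoted expansion would split on a path containing spaces. The `elif [ $SERVICE == "apiserver" ]` branch this line belongs to starts outside the hunk.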