Ability to define SSL certificates duration and SSL key size (#3482)

* Ability to specify ssl certificate duration and ssl key size - etcd/secrets

* Ability to specify ssl certificate duration and ssl key size - helm/contiv + fix contiv missing copy certs generation script

roles/kubernetes/secrets/tasks/gen_certs_script.yml

@@ -37,8 +37,8 @@
   when: gen_certs|default(false)
 
 - name: Gen_certs | copy certs generation script
-  copy:
-    src: "make-ssl.sh"
+  template:
+    src: "make-ssl.sh.j2"
     dest: "{{ kube_script_dir }}/make-ssl.sh"
     mode: 0700
   run_once: yes

roles/kubernetes/secrets/templates/make-ssl.sh.j2

@@ -68,8 +68,8 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
     # Reuse existing CA
     cp $SSLDIR/{ca.pem,ca-key.pem} .
 else
-    openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
-    openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
+    openssl genrsa -out ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
+    openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
 fi
 
 # Front proxy client CA
@@ -77,24 +77,24 @@ if [ -e "$SSLDIR/front-proxy-ca-key.pem" ]; then
     # Reuse existing front proxy CA
     cp $SSLDIR/{front-proxy-ca.pem,front-proxy-ca-key.pem} .
 else
-    openssl genrsa -out front-proxy-ca-key.pem 2048 > /dev/null 2>&1
-    openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days 36500 -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>&1
+    openssl genrsa -out front-proxy-ca-key.pem {{certificates_key_size}} > /dev/null 2>&1
+    openssl req -x509 -new -nodes -key front-proxy-ca-key.pem -days {{certificates_duration}} -out front-proxy-ca.pem -subj "/CN=front-proxy-ca" > /dev/null 2>&1
 fi
 
 gen_key_and_cert() {
     local name=$1
     local subject=$2
-    openssl genrsa -out ${name}-key.pem 2048 > /dev/null 2>&1
+    openssl genrsa -out ${name}-key.pem {{certificates_key_size}} > /dev/null 2>&1
     openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1
-    openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
+    openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
 }
 
 gen_key_and_cert_front_proxy() {
     local name=$1
     local subject=$2
-    openssl genrsa -out ${name}-key.pem 2048 > /dev/null 2>&1
+    openssl genrsa -out ${name}-key.pem {{certificates_key_size}} > /dev/null 2>&1
     openssl req -new -key ${name}-key.pem -out ${name}.csr -subj "${subject}" -config ${CONFIG} > /dev/null 2>&1
-    openssl x509 -req -in ${name}.csr -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
+    openssl x509 -req -in ${name}.csr -CA front-proxy-ca.pem -CAkey front-proxy-ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
 }
 
 # Admins
@@ -107,7 +107,7 @@ if [ -n "$MASTERS" ]; then
     fi
     # Generate dedicated service account signing key if one doesn't exist
     if ! [ -e "$SSLDIR/apiserver-key.pem" ] && ! [ -e "$SSLDIR/service-account-key.pem" ]; then
-        openssl genrsa -out service-account-key.pem 2048 > /dev/null 2>&1
+        openssl genrsa -out service-account-key.pem {{certificates_key_size}} > /dev/null 2>&1
     fi
 
     # kube-apiserver