Ability to define SSL certificates duration and SSL key size (#3482)

* Ability to specify ssl certificate duration and ssl key size - etcd/secrets * Ability to specify ssl certificate duration and ssl key size - helm/contiv + fix contiv missing copy certs generation script
2026-03-27 22:05:11 -02:30 · 2018-10-09 13:43:30 +02:00
parent c825f4d180
commit 2ab2f3a0a3
9 changed files with 42 additions and 28 deletions
--- a/roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml
+++ b/roles/kubernetes-apps/helm/tasks/gen_helm_tiller_certs.yml
@@ -18,8 +18,8 @@
 - name: Gen_helm_tiller_certs | Copy certs generation script
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
-  copy:
-    src: "helm-make-ssl.sh"
+  template:
+    src: "helm-make-ssl.sh.j2"
    dest: "{{ helm_script_dir }}/helm-make-ssl.sh"
    mode: 0700

--- a/roles/kubernetes-apps/helm/templates/helm-make-ssl.sh.j2
+++ b/roles/kubernetes-apps/helm/templates/helm-make-ssl.sh.j2
@@ -45,7 +45,7 @@ if [ -e "$SSLDIR/ca-key.pem" ]; then
    cp $SSLDIR/{ca.pem,ca-key.pem} .
 else
    openssl genrsa -out ca-key.pem 4096 > /dev/null 2>&1
-    openssl req -x509 -new -nodes -key ca-key.pem -days 36500 -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1
+    openssl req -x509 -new -nodes -key ca-key.pem -days {{certificates_duration}} -out ca.pem -subj "/CN=tiller-ca" > /dev/null 2>&1
 fi

 gen_key_and_cert() {
@@ -53,7 +53,7 @@ gen_key_and_cert() {
    local subject=$2
    openssl genrsa -out ${name}-key.pem 4096 > /dev/null 2>&1
    openssl req -new -key ${name}-key.pem -sha256 -out ${name}.csr -subj "${subject}" > /dev/null 2>&1
-    openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days 36500 > /dev/null 2>&1
+    openssl x509 -req -in ${name}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${name}.pem -days {{certificates_duration}} > /dev/null 2>&1
 }

 #Generate cert and key for Tiller if they don't exist