diff options
| author | Jason DeTiberus <jdetiber@redhat.com> | 2015-10-16 11:28:42 -0400 |
|---|---|---|
| committer | Jason DeTiberus <jdetiber@redhat.com> | 2015-11-02 21:57:43 -0500 |
| commit | 02a6d993509ac395165c504dba7b92c4f2eb907c (patch) | |
| tree | 0ad5c437407025500cf7aef56386e8005dcda6cd /roles/etcd_ca/templates | |
| parent | fcbb48362afb6e9ed196d7833940877bbc0296ae (diff) | |
| download | openshift-02a6d993509ac395165c504dba7b92c4f2eb907c.tar.gz openshift-02a6d993509ac395165c504dba7b92c4f2eb907c.tar.bz2 openshift-02a6d993509ac395165c504dba7b92c4f2eb907c.tar.xz openshift-02a6d993509ac395165c504dba7b92c4f2eb907c.zip | |
Fix etcd cert generation when etcd_interface is defined
- Refactor certificate generation to properly accept overrides of etcd_interface
per host and set the certificate SANS and peer URLs properly.
- Add sanity checking to user-set values of etcd_interface to provide a better
error message
Diffstat (limited to 'roles/etcd_ca/templates')
| -rw-r--r-- | roles/etcd_ca/templates/openssl_append.j2 | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/roles/etcd_ca/templates/openssl_append.j2 b/roles/etcd_ca/templates/openssl_append.j2 index de2adaead..f28316fc2 100644 --- a/roles/etcd_ca/templates/openssl_append.j2 +++ b/roles/etcd_ca/templates/openssl_append.j2 @@ -1,20 +1,20 @@ -[ etcd_v3_req ] +[ {{ etcd_req_ext }} ] basicConstraints = critical,CA:FALSE keyUsage = digitalSignature,keyEncipherment subjectAltName = ${ENV::SAN} -[ etcd_ca ] +[ {{ etcd_ca_name }} ] dir = {{ etcd_ca_dir }} -crl_dir = $dir/crl -database = $dir/index.txt -new_certs_dir = $dir/certs -certificate = $dir/ca.crt -serial = $dir/serial -private_key = $dir/ca.key -crl_number = $dir/crlnumber -x509_extensions = etcd_v3_ca_client -default_days = 365 +crl_dir = {{ etcd_ca_crl_dir }} +database = {{ etcd_ca_db }} +new_certs_dir = {{ etcd_ca_new_certs_dir }} +certificate = {{ etcd_ca_cert }} +serial = {{ etcd_ca_serial }} +private_key = {{ etcd_ca_key }} +crl_number = {{ etcd_ca_crl_number }} +x509_extensions = {{ etcd_ca_exts_client }} +default_days = {{ etcd_ca_default_days }} default_md = sha256 preserve = no name_opt = ca_default @@ -23,27 +23,27 @@ policy = policy_anything unique_subject = no copy_extensions = copy -[ etcd_v3_ca_self ] +[ {{ etcd_ca_exts_self }} ] authorityKeyIdentifier = keyid,issuer basicConstraints = critical,CA:TRUE,pathlen:0 keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign subjectKeyIdentifier = hash -[ etcd_v3_ca_peer ] +[ {{ etcd_ca_exts_peer }} ] authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:FALSE extendedKeyUsage = clientAuth,serverAuth keyUsage = digitalSignature,keyEncipherment subjectKeyIdentifier = hash -[ etcd_v3_ca_server ] +[ {{ etcd_ca_exts_server }} ] authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:FALSE extendedKeyUsage = serverAuth keyUsage = digitalSignature,keyEncipherment subjectKeyIdentifier = hash -[ etcd_v3_ca_client ] +[ {{ etcd_ca_exts_client }} ] authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:FALSE extendedKeyUsage = clientAuth |