diff options
| author | Jason DeTiberus <jdetiber@redhat.com> | 2015-07-10 14:46:43 -0400 |
|---|---|---|
| committer | Jason DeTiberus <jdetiber@redhat.com> | 2015-07-10 14:46:43 -0400 |
| commit | add3fbcce31e9db4ea8c76acb9c8579f20581912 (patch) | |
| tree | b2734a94adc7d6e05c49c348bf83b566960f01da /roles/etcd_ca/templates | |
| parent | 5991073262127e4b85e9b1cf4ad7f62fb2c7c345 (diff) | |
| download | openshift-add3fbcce31e9db4ea8c76acb9c8579f20581912.tar.gz openshift-add3fbcce31e9db4ea8c76acb9c8579f20581912.tar.bz2 openshift-add3fbcce31e9db4ea8c76acb9c8579f20581912.tar.xz openshift-add3fbcce31e9db4ea8c76acb9c8579f20581912.zip | |
Etcd role updates and playbook updates
- fix firewall conflict issues with co-located etcd and openshift hosts
- added os_firewall dependency to etcd role
- updated etcd template to better handle clustered and non-clustered installs
- added etcd_ca role
- generates a self-signed cert to manage etcd certificates, since etcd peer
certificates are required to be client and server certs and the openshift
ca will only generate client or server certs (not one authorized for
both).
- renamed openshift_etcd_certs role to etcd_certificates and updated it to
manage certificates generated from the CA managed by the etcd_ca role
- remove hard coded etcd_port in openshift_facts
- updates for the openshift-etcd common playbook
- removed etcd and openshift-etcd playbooks from the byo playbooks directory
- added a common playbook for setting etcd launch facts
- added an openshift-etcd common service playbook
- removed unused variables
- fixed tests for embedded_{etcd,dns,kube} in openshift_master
- removed old workaround for reloading systemd units
Diffstat (limited to 'roles/etcd_ca/templates')
| -rw-r--r-- | roles/etcd_ca/templates/openssl_append.j2 | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/roles/etcd_ca/templates/openssl_append.j2 b/roles/etcd_ca/templates/openssl_append.j2 new file mode 100644 index 000000000..de2adaead --- /dev/null +++ b/roles/etcd_ca/templates/openssl_append.j2 @@ -0,0 +1,51 @@ + +[ etcd_v3_req ] +basicConstraints = critical,CA:FALSE +keyUsage = digitalSignature,keyEncipherment +subjectAltName = ${ENV::SAN} + +[ etcd_ca ] +dir = {{ etcd_ca_dir }} +crl_dir = $dir/crl +database = $dir/index.txt +new_certs_dir = $dir/certs +certificate = $dir/ca.crt +serial = $dir/serial +private_key = $dir/ca.key +crl_number = $dir/crlnumber +x509_extensions = etcd_v3_ca_client +default_days = 365 +default_md = sha256 +preserve = no +name_opt = ca_default +cert_opt = ca_default +policy = policy_anything +unique_subject = no +copy_extensions = copy + +[ etcd_v3_ca_self ] +authorityKeyIdentifier = keyid,issuer +basicConstraints = critical,CA:TRUE,pathlen:0 +keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign +subjectKeyIdentifier = hash + +[ etcd_v3_ca_peer ] +authorityKeyIdentifier = keyid,issuer:always +basicConstraints = critical,CA:FALSE +extendedKeyUsage = clientAuth,serverAuth +keyUsage = digitalSignature,keyEncipherment +subjectKeyIdentifier = hash + +[ etcd_v3_ca_server ] +authorityKeyIdentifier = keyid,issuer:always +basicConstraints = critical,CA:FALSE +extendedKeyUsage = serverAuth +keyUsage = digitalSignature,keyEncipherment +subjectKeyIdentifier = hash + +[ etcd_v3_ca_client ] +authorityKeyIdentifier = keyid,issuer:always +basicConstraints = critical,CA:FALSE +extendedKeyUsage = clientAuth +keyUsage = digitalSignature,keyEncipherment +subjectKeyIdentifier = hash |