authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2017-09-21 14:24:43 -0700
committerGitHub <noreply@github.com>2017-09-21 14:24:43 -0700
commitee8252d536c4204b9e0c4a88d0899297caf39423 (patch)
tree9c92bb13a285058e5b20bc76f33cb5d58c91ba9d /roles/etcd/templates
parent505764651b3f8279ffe8881e9b26851d1dd14258 (diff)
parent99745a04223f2ed8111b5eb4b49d2bcfec9e678f (diff)
Merge pull request #5371 from ingvagabund/consolidate-etcd-certs-roles
Automatic merge from submit-queue — consolidate etcd certs roles. This is a starter for consolidating all etcd-like roles into a single `etcd` action-based role. I have intentionally started with the simplest one to demonstrate the steps needed to make it so and to make the review easy enough for everyone.
Diffstat (limited to 'roles/etcd/templates')
-rw-r--r--roles/etcd/templates/openssl_append.j251
1 files changed, 51 insertions, 0 deletions
diff --git a/roles/etcd/templates/openssl_append.j2 b/roles/etcd/templates/openssl_append.j2
new file mode 100644
index 000000000..f28316fc2
--- /dev/null
+++ b/roles/etcd/templates/openssl_append.j2
@@ -0,0 +1,51 @@
+
+[ {{ etcd_req_ext }} ]
+basicConstraints = critical,CA:FALSE
+keyUsage = digitalSignature,keyEncipherment
+subjectAltName = ${ENV::SAN}
+
+[ {{ etcd_ca_name }} ]
+dir = {{ etcd_ca_dir }}
+crl_dir = {{ etcd_ca_crl_dir }}
+database = {{ etcd_ca_db }}
+new_certs_dir = {{ etcd_ca_new_certs_dir }}
+certificate = {{ etcd_ca_cert }}
+serial = {{ etcd_ca_serial }}
+private_key = {{ etcd_ca_key }}
+crl_number = {{ etcd_ca_crl_number }}
+x509_extensions = {{ etcd_ca_exts_client }}
+default_days = {{ etcd_ca_default_days }}
+default_md = sha256
+preserve = no
+name_opt = ca_default
+cert_opt = ca_default
+policy = policy_anything
+unique_subject = no
+copy_extensions = copy
+
+[ {{ etcd_ca_exts_self }} ]
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = critical,CA:TRUE,pathlen:0
+keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
+subjectKeyIdentifier = hash
+
+[ {{ etcd_ca_exts_peer }} ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = clientAuth,serverAuth
+keyUsage = digitalSignature,keyEncipherment
+subjectKeyIdentifier = hash
+
+[ {{ etcd_ca_exts_server }} ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = serverAuth
+keyUsage = digitalSignature,keyEncipherment
+subjectKeyIdentifier = hash
+
+[ {{ etcd_ca_exts_client }} ]
+authorityKeyIdentifier = keyid,issuer:always
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = clientAuth
+keyUsage = digitalSignature,keyEncipherment
+subjectKeyIdentifier = hash
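Review bot: `copy_extensions = copy` on line 51, combined with `policy = policy_anything` and `unique_subject = no`, means any extension a CSR requests that the selected `x509_extensions` section does not already set is merged into the issued certificate, so the only thing preventing a request from broadening its own cert is that every ext section here pins `basicConstraints`, `keyUsage` and (where present) `extendedKeyUsage`; that invariant deserves a comment above the key, e.g. `# copy_extensions=copy merges CSR extensions; keep basicConstraints/keyUsage/extendedKeyUsage set in every ext section so a request cannot override them`. `subjectAltName = ${ENV::SAN}` on line 32 makes `openssl req` fail with a variable-lookup error whenever SAN is not exported by the caller, and the template does not say so; a comment such as `# SAN must be exported in the environment by the task invoking openssl` above it would make the contract visible. `policy_anything` is referenced but not defined in this template, so it presumably comes from the base openssl.cnf this file is appended to; a one-line header stating which file it is appended to would help the next maintainer. The CA section also sets `x509_extensions` to the client section by default, so server and peer certificates depend on the caller passing the right section explicitly — worth noting in the same header.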