salt: add x509 extensions 'subjectKeyIdentifier' and 'authorityKeyIdentifier' to certs

ezekiel-alexrod · ezekiel-alexrod · commit 081d828c5a0e · 2026-03-24T17:12:38.000Z
Closes: MK8s-201
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -60,6 +60,9 @@
 - Implement ability to add certificates to fluent-bit by mounting a fluent-bit-certs secret
   (PR[#4812](https://github.com/scality/metalk8s/pull/4812))
 
+- Add x509 extensions 'subjectKeyIdentifier' and 'authorityKeyIdentifier' to certificates
+  (PR[#4836](https://github.com/scality/metalk8s/pull/4836))
+
 ### Bug Fixes
 
 - Fix a bug where part of the upgrade process would silently be skipped
diff --git a/salt/metalk8s/addons/dex/ca/installed.sls b/salt/metalk8s/addons/dex/ca/installed.sls
@@ -27,6 +27,8 @@ Generate dex CA certificate:
     - CN: dex-ca
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
     - days_valid: {{ dex.ca.cert.days_valid }}
     - user: root
     - group: root
diff --git a/salt/metalk8s/addons/nginx-ingress/ca/installed.sls b/salt/metalk8s/addons/nginx-ingress/ca/installed.sls
@@ -27,6 +27,8 @@ Generate Ingress CA certificate:
     - CN: ingress-ca
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
     - days_valid: {{ nginx_ingress.ca.cert.days_valid }}
     - user: root
     - group: root
diff --git a/salt/metalk8s/backup/certs/ca.sls b/salt/metalk8s/backup/certs/ca.sls
@@ -27,6 +27,8 @@ Generate backup server CA certificate:
     - CN: backup-server-ca
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
     - days_valid: {{ backup_server.ca.cert.days_valid }}
     - user: root
     - group: root
diff --git a/salt/metalk8s/kubernetes/ca/etcd/installed.sls b/salt/metalk8s/kubernetes/ca/etcd/installed.sls
@@ -27,6 +27,8 @@ Generate etcd CA certificate:
     - CN: etcd-ca
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
     - days_valid: {{ etcd.ca.cert.days_valid }}
     - user: root
     - group: root
diff --git a/salt/metalk8s/kubernetes/ca/front-proxy/installed.sls b/salt/metalk8s/kubernetes/ca/front-proxy/installed.sls
@@ -27,6 +27,8 @@ Generate front proxy CA certificate:
     - CN: front-proxy-ca
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
     - days_valid: {{ front_proxy.ca.cert.days_valid }}
     - user: root
     - group: root
diff --git a/salt/metalk8s/kubernetes/ca/kubernetes/installed.sls b/salt/metalk8s/kubernetes/ca/kubernetes/installed.sls
@@ -27,6 +27,8 @@ Generate CA certificate:
     - CN: kubernetes
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
     - days_valid: {{ ca.cert.days_valid }}
     - user: root
     - group: root
