salt: add x509 extensions to CA and leaf certificates (RFC 5280)

Add `subjectKeyIdentifier` (SKI) to all 6 CA certificates and
`authorityKeyIdentifier` (AKI) to all leaf certificates via the
8 x509 signing policies, per RFC 5280:

- SKI on CA certs: MUST (Section 4.2.1.2)
- AKI on leaf certs: MUST (Section 4.2.1.1)
- AKI on self-signed CAs: MAY be omitted (Section 4.2.1.1)

The AKI keyid in leaf certs references the SKI of the issuing CA,
establishing the chain of trust identifier required by the RFC.

On upgrade, Salt detects the missing extensions and re-issues the
certificates while preserving the existing private keys.

Closes: MK8S-201

Author: ezekiel-alexrod

CHANGELOG.md

@@ -60,6 +60,10 @@
 - Implement ability to add certificates to fluent-bit by mounting a fluent-bit-certs secret
   (PR[#4812](https://github.com/scality/metalk8s/pull/4812))
 
+- Add x509 `subjectKeyIdentifier` extension to CA certificates and
+  `authorityKeyIdentifier` extension to leaf certificates per RFC 5280
+  (PR[#4836](https://github.com/scality/metalk8s/pull/4836))
+
 ### Bug Fixes
 
 - Fix a bug where part of the upgrade process would silently be skipped

pillar/metalk8s/roles/ca.sls

@@ -34,45 +34,53 @@ x509_signing_policies:
     - signing_cert: /etc/kubernetes/pki/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: clientAuth
+    - authorityKeyIdentifier: keyid
   kube_apiserver_server_policy:
     - minions: '*'
     - signing_private_key: /etc/kubernetes/pki/ca.key
     - signing_cert: /etc/kubernetes/pki/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: serverAuth
+    - authorityKeyIdentifier: keyid
   etcd_client_policy:
     - minions: '*'
     - signing_private_key: /etc/kubernetes/pki/etcd/ca.key
     - signing_cert: /etc/kubernetes/pki/etcd/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: clientAuth
+    - authorityKeyIdentifier: keyid
   etcd_server_client_policy:
     - minions: '*'
     - signing_private_key: /etc/kubernetes/pki/etcd/ca.key
     - signing_cert: /etc/kubernetes/pki/etcd/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: serverAuth, clientAuth
+    - authorityKeyIdentifier: keyid
   front_proxy_client_policy:
     - minions: '*'
     - signing_private_key: /etc/kubernetes/pki/front-proxy-ca.key
     - signing_cert: /etc/kubernetes/pki/front-proxy-ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: clientAuth
+    - authorityKeyIdentifier: keyid
   ingress_server_policy:
     - minions: '*'
     - signing_private_key: /etc/metalk8s/pki/nginx-ingress/ca.key
     - signing_cert: /etc/metalk8s/pki/nginx-ingress/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: serverAuth
+    - authorityKeyIdentifier: keyid
   dex_server_policy:
     - minions: '*'
     - signing_private_key: /etc/metalk8s/pki/dex/ca.key
     - signing_cert: /etc/metalk8s/pki/dex/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: serverAuth
+    - authorityKeyIdentifier: keyid
   backup_server_policy:
     - minions: '*'
     - signing_private_key: /etc/metalk8s/pki/backup-server/ca.key
     - signing_cert: /etc/metalk8s/pki/backup-server/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: serverAuth
+    - authorityKeyIdentifier: keyid

salt/metalk8s/addons/dex/ca/installed.sls

@@ -27,6 +27,7 @@ Generate dex CA certificate:
     - CN: dex-ca
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
     - days_valid: {{ dex.ca.cert.days_valid }}
     - user: root
     - group: root

salt/metalk8s/addons/nginx-ingress/ca/installed.sls

@@ -27,6 +27,7 @@ Generate Ingress CA certificate:
     - CN: ingress-ca
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
     - days_valid: {{ nginx_ingress.ca.cert.days_valid }}
     - user: root
     - group: root

salt/metalk8s/backup/certs/ca.sls

@@ -27,6 +27,7 @@ Generate backup server CA certificate:
     - CN: backup-server-ca
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
     - days_valid: {{ backup_server.ca.cert.days_valid }}
     - user: root
     - group: root

salt/metalk8s/kubernetes/ca/etcd/installed.sls

@@ -27,6 +27,7 @@ Generate etcd CA certificate:
     - CN: etcd-ca
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
     - days_valid: {{ etcd.ca.cert.days_valid }}
     - user: root
     - group: root

salt/metalk8s/kubernetes/ca/front-proxy/installed.sls

@@ -27,6 +27,7 @@ Generate front proxy CA certificate:
     - CN: front-proxy-ca
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
     - days_valid: {{ front_proxy.ca.cert.days_valid }}
     - user: root
     - group: root

salt/metalk8s/kubernetes/ca/kubernetes/installed.sls

@@ -27,6 +27,7 @@ Generate CA certificate:
     - CN: kubernetes
     - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
     - basicConstraints: "critical CA:true"
+    - subjectKeyIdentifier: hash
     - days_valid: {{ ca.cert.days_valid }}
     - user: root
     - group: root

salt/tests/unit/formulas/data/base_pillar.yaml

@@ -93,42 +93,49 @@ x509_signing_policies:
     - signing_cert: /etc/metalk8s/pki/dex/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: serverAuth
+    - authorityKeyIdentifier: keyid
   etcd_client_policy:
     - minions: '*'
     - signing_private_key: /etc/kubernetes/pki/etcd/ca.key
     - signing_cert: /etc/kubernetes/pki/etcd/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: clientAuth
+    - authorityKeyIdentifier: keyid
   etcd_server_client_policy:
     - minions: '*'
     - signing_private_key: /etc/kubernetes/pki/etcd/ca.key
     - signing_cert: /etc/kubernetes/pki/etcd/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: serverAuth, clientAuth
+    - authorityKeyIdentifier: keyid
   front_proxy_client_policy:
     - minions: '*'
     - signing_private_key: /etc/kubernetes/pki/front-proxy-ca.key
     - signing_cert: /etc/kubernetes/pki/front-proxy-ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: clientAuth
+    - authorityKeyIdentifier: keyid
   ingress_server_policy:
     - minions: '*'
     - signing_private_key: /etc/metalk8s/pki/nginx-ingress/ca.key
     - signing_cert: /etc/metalk8s/pki/nginx-ingress/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: serverAuth
+    - authorityKeyIdentifier: keyid
   kube_apiserver_client_policy:
     - minions: '*'
     - signing_private_key: /etc/kubernetes/pki/ca.key
     - signing_cert: /etc/kubernetes/pki/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: clientAuth
+    - authorityKeyIdentifier: keyid
   kube_apiserver_server_policy:
     - minions: '*'
     - signing_private_key: /etc/kubernetes/pki/ca.key
     - signing_cert: /etc/kubernetes/pki/ca.crt
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: serverAuth
+    - authorityKeyIdentifier: keyid
 certificates:
   client:
     files: