salt: add authorityKeyIdentifier to leaf cert states

Add `authorityKeyIdentifier: keyid` to all 13 leaf certificate
`x509.certificate_managed` states so that Salt detects the missing
extension on existing certs and re-issues them during upgrade.

The signing policies alone (in pillar) control what extensions are
stamped on new certs, but Salt does not compare signing policy
extensions against existing certs. Adding the extension in the
state itself triggers the diff detection needed for upgrade.

Closes: MK8S-201

Author: ezekiel-alexrod

salt/metalk8s/addons/dex/certs/server.sls

@@ -45,6 +45,7 @@ Generate Dex server certificate:
     - signing_policy: {{ dex.cert.server_signing_policy }}
     - CN: dex-server
     - subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}"
+    - authorityKeyIdentifier: keyid
     - days_valid: {{
         certificates.server.files.dex.days_valid |
         default(certificates.server.days_valid) }}

salt/metalk8s/addons/nginx-ingress-control-plane/certs/server.sls

@@ -45,6 +45,7 @@ Generate Control-Plane Ingress server certificate:
     - signing_policy: {{ nginx_ingress.cert.server_signing_policy }}
     - CN: nginx-ingress-control-plane-server
     - subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}"
+    - authorityKeyIdentifier: keyid
     - days_valid: {{
         certificates.server.files['control-plane-ingress'].days_valid |
         default(certificates.server.days_valid) }}

salt/metalk8s/addons/nginx-ingress/certs/server.sls

@@ -41,6 +41,7 @@ Generate Workload-Plane Ingress server certificate:
     - signing_policy: {{ nginx_ingress.cert.server_signing_policy }}
     - CN: nginx-ingress-workload-plane-server
     - subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}"
+    - authorityKeyIdentifier: keyid
     - days_valid: {{
         certificates.server.files['workload-plane-ingress'].days_valid |
         default(certificates.server.days_valid) }}

salt/metalk8s/backup/certs/server.sls

@@ -35,6 +35,7 @@ Generate backup server certificate:
     - signing_policy: {{ backup_server.cert.server_signing_policy }}
     - CN: backup
     - subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}"
+    - authorityKeyIdentifier: keyid
     - days_valid: {{
         certificates.server.files["backup-server"].days_valid |
         default(certificates.server.days_valid) }}

salt/metalk8s/kubernetes/apiserver/certs/etcd-client.sls

@@ -29,6 +29,7 @@ Generate apiserver etcd client certificate:
     - signing_policy: {{ etcd.cert.apiserver_client_signing_policy }}
     - CN: kube-apiserver-etcd-client
     - O: "system:masters"
+    - authorityKeyIdentifier: keyid
     - days_valid: {{
         certificates.client.files['apiserver-etcd'].days_valid |
         default(certificates.client.days_valid) }}

salt/metalk8s/kubernetes/apiserver/certs/front-proxy-client.sls

@@ -28,6 +28,7 @@ Generate front proxy client certificate:
     - ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
     - signing_policy: {{ front_proxy.cert.client_signing_policy }}
     - CN: front-proxy-client
+    - authorityKeyIdentifier: keyid
     - days_valid: {{
         certificates.client.files['front-proxy'].days_valid |
         default(certificates.client.days_valid) }}

salt/metalk8s/kubernetes/apiserver/certs/kubelet-client.sls

@@ -29,6 +29,7 @@ Generate kube-apiserver kubelet client certificate:
     - signing_policy: {{ kube_api.cert.client_signing_policy }}
     - CN: kube-apiserver-kubelet-client
     - O: "system:masters"
+    - authorityKeyIdentifier: keyid
     - days_valid: {{
         certificates.client.files['apiserver-kubelet'].days_valid |
         default(certificates.client.days_valid) }}

salt/metalk8s/kubernetes/apiserver/certs/server.sls

@@ -43,6 +43,7 @@ Generate kube-apiserver certificate:
     - signing_policy: {{ kube_api.cert.server_signing_policy }}
     - CN: kube-apiserver
     - subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}"
+    - authorityKeyIdentifier: keyid
     - days_valid: {{
         certificates.server.files.apiserver.days_valid |
         default(certificates.server.days_valid) }}

salt/metalk8s/kubernetes/etcd/certs/healthcheck-client.sls

@@ -29,6 +29,7 @@ Generate etcd healthcheck client certificate:
     - signing_policy: {{ etcd.cert.healthcheck_client_signing_policy }}
     - CN: kube-etcd-healthcheck-client
     - O: "system:masters"
+    - authorityKeyIdentifier: keyid
     - days_valid: {{
         certificates.client.files['etcd-healthcheck'].days_valid |
         default(certificates.client.days_valid) }}

salt/metalk8s/kubernetes/etcd/certs/peer.sls

@@ -29,6 +29,7 @@ Generate etcd peer certificate:
     - signing_policy: {{ etcd.cert.peer_signing_policy }}
     - CN: "{{ grains['fqdn'] }}"
     - subjectAltName: "DNS:{{ grains['fqdn'] }}, DNS:localhost, IP:{{ grains['metalk8s']['control_plane_ip'] }}, IP:127.0.0.1"
+    - authorityKeyIdentifier: keyid
     - days_valid: {{
         certificates.server.files['etcd-peer'].days_valid |
         default(certificates.server.days_valid) }}