4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -60,6 +60,10 @@
- Implement ability to add certificates to fluent-bit by mounting a fluent-bit-certs secret
(PR[#4812](https://github.com/scality/metalk8s/pull/4812))

- Add x509 `subjectKeyIdentifier` extension to CA certificates and
`authorityKeyIdentifier` extension to leaf certificates per RFC 5280
(PR[#4836](https://github.com/scality/metalk8s/pull/4836))

### Bug Fixes

- Fix a bug where part of the upgrade process would silently be skipped
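Review bot: the new entry at lines 60-63 describes only the added extensions; since the per-state `authorityKeyIdentifier` declarations cause every existing leaf certificate to be re-issued on upgrade (as explained in the discussion on the dex server certificate state), consider stating that side effect in the changelog so operators expect the certificate rotation, for example `- Existing leaf certificates are re-issued during upgrade to add the extension`.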
8 changes: 8 additions & 0 deletions pillar/metalk8s/roles/ca.sls
Expand Up @@ -34,45 +34,53 @@ x509_signing_policies:
- signing_cert: /etc/kubernetes/pki/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
kube_apiserver_server_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/ca.key
- signing_cert: /etc/kubernetes/pki/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
etcd_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/etcd/ca.key
- signing_cert: /etc/kubernetes/pki/etcd/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
etcd_server_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/etcd/ca.key
- signing_cert: /etc/kubernetes/pki/etcd/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth, clientAuth
- authorityKeyIdentifier: keyid
front_proxy_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/front-proxy-ca.key
- signing_cert: /etc/kubernetes/pki/front-proxy-ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
ingress_server_policy:
- minions: '*'
- signing_private_key: /etc/metalk8s/pki/nginx-ingress/ca.key
- signing_cert: /etc/metalk8s/pki/nginx-ingress/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
dex_server_policy:
- minions: '*'
- signing_private_key: /etc/metalk8s/pki/dex/ca.key
- signing_cert: /etc/metalk8s/pki/dex/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
backup_server_policy:
- minions: '*'
- signing_private_key: /etc/metalk8s/pki/backup-server/ca.key
- signing_cert: /etc/metalk8s/pki/backup-server/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
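Review bot: `authorityKeyIdentifier: keyid` is derived from the issuing CA certificate's subjectKeyIdentifier, and the CA certificates only gain `subjectKeyIdentifier: hash` in this same change; on an upgraded cluster the CA certificate states therefore need to run before any leaf state is signed under these eight policies, otherwise the first re-issued leaf certificates are signed against a CA certificate that still lacks an SKI and the AKI cannot be populated from it. Please confirm the CA states are ordered ahead of the leaf states in the upgrade path, and consider `keyid:always` if the signing backend otherwise drops the extension silently when the issuer has no SKI.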
1 change: 1 addition & 0 deletions salt/metalk8s/addons/dex/ca/installed.sls
Expand Up @@ -27,6 +27,7 @@ Generate dex CA certificate:
- CN: dex-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ dex.ca.cert.days_valid }}
- user: root
- group: root
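Review bot: adding `subjectKeyIdentifier: hash` to the CA state re-issues the dex CA certificate itself on existing clusters (new serial and signature, assuming the key pair is kept), and the same applies to the ingress, backup, etcd, front-proxy and kubernetes CA states in this change. Anything that distributes the CA certificate as a trust anchor (kubeconfigs, ConfigMaps, client trust stores) should be refreshed from the re-issued file; it would help to note in the PR which states propagate these CA certificates and that they are triggered by this change.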
1 change: 1 addition & 0 deletions salt/metalk8s/addons/dex/certs/server.sls
Expand Up @@ -45,6 +45,7 @@ Generate Dex server certificate:
- signing_policy: {{ dex.cert.server_signing_policy }}
- CN: dex-server
- subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}"
- authorityKeyIdentifier: keyid
authorityKeyIdentifier: keyid is now specified in both the signing policy (pillar) and in each individual leaf cert state file. The signing policy already enforces this extension on all certificates it signs, so the per-cert declarations are redundant.

This duplication means if the extension needs to change in the future, it must be updated in 8 signing policies + 13 individual state files instead of just the 8 policies. Consider removing the authorityKeyIdentifier lines from the individual leaf cert state files and relying solely on the signing policies in pillar/metalk8s/roles/ca.sls.

— Claude Code

Contributor Author
The duplication is intentional and required for upgrade correctness.

We tested with authorityKeyIdentifier: keyid only in the signing policies (without it in the individual leaf cert states). The result: on upgrade from 132.0.2, Salt did not re-issue any leaf cert -- all leaf certs remained without AKI post-upgrade.

The reason is that the signing policy controls what extensions are stamped when a cert is issued, but x509.certificate_managed only compares properties declared in the state itself to decide whether to re-issue an existing cert. Since the signing policy lives on the CA side (pillar), the minion-side state has no visibility into it for diff detection.

So both are needed:

  • The signing policy ensures new certs (fresh install) get the AKI
  • The state declaration ensures Salt detects the missing AKI on existing certs and triggers re-issuance during upgrade

This was verified on 3-node EC2 clusters: without the per-cert declarations, AKI was present on fresh install but absent after upgrade. With both, it works in all scenarios.

- days_valid: {{
certificates.server.files.dex.days_valid |
default(certificates.server.days_valid) }}
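Review bot: the reply above explains that the per-state declaration is what makes `x509.certificate_managed` detect the missing AKI and re-issue; since that applies to all 13 leaf states in this change, a one-line comment next to these `authorityKeyIdentifier: keyid` lines (or in the signing policy pillar) saying the value must stay in sync with the policy would keep the next editor from removing it as redundant, which is exactly what the first review comment suggested.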
Expand Up @@ -45,6 +45,7 @@ Generate Control-Plane Ingress server certificate:
- signing_policy: {{ nginx_ingress.cert.server_signing_policy }}
- CN: nginx-ingress-control-plane-server
- subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}"
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.server.files['control-plane-ingress'].days_valid |
default(certificates.server.days_valid) }}
1 change: 1 addition & 0 deletions salt/metalk8s/addons/nginx-ingress/ca/installed.sls
Expand Up @@ -27,6 +27,7 @@ Generate Ingress CA certificate:
- CN: ingress-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ nginx_ingress.ca.cert.days_valid }}
- user: root
- group: root
1 change: 1 addition & 0 deletions salt/metalk8s/addons/nginx-ingress/certs/server.sls
Expand Up @@ -41,6 +41,7 @@ Generate Workload-Plane Ingress server certificate:
- signing_policy: {{ nginx_ingress.cert.server_signing_policy }}
- CN: nginx-ingress-workload-plane-server
- subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}"
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.server.files['workload-plane-ingress'].days_valid |
default(certificates.server.days_valid) }}
1 change: 1 addition & 0 deletions salt/metalk8s/backup/certs/ca.sls
Expand Up @@ -27,6 +27,7 @@ Generate backup server CA certificate:
- CN: backup-server-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ backup_server.ca.cert.days_valid }}
- user: root
- group: root
1 change: 1 addition & 0 deletions salt/metalk8s/backup/certs/server.sls
Expand Up @@ -35,6 +35,7 @@ Generate backup server certificate:
- signing_policy: {{ backup_server.cert.server_signing_policy }}
- CN: backup
- subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}"
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.server.files["backup-server"].days_valid |
default(certificates.server.days_valid) }}
1 change: 1 addition & 0 deletions salt/metalk8s/kubernetes/apiserver/certs/etcd-client.sls
Expand Up @@ -29,6 +29,7 @@ Generate apiserver etcd client certificate:
- signing_policy: {{ etcd.cert.apiserver_client_signing_policy }}
- CN: kube-apiserver-etcd-client
- O: "system:masters"
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.client.files['apiserver-etcd'].days_valid |
default(certificates.client.days_valid) }}
Expand Up @@ -28,6 +28,7 @@ Generate front proxy client certificate:
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ front_proxy.cert.client_signing_policy }}
- CN: front-proxy-client
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.client.files['front-proxy'].days_valid |
default(certificates.client.days_valid) }}
Expand Up @@ -29,6 +29,7 @@ Generate kube-apiserver kubelet client certificate:
- signing_policy: {{ kube_api.cert.client_signing_policy }}
- CN: kube-apiserver-kubelet-client
- O: "system:masters"
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.client.files['apiserver-kubelet'].days_valid |
default(certificates.client.days_valid) }}
1 change: 1 addition & 0 deletions salt/metalk8s/kubernetes/apiserver/certs/server.sls
Expand Up @@ -43,6 +43,7 @@ Generate kube-apiserver certificate:
- signing_policy: {{ kube_api.cert.server_signing_policy }}
- CN: kube-apiserver
- subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}"
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.server.files.apiserver.days_valid |
default(certificates.server.days_valid) }}
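Review bot: this serving certificate, like the etcd server/peer and salt-api certificates further down, is re-issued in place on upgrade; please confirm that the consuming process picks up the new file (a watch or restart requisite on the static pod manifest or service, or a reload mechanism), since the visible lines only manage the certificate file and a process holding the old certificate in memory would keep presenting it until restarted.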
1 change: 1 addition & 0 deletions salt/metalk8s/kubernetes/ca/etcd/installed.sls
Expand Up @@ -27,6 +27,7 @@ Generate etcd CA certificate:
- CN: etcd-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ etcd.ca.cert.days_valid }}
- user: root
- group: root
1 change: 1 addition & 0 deletions salt/metalk8s/kubernetes/ca/front-proxy/installed.sls
Expand Up @@ -27,6 +27,7 @@ Generate front proxy CA certificate:
- CN: front-proxy-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ front_proxy.ca.cert.days_valid }}
- user: root
- group: root
1 change: 1 addition & 0 deletions salt/metalk8s/kubernetes/ca/kubernetes/installed.sls
Expand Up @@ -27,6 +27,7 @@ Generate CA certificate:
- CN: kubernetes
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ ca.cert.days_valid }}
- user: root
- group: root
Expand Up @@ -29,6 +29,7 @@ Generate etcd healthcheck client certificate:
- signing_policy: {{ etcd.cert.healthcheck_client_signing_policy }}
- CN: kube-etcd-healthcheck-client
- O: "system:masters"
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.client.files['etcd-healthcheck'].days_valid |
default(certificates.client.days_valid) }}
1 change: 1 addition & 0 deletions salt/metalk8s/kubernetes/etcd/certs/peer.sls
Expand Up @@ -29,6 +29,7 @@ Generate etcd peer certificate:
- signing_policy: {{ etcd.cert.peer_signing_policy }}
- CN: "{{ grains['fqdn'] }}"
- subjectAltName: "DNS:{{ grains['fqdn'] }}, DNS:localhost, IP:{{ grains['metalk8s']['control_plane_ip'] }}, IP:127.0.0.1"
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.server.files['etcd-peer'].days_valid |
default(certificates.server.days_valid) }}
1 change: 1 addition & 0 deletions salt/metalk8s/kubernetes/etcd/certs/server.sls
Expand Up @@ -29,6 +29,7 @@ Generate etcd server certificate:
- signing_policy: {{ etcd.cert.server_signing_policy }}
- CN: "{{ grains['fqdn'] }}"
- subjectAltName: "DNS:{{ grains['fqdn'] }}, DNS:localhost, IP:{{ grains['metalk8s']['control_plane_ip'] }}, IP:127.0.0.1"
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.server.files.etcd.days_valid |
default(certificates.server.days_valid) }}
1 change: 1 addition & 0 deletions salt/metalk8s/salt/master/certs/etcd-client.sls
Expand Up @@ -28,6 +28,7 @@ Generate salt master etcd client certificate:
- ca_server: {{ pillar['metalk8s']['ca']['minion'] }}
- signing_policy: {{ etcd.cert.apiserver_client_signing_policy }}
- CN: etcd-salt-master-client
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.client.files['salt-master-etcd'].days_valid |
default(certificates.client.days_valid) }}
1 change: 1 addition & 0 deletions salt/metalk8s/salt/master/certs/salt-api.sls
Expand Up @@ -42,6 +42,7 @@ Generate Salt API certificate:
- signing_policy: {{ kube_api.cert.server_signing_policy }}
- CN: salt-api on {{ grains.id }}
- subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}"
- authorityKeyIdentifier: keyid
- days_valid: {{
certificates.server.files['salt-api'].days_valid |
default(certificates.server.days_valid) }}
7 changes: 7 additions & 0 deletions salt/tests/unit/formulas/data/base_pillar.yaml
Expand Up @@ -93,42 +93,49 @@ x509_signing_policies:
- signing_cert: /etc/metalk8s/pki/dex/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
etcd_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/etcd/ca.key
- signing_cert: /etc/kubernetes/pki/etcd/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
etcd_server_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/etcd/ca.key
- signing_cert: /etc/kubernetes/pki/etcd/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth, clientAuth
- authorityKeyIdentifier: keyid
front_proxy_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/front-proxy-ca.key
- signing_cert: /etc/kubernetes/pki/front-proxy-ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
ingress_server_policy:
- minions: '*'
- signing_private_key: /etc/metalk8s/pki/nginx-ingress/ca.key
- signing_cert: /etc/metalk8s/pki/nginx-ingress/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
kube_apiserver_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/ca.key
- signing_cert: /etc/kubernetes/pki/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
kube_apiserver_server_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/ca.key
- signing_cert: /etc/kubernetes/pki/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
certificates:
client:
files:
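Review bot: this fixture gains `authorityKeyIdentifier: keyid` on seven policies, while `pillar/metalk8s/roles/ca.sls` changes eight; `backup_server_policy` does not appear in this hunk, so either the fixture lacks that policy or it was missed here. Please confirm the unit fixture mirrors all eight policies so the rendering tests also exercise the backup server certificate state.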