4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -60,6 +60,10 @@
- Implement ability to add certificates to fluent-bit by mounting a fluent-bit-certs secret
(PR[#4812](https://github.com/scality/metalk8s/pull/4812))

- Add x509 `subjectKeyIdentifier` extension to CA certificates and
`authorityKeyIdentifier` extension to leaf certificates per RFC 5280
(PR[#4836](https://github.com/scality/metalk8s/pull/4836))

### Bug Fixes

- Fix a bug where part of the upgrade process would silently be skipped
8 changes: 8 additions & 0 deletions pillar/metalk8s/roles/ca.sls
Expand Up @@ -34,45 +34,53 @@ x509_signing_policies:
- signing_cert: /etc/kubernetes/pki/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
kube_apiserver_server_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/ca.key
- signing_cert: /etc/kubernetes/pki/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
etcd_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/etcd/ca.key
- signing_cert: /etc/kubernetes/pki/etcd/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
etcd_server_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/etcd/ca.key
- signing_cert: /etc/kubernetes/pki/etcd/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth, clientAuth
- authorityKeyIdentifier: keyid
front_proxy_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/front-proxy-ca.key
- signing_cert: /etc/kubernetes/pki/front-proxy-ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
ingress_server_policy:
- minions: '*'
- signing_private_key: /etc/metalk8s/pki/nginx-ingress/ca.key
- signing_cert: /etc/metalk8s/pki/nginx-ingress/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
dex_server_policy:
- minions: '*'
- signing_private_key: /etc/metalk8s/pki/dex/ca.key
- signing_cert: /etc/metalk8s/pki/dex/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
backup_server_policy:
- minions: '*'
- signing_private_key: /etc/metalk8s/pki/backup-server/ca.key
- signing_cert: /etc/metalk8s/pki/backup-server/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
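Review bot: `authorityKeyIdentifier: keyid` on the eight signing policies only yields the intended RFC 5280 result when the issuing CA certificate actually carries a subjectKeyIdentifier; under the OpenSSL value syntax a plain `keyid` silently omits the extension when the issuer has none, so leaf certificates signed by a CA generated before this change may end up without an AKI and nothing fails. If the Salt x509 module passes this value through with OpenSSL semantics (not visible here), `- authorityKeyIdentifier: keyid:always` would turn that into a signing error rather than a silent omission, which is the safer default for a change described as RFC 5280 compliance. A comment on the first policy, `# requires the signing CA to carry subjectKeyIdentifier (see the CA generation states)`, would record the coupling. The same value is repeated in salt/tests/unit/formulas/data/base_pillar.yaml, and the x509_signing_policies mapping starts before this hunk.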
1 change: 1 addition & 0 deletions salt/metalk8s/addons/dex/ca/installed.sls
Expand Up @@ -27,6 +27,7 @@ Generate dex CA certificate:
- CN: dex-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ dex.ca.cert.days_valid }}
- user: root
- group: root
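Review bot: `subjectKeyIdentifier: hash` only takes effect when the CA certificate is (re)generated; on clusters where /etc/metalk8s/pki/dex/ca.crt already exists, whether this state rewrites the certificate depends on how the x509 state compares the requested extensions against the file on disk, which this hunk does not show. If it does not, the dex CA keeps no SKI and the leaf policies that now request `authorityKeyIdentifier: keyid` from it cannot populate the extension. A comment above the added line, `# SKI is required so leaf certificates can carry authorityKeyIdentifier (RFC 5280 section 4.2.1.1)`, would record the coupling, and the effect on pre-existing CAs (regeneration or explicit re-issue) is worth a sentence in the changelog entry. The same applies to the identical hunks in salt/metalk8s/addons/nginx-ingress/ca/installed.sls, salt/metalk8s/backup/certs/ca.sls, salt/metalk8s/kubernetes/ca/etcd/installed.sls, salt/metalk8s/kubernetes/ca/front-proxy/installed.sls and salt/metalk8s/kubernetes/ca/kubernetes/installed.sls. The `Generate dex CA certificate` state starts before this hunk.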
1 change: 1 addition & 0 deletions salt/metalk8s/addons/nginx-ingress/ca/installed.sls
Expand Up @@ -27,6 +27,7 @@ Generate Ingress CA certificate:
- CN: ingress-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ nginx_ingress.ca.cert.days_valid }}
- user: root
- group: root
1 change: 1 addition & 0 deletions salt/metalk8s/backup/certs/ca.sls
Expand Up @@ -27,6 +27,7 @@ Generate backup server CA certificate:
- CN: backup-server-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ backup_server.ca.cert.days_valid }}
- user: root
- group: root
1 change: 1 addition & 0 deletions salt/metalk8s/kubernetes/ca/etcd/installed.sls
Expand Up @@ -27,6 +27,7 @@ Generate etcd CA certificate:
- CN: etcd-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ etcd.ca.cert.days_valid }}
- user: root
- group: root
1 change: 1 addition & 0 deletions salt/metalk8s/kubernetes/ca/front-proxy/installed.sls
Expand Up @@ -27,6 +27,7 @@ Generate front proxy CA certificate:
- CN: front-proxy-ca
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ front_proxy.ca.cert.days_valid }}
- user: root
- group: root
1 change: 1 addition & 0 deletions salt/metalk8s/kubernetes/ca/kubernetes/installed.sls
Expand Up @@ -27,6 +27,7 @@ Generate CA certificate:
- CN: kubernetes
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign"
- basicConstraints: "critical CA:true"
- subjectKeyIdentifier: hash
- days_valid: {{ ca.cert.days_valid }}
- user: root
- group: root
7 changes: 7 additions & 0 deletions salt/tests/unit/formulas/data/base_pillar.yaml
Expand Up @@ -93,42 +93,49 @@ x509_signing_policies:
- signing_cert: /etc/metalk8s/pki/dex/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
etcd_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/etcd/ca.key
- signing_cert: /etc/kubernetes/pki/etcd/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
etcd_server_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/etcd/ca.key
- signing_cert: /etc/kubernetes/pki/etcd/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth, clientAuth
- authorityKeyIdentifier: keyid
front_proxy_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/front-proxy-ca.key
- signing_cert: /etc/kubernetes/pki/front-proxy-ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
ingress_server_policy:
- minions: '*'
- signing_private_key: /etc/metalk8s/pki/nginx-ingress/ca.key
- signing_cert: /etc/metalk8s/pki/nginx-ingress/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
kube_apiserver_client_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/ca.key
- signing_cert: /etc/kubernetes/pki/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: clientAuth
- authorityKeyIdentifier: keyid
kube_apiserver_server_policy:
- minions: '*'
- signing_private_key: /etc/kubernetes/pki/ca.key
- signing_cert: /etc/kubernetes/pki/ca.crt
- keyUsage: critical digitalSignature, keyEncipherment
- extendedKeyUsage: serverAuth
- authorityKeyIdentifier: keyid
certificates:
client:
files: