forked from hswaw/hscloud
clustercfg: do not use SAN section if no SAN names
parent
ae56b6a6a5
commit
4c186db2c1
1 changed files with 11 additions and 12 deletions
|
@ -51,9 +51,10 @@ class PKI(object):
|
|||
'-CA', self.cacert,
|
||||
'-CAkey', self.cakey,
|
||||
'-out', crt,
|
||||
'-extensions', 'SAN', '-extfile', conf,
|
||||
'-days', str(days),
|
||||
])
|
||||
] + ([
|
||||
'-extensions', 'SAN', '-extfile', conf,
|
||||
] if conf else []))
|
||||
|
||||
|
||||
class Subject(object):
|
||||
|
@ -92,10 +93,11 @@ def openssl_config(san):
|
|||
with open(os.path.join(local_root, 'cluster/openssl.cnf'), 'rb') as f:
|
||||
config = BytesIO(f.read())
|
||||
|
||||
config.seek(0, 2)
|
||||
config.write(b'\n[SAN]\n')
|
||||
for s in san:
|
||||
config.write('subjectAltName=DNS:{}\n'.format(s).encode())
|
||||
if san:
|
||||
config.seek(0, 2)
|
||||
config.write(b'\n[SAN]\n')
|
||||
for s in san:
|
||||
config.write('subjectAltName=DNS:{}\n'.format(s).encode())
|
||||
|
||||
f = tempfile.NamedTemporaryFile(delete=False)
|
||||
path = f.name
|
||||
|
@ -205,8 +207,9 @@ def shared_cert(pki, c, fqdn, cert_name, subj, san=[], days=365):
|
|||
'-out', local_csr,
|
||||
'-subj', str(subj),
|
||||
'-config', local_config,
|
||||
] + ([
|
||||
'-reqexts', 'SAN',
|
||||
])
|
||||
] if san else []))
|
||||
|
||||
pki.sign(local_csr, local_cert, local_config, days)
|
||||
|
||||
|
@ -282,7 +285,6 @@ def admincreds(args):
|
|||
if not generate_cert:
|
||||
return configure_k8s(username, pki.cacert, local_cert, local_key)
|
||||
|
||||
local_config = openssl_config([])
|
||||
subj = Subject('system:masters', "Kubernetes Admin Account for {}".format(username), username)
|
||||
|
||||
subprocess.check_call([
|
||||
|
@ -290,12 +292,9 @@ def admincreds(args):
|
|||
'-key', local_key,
|
||||
'-out', local_csr,
|
||||
'-subj', str(subj),
|
||||
'-config', local_config,
|
||||
'-reqexts', 'SAN',
|
||||
])
|
||||
|
||||
pki.sign(local_csr, local_cert, local_config, 5)
|
||||
os.remove(local_config)
|
||||
pki.sign(local_csr, local_cert, None, 5)
|
||||
|
||||
configure_k8s(username, pki.cacert, local_cert, local_key)
|
||||
|
||||
|
|
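Review bot: In the third hunk, `shared_cert` still passes `local_config` to `pki.sign(...)` unconditionally, while `PKI.sign` now adds `-extensions SAN -extfile conf` whenever `conf` is truthy. If `local_config` comes from `openssl_config(san)` (not visible in the hunk), an empty `san` now produces a config with no `[SAN]` section while signing still asks for it, which openssl is likely to reject. Gate the call the same way as the `-reqexts` argument: `pki.sign(local_csr, local_cert, local_config if san else None, days)`. Separately, the loop in `openssl_config` writes one `subjectAltName=` line per name, and openssl config sections may keep only the last value for a repeated key, so a single `subjectAltName=DNS:a,DNS:b` line would be safer; confirm against an issued certificate. The bodies of `sign`, `openssl_config` and `shared_cert` extend beyond the hunks shown.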