Generate certificates for the aggregation layer.

2026-01-09 18:19:34 -05:00
parent c0ace47d95
commit fd1ea9e890
13 changed files with 204 additions and 43 deletions
--- a/nix/kubernetes/keys/package/k8s-ca/files/requestheader-client-ca.conf
+++ b/nix/kubernetes/keys/package/k8s-ca/files/requestheader-client-ca.conf
@@ -0,0 +1,95 @@
+[req]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = ca_x509_extensions
+
+[ca_x509_extensions]
+basicConstraints = CA:TRUE
+keyUsage         = cRLSign, keyCertSign
+
+[req_distinguished_name]
+C   = US
+ST  = Washington
+L   = Seattle
+CN  = CA
+
+[controller0-proxy]
+distinguished_name = controller0_distinguished_name
+prompt             = no
+req_extensions     = controller0_req_extensions
+
+[controller0_req_extensions]
+basicConstraints     = CA:FALSE
+extendedKeyUsage     = clientAuth, serverAuth
+keyUsage             = critical, digitalSignature, keyEncipherment
+nsCertType           = client
+nsComment            = "controller0 Certificate"
+subjectAltName       = @controller0_alt_names
+subjectKeyIdentifier = hash
+
+[controller0_distinguished_name]
+CN = system:node:controller0
+O  = system:nodes
+C  = US
+ST = Washington
+L  = Seattle
+
+[controller0_alt_names]
+IP.0  = 127.0.0.1
+IP.4  = 10.215.1.221
+IP.5  = 2620:11f:7001:7:ffff:ffff:0ad7:01dd
+DNS.0 = controller0
+
+[controller1-proxy]
+distinguished_name = controller1_distinguished_name
+prompt             = no
+req_extensions     = controller1_req_extensions
+
+[controller1_req_extensions]
+basicConstraints     = CA:FALSE
+extendedKeyUsage     = clientAuth, serverAuth
+keyUsage             = critical, digitalSignature, keyEncipherment
+nsCertType           = client
+nsComment            = "controller1 Certificate"
+subjectAltName       = @controller1_alt_names
+subjectKeyIdentifier = hash
+
+[controller1_distinguished_name]
+CN = system:node:controller1
+O  = system:nodes
+C  = US
+ST = Washington
+L  = Seattle
+
+[controller1_alt_names]
+IP.0  = 127.0.0.1
+IP.4  = 10.215.1.222
+IP.5  = 2620:11f:7001:7:ffff:ffff:0ad7:01de
+DNS.0 = controller1
+
+[controller2-proxy]
+distinguished_name = controller2_distinguished_name
+prompt             = no
+req_extensions     = controller2_req_extensions
+
+[controller2_req_extensions]
+basicConstraints     = CA:FALSE
+extendedKeyUsage     = clientAuth, serverAuth
+keyUsage             = critical, digitalSignature, keyEncipherment
+nsCertType           = client
+nsComment            = "controller2 Certificate"
+subjectAltName       = @controller2_alt_names
+subjectKeyIdentifier = hash
+
+[controller2_distinguished_name]
+CN = system:node:controller2
+O  = system:nodes
+C  = US
+ST = Washington
+L  = Seattle
+
+[controller2_alt_names]
+IP.0  = 127.0.0.1
+IP.6  = 10.215.1.223
+IP.7  = 2620:11f:7001:7:ffff:ffff:0ad7:01df
+DNS.0 = controller2