clustercfg: do not use SAN section if no SAN names
diff --git a/tools/clustercfg.py b/tools/clustercfg.py
index be3fea7..29e42a4 100644
--- a/tools/clustercfg.py
+++ b/tools/clustercfg.py
@@ -51,9 +51,10 @@
'-CA', self.cacert,
'-CAkey', self.cakey,
'-out', crt,
- '-extensions', 'SAN', '-extfile', conf,
'-days', str(days),
- ])
+ ] + ([
+ '-extensions', 'SAN', '-extfile', conf,
+ ] if conf else []))
class Subject(object):
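Review bot: The `conf` argument of `sign` has become optional in meaning (a falsy value now drops `-extensions SAN -extfile`), but nothing in the hunk documents that contract, and the function's signature and docstring sit above the hunk, so it is not visible whether the parameter also defaults to `None` there. The behavioural consequence is worth a line in the docstring, since a certificate signed with `conf=None` is emitted by `openssl x509` with no v3 extensions at all: `conf: path to an OpenSSL config with a [SAN] section, or None to sign without any extension file (no subjectAltName on the issued certificate).` Callers that rely on a SAN for server-side TLS should not hit the `None` path, and a comment on the conditional list, `# no SAN config -> no -extfile, certificate gets no extensions`, makes that explicit to the next reader. The body of `sign` begins outside this hunk.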
@@ -92,10 +93,11 @@
with open(os.path.join(local_root, 'cluster/openssl.cnf'), 'rb') as f:
config = BytesIO(f.read())
- config.seek(0, 2)
- config.write(b'\n[SAN]\n')
- for s in san:
- config.write('subjectAltName=DNS:{}\n'.format(s).encode())
+ if san:
+ config.seek(0, 2)
+ config.write(b'\n[SAN]\n')
+ for s in san:
+ config.write('subjectAltName=DNS:{}\n'.format(s).encode())
f = tempfile.NamedTemporaryFile(delete=False)
path = f.name
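Review bot: The loop that now sits under `if san:` writes one `subjectAltName=DNS:...` line per name, which produces repeated keys in a single config section; depending on the OpenSSL version this either collapses to one name or yields a certificate with several subjectAltName extensions, which RFC 5280 does not allow and some validators reject. Since these lines are on the new side and the same data is consumed by both `-reqexts SAN` and `-extensions SAN`, it would be safer to emit a single key with a comma-separated list: `config.write('subjectAltName={}\n'.format(','.join('DNS:' + s for s in san)).encode())`. I would confirm against the OpenSSL version the cluster tooling targets before changing it. The temporary-file handling that follows `path = f.name` continues outside this hunk.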
@@ -205,8 +207,9 @@
'-out', local_csr,
'-subj', str(subj),
'-config', local_config,
+ ] + ([
'-reqexts', 'SAN',
- ])
+ ] if san else []))
pki.sign(local_csr, local_cert, local_config, days)
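Review bot: `pki.sign(local_csr, local_cert, local_config, days)` still passes the config unconditionally, while after this commit `openssl_config` only writes a `[SAN]` section when `san` is non-empty; with an empty `san` the CSR step correctly omits `-reqexts SAN`, but `sign` will then run `openssl x509 -extensions SAN -extfile <config>` against a file that has no such section and fail. If this path can be reached with an empty `san` (the surrounding function starts above the hunk, so I cannot see the callers), the call should mirror the CSR condition: `pki.sign(local_csr, local_cert, local_config if san else None, days)`. Alternatively `openssl_config` could return `None` when it writes no SAN section, so that both call sites pick up the same decision.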
@@ -282,7 +285,6 @@
if not generate_cert:
return configure_k8s(username, pki.cacert, local_cert, local_key)
- local_config = openssl_config([])
subj = Subject('system:masters', "Kubernetes Admin Account for {}".format(username), username)
subprocess.check_call([
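Review bot: Removing `local_config = openssl_config([])` here, together with the removal of `-config local_config` in the next hunk, means the admin CSR is no longer generated against the project's `cluster/openssl.cnf` but against whatever OpenSSL configuration the host resolves by default (the `OPENSSL_CONF` file and its `req` section), which can differ between machines and may lack the sections `openssl req` needs. If the intent is only to drop the SAN extension, the cheaper change is to keep `local_config = openssl_config([])` and `'-config', local_config,` (after this commit that config has no `[SAN]` section) and pass `None` only to `pki.sign`, keeping the `os.remove(local_config)` cleanup. This keeps the digest, key and DN settings under the repository's control. The enclosing function starts above this hunk.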
@@ -290,12 +292,9 @@
'-key', local_key,
'-out', local_csr,
'-subj', str(subj),
- '-config', local_config,
- '-reqexts', 'SAN',
])
- pki.sign(local_csr, local_cert, local_config, 5)
- os.remove(local_config)
+ pki.sign(local_csr, local_cert, None, 5)
configure_k8s(username, pki.cacert, local_cert, local_key)
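Review bot: `pki.sign(local_csr, local_cert, None, 5)` passes two bare positional literals whose meaning is not recoverable at the call site; a reader has to open `sign` to learn that `None` disables the extension file and `5` is a lifetime in days. Naming the argument, or a trailing comment such as `pki.sign(local_csr, local_cert, None, 5)  # no extfile: admin client cert carries no SAN; 5-day validity`, documents that the admin certificate is intentionally issued without any v3 extensions. If `sign` accepts keywords, `conf=None, days=5` would be clearer still. The enclosing function starts above this hunk.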