self-hosting/roles/kubernetes-ca/defaults/main.yml

---
# The directory from where to copy the K8s certificates. By default this
# will expand to user's LOCAL $HOME (the user that run's "ansible-playbook ..."
# plus "/k8s/certs". That means if the user's $HOME directory is e.g.
# "/home/da_user" then "k8s_ca_conf_directory" will have a value of
# "/home/da_user/k8s/certs".
k8s_ca_conf_directory: "{{ '~/k8s/certs' | expanduser }}"
k8s_ca_certificate_owner: "root"
k8s_ca_certificate_group: "root"


# Expiry for Kubernetes API server root certificates
ca_expiry: "87600h"

k8s_csr:
  master:
    - name: "ca"
      cn: "Kubernetes"
      key_algo: "rsa"
      key_size: "2048"
      names_c: "BE"
      names_l: "The_Internet"
      names_o: "Kubernetes"
      names_ou: "CA"
      names_st: "Luxembourg"
    - name: "etcd"
      cn: "Etcd"
      key_algo: "rsa"
      key_size: "2048"
      names_c: "BE"
      names_l: "The_Internet"
      names_o: "Kubernetes"
      names_ou: "{{ k8s_config_cluster_name }}"
      names_st: "Luxembourg"
      hostnames: "{{etcdHosts}}"
    - name: "apiserver"    
      cn: "Kubernetes"
      key_algo: "rsa"
      key_size: "2048"
      names_c: "BE"
      names_l: "The_Internet"
      names_o: "Kubernetes"
      names_ou: "{{ k8s_config_cluster_name }}"
      names_st: "Luxembourg"
      hostnames: "{{k8sHosts}}"
    - name: "admin"
      cn: "admin"
      key_algo: "rsa"
      key_size: "2048"
      names_c: "BE"
      names_l: "The_Internet"
      names_o: "system:masters" # DO NOT CHANGE!
      names_ou: "{{ k8s_config_cluster_name }}"
      names_st: "Luxembourg"
    - name: "kube-proxy"
      cn: "system:kube-proxy" # DO NOT CHANGE!
      key_algo: "rsa"
      key_size: "2048"
      names_c: "BE"
      names_l: "The_Internet"
      names_o: "system:node-proxier" # DO NOT CHANGE!
      names_ou: "{{ k8s_config_cluster_name }}"
      names_st: "Luxembourg"
    - name: "kube-controller-manager"
      cn: "system:kube-controller-manager" # DO NOT CHANGE!
      key_algo: "rsa"
      key_size: "2048"
      names_c: "BE"
      names_l: "The_Internet"
      names_o: "system:kube-controller-manager" # DO NOT CHANGE!
      names_ou: "{{ k8s_config_cluster_name }}"
      names_st: "Luxembourg"
    - name: "kube-scheduler"
      cn: "system:kube-scheduler" # DO NOT CHANGE!
      key_algo: "rsa"
      key_size: "2048"
      names_c: "BE"
      names_l: "The_Internet"
      names_o: "system:kube-scheduler" # DO NOT CHANGE!
      names_ou: "{{ k8s_config_cluster_name }}"
      names_st: "Luxembourg"
    - name: "service-account"
      cn: "service-accounts"
      key_algo: "rsa"
      key_size: "2048"
      names_c: "BE"
      names_l: "The_Internet"
      names_o: "Kubernetes"
      names_ou: "{{ k8s_config_cluster_name }}"
      names_st: "Luxembourg"
  worker:
    name: "worker"
    key_algo: "rsa"
    key_size: "2048"
    names_c: "BE"
    names_l: "The_Internet"
    names_o: "system:nodes" # DO NOT CHANGE!
    names_ou: "{{ k8s_config_cluster_name }}"
    names_st: "Luxembourg"

etcd_cert_hosts:
  - 127.0.0.1
  - etcd0
  - etcd1
  - etcd2

k8s_apiserver_cert_hosts:
  - 127.0.0.1
  - 10.32.0.1
  - kubernetes
  - kubernetes.default
  - kubernetes.default.svc
  - kubernetes.default.svc.cluster.local
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`---`
			`# The directory from where to copy the K8s certificates. By default this`
			`# will expand to user's LOCAL $HOME (the user that run's "ansible-playbook ..."`
			`# plus "/k8s/certs". That means if the user's $HOME directory is e.g.`
			`# "/home/da_user" then "k8s_ca_conf_directory" will have a value of`
			`# "/home/da_user/k8s/certs".`
			`k8s_ca_conf_directory: "{{ '~/k8s/certs' \| expanduser }}"`
			`k8s_ca_certificate_owner: "root"`
			`k8s_ca_certificate_group: "root"`


			`# Expiry for Kubernetes API server root certificates`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`ca_expiry: "87600h"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`k8s_csr:`
			`master:`
			`- name: "ca"`
			`cn: "Kubernetes"`
			`key_algo: "rsa"`
			`key_size: "2048"`
			`names_c: "BE"`
			`names_l: "The_Internet"`
			`names_o: "Kubernetes"`
			`names_ou: "CA"`
			`names_st: "Luxembourg"`
			`- name: "etcd"`
			`cn: "Etcd"`
			`key_algo: "rsa"`
			`key_size: "2048"`
			`names_c: "BE"`
			`names_l: "The_Internet"`
			`names_o: "Kubernetes"`
			`names_ou: "{{ k8s_config_cluster_name }}"`
			`names_st: "Luxembourg"`
Improve kubernetes-ca role readability 2018-08-02 21:03:31 +02:00			`hostnames: "{{etcdHosts}}"`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`- name: "apiserver"`
			`cn: "Kubernetes"`
			`key_algo: "rsa"`
			`key_size: "2048"`
			`names_c: "BE"`
			`names_l: "The_Internet"`
			`names_o: "Kubernetes"`
			`names_ou: "{{ k8s_config_cluster_name }}"`
			`names_st: "Luxembourg"`
Improve kubernetes-ca role readability 2018-08-02 21:03:31 +02:00			`hostnames: "{{k8sHosts}}"`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`- name: "admin"`
			`cn: "admin"`
			`key_algo: "rsa"`
			`key_size: "2048"`
			`names_c: "BE"`
			`names_l: "The_Internet"`
			`names_o: "system:masters" # DO NOT CHANGE!`
			`names_ou: "{{ k8s_config_cluster_name }}"`
			`names_st: "Luxembourg"`
			`- name: "kube-proxy"`
			`cn: "system:kube-proxy" # DO NOT CHANGE!`
			`key_algo: "rsa"`
			`key_size: "2048"`
			`names_c: "BE"`
			`names_l: "The_Internet"`
			`names_o: "system:node-proxier" # DO NOT CHANGE!`
			`names_ou: "{{ k8s_config_cluster_name }}"`
			`names_st: "Luxembourg"`
			`- name: "kube-controller-manager"`
			`cn: "system:kube-controller-manager" # DO NOT CHANGE!`
			`key_algo: "rsa"`
			`key_size: "2048"`
			`names_c: "BE"`
			`names_l: "The_Internet"`
			`names_o: "system:kube-controller-manager" # DO NOT CHANGE!`
			`names_ou: "{{ k8s_config_cluster_name }}"`
			`names_st: "Luxembourg"`
			`- name: "kube-scheduler"`
			`cn: "system:kube-scheduler" # DO NOT CHANGE!`
			`key_algo: "rsa"`
			`key_size: "2048"`
			`names_c: "BE"`
			`names_l: "The_Internet"`
			`names_o: "system:kube-scheduler" # DO NOT CHANGE!`
			`names_ou: "{{ k8s_config_cluster_name }}"`
			`names_st: "Luxembourg"`
			`- name: "service-account"`
			`cn: "service-accounts"`
			`key_algo: "rsa"`
			`key_size: "2048"`
			`names_c: "BE"`
			`names_l: "The_Internet"`
			`names_o: "Kubernetes"`
			`names_ou: "{{ k8s_config_cluster_name }}"`
			`names_st: "Luxembourg"`
			`worker:`
			`name: "worker"`
			`key_algo: "rsa"`
			`key_size: "2048"`
			`names_c: "BE"`
			`names_l: "The_Internet"`
			`names_o: "system:nodes" # DO NOT CHANGE!`
			`names_ou: "{{ k8s_config_cluster_name }}"`
			`names_st: "Luxembourg"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00
			`etcd_cert_hosts:`
			`- 127.0.0.1`
			`- etcd0`
			`- etcd1`
			`- etcd2`

			`k8s_apiserver_cert_hosts:`
			`- 127.0.0.1`
			`- 10.32.0.1`
			`- kubernetes`
			`- kubernetes.default`
			`- kubernetes.default.svc`
			`- kubernetes.default.svc.cluster.local`