self-hosting/roles/kubernetes-ca/tasks/main.yml

---
- name: Generate list of IP addresses and hostnames needed for Kubernetes API server certificate
  set_fact:
    tmpK8sHosts: |
      {% set comma = joiner(",") %}
      {% for item in groups["k8s_master"] -%}
        {{ comma() }}{{ hostvars[item].private_ip }}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{ hostvars[item]["public_ip"] }}{{ comma() }}{{ hostvars[item].ansible_hostname }}
      {%- endfor %}
      {% for item in groups["k8s_worker"] -%}
        {{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{ hostvars[item]["public_ip"] }}{{ comma() }}{{ hostvars[item].ansible_hostname }}
      {%- endfor %}
      {% for item in k8s_apiserver_cert_hosts -%}
        {{ comma() }}{{item}}
      {%- endfor %}
  tags:
    - kubernetes-ca

- name: Remove newline from controller hosts list
  set_fact:
    k8sHosts: "{{tmpK8sHosts |replace('\n', '')}}"
  tags:
    - kubernetes-ca

- name: Output of hostnames/IPs used for Kubernetes API server certificate
  debug: var=k8sHosts
  tags:
    - kubernetes-ca
- name: Generate list of IP addresses and hostnames needed for etcd certificate
  set_fact:
    tmpEtcdHosts: |
      {% set comma = joiner(",") %}
      {% for item in groups["k8s_etcd"] -%}
        {{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{hostvars[item]["public_ip"]}}{{ comma() }}{{ hostvars[item].ansible_hostname }}
      {%- endfor %}
      {% for item in etcd_cert_hosts -%}
        {{ comma() }}{{item}}
      {%- endfor %}
  tags:
    - kubernetes-ca
    - kubernetes-ca-etcd

- name: Remove newline from etcd hosts list
  set_fact:
    etcdHosts: "{{tmpEtcdHosts |replace('\n', '')}}"
  tags:
    - kubernetes-ca
    - kubernetes-ca-etcd

- name: Output of hostnames/IPs used for etcd certificate
  debug: var=etcdHosts
  tags:
    - kubernetes-ca
    - kubernetes-ca-etcd

- name: Create directory for CA and certificate files
  file:
    path: "{{k8s_ca_conf_directory}}"
    owner: "{{k8s_ca_certificate_owner}}"
    group: "{{k8s_ca_certificate_group}}"
    mode: 0755
    state: directory
  tags:
    - kubernetes-ca

- name: Create CA configuration file
  template:
    src: "ca-config.json.j2"
    dest: "{{k8s_ca_conf_directory}}/ca-config.json"
    owner: "{{k8s_ca_certificate_owner}}"
    group: "{{k8s_ca_certificate_group}}"
    mode: 0600
  tags:
    - kubernetes-ca

- name: Create the CSR files
  template:
    src: "csr.json.j2"
    dest: "{{k8s_ca_conf_directory}}/{{ item.name }}-csr.json"
    owner: "{{k8s_ca_certificate_owner}}"
    group: "{{k8s_ca_certificate_group}}"
    mode: 0600
  tags:
    - kubernetes-ca
  loop: "{{ k8s_csr.master|flatten(levels=1)}}"
  loop_control:
    label: "{{ item.name }}"

- name: Generate CA and private key
  shell: cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  args:
    chdir: "{{k8s_ca_conf_directory}}"
    creates: "{{k8s_ca_conf_directory}}/ca-key.pem"
  tags:
    - kubernetes-ca

- name: Create the worker CSR files
  template:
    src: "cert-worker-csr.json.j2"
    dest: "{{k8s_ca_conf_directory}}/{{item}}-csr.json"
    owner: "{{k8s_ca_certificate_owner}}"
    group: "{{k8s_ca_certificate_group}}"
    mode: 0600
  with_inventory_hostnames:
    - k8s_worker
  vars:
    - workerHost: "{{item}}"
  tags:
    - kubernetes-ca

- name: Generate TLS certificates whith hostname
  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{item.hostnames}} -profile=kubernetes {{item.name}}-csr.json | cfssljson -bare {{item.name}}"
  args:
    chdir: "{{k8s_ca_conf_directory}}"
    creates: "{{k8s_ca_conf_directory}}/{{item.name}}-key.pem"
  tags:
    - kubernetes-ca
  loop: "{{ k8s_csr.master|flatten(levels=1)}}"
  loop_control:
    label: "{{ item.name }}"
  when: item.hostnames is defined

- name: Generate TLS certificates whithout hostname
  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes {{item.name}}-csr.json | cfssljson -bare {{item.name}}"
  args:
    chdir: "{{k8s_ca_conf_directory}}"
    creates: "{{k8s_ca_conf_directory}}/{{item.name}}-key.pem"
  tags:
    - kubernetes-ca
  loop: "{{ k8s_csr.master|flatten(levels=1)}}"
  loop_control:
    label: "{{ item.name }}"
  when: item.hostnames is not defined

- name: Generate TLS certificates for Kubernetes worker hosts
  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{hostvars[item]['ansible_hostname']}},{{hostvars[item]['ansible_default_ipv4']['address']}},{{hostvars[item]['ansible_'+hostvars[item]['peervpn_conf_interface']].ipv4.address}} -profile=kubernetes {{item}}-csr.json | cfssljson -bare {{item}}"
  args:
    chdir: "{{k8s_ca_conf_directory}}"
    creates: "{{k8s_ca_conf_directory}}/{{item}}-key.pem"
  with_inventory_hostnames:
    - k8s_worker
  tags:
    - kubernetes-ca
- name: Allow ansible_user to read private keys
  file:
    path: "{{k8s_ca_conf_directory}}"
    state: directory
    owner: "{{ ansible_user }}"
    recurse: yes
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`---`
			`- name: Generate list of IP addresses and hostnames needed for Kubernetes API server certificate`
			`set_fact:`
			`tmpK8sHosts: \|`
			`{% set comma = joiner(",") %}`
			`{% for item in groups["k8s_master"] -%}`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`{{ comma() }}{{ hostvars[item].private_ip }}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{ hostvars[item]["public_ip"] }}{{ comma() }}{{ hostvars[item].ansible_hostname }}`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`{%- endfor %}`
			`{% for item in groups["k8s_worker"] -%}`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`{{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{ hostvars[item]["public_ip"] }}{{ comma() }}{{ hostvars[item].ansible_hostname }}`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`{%- endfor %}`
			`{% for item in k8s_apiserver_cert_hosts -%}`
			`{{ comma() }}{{item}}`
			`{%- endfor %}`
			`tags:`
			`- kubernetes-ca`

			`- name: Remove newline from controller hosts list`
			`set_fact:`
			`k8sHosts: "{{tmpK8sHosts \|replace('\n', '')}}"`
			`tags:`
			`- kubernetes-ca`

			`- name: Output of hostnames/IPs used for Kubernetes API server certificate`
			`debug: var=k8sHosts`
			`tags:`
			`- kubernetes-ca`
			`- name: Generate list of IP addresses and hostnames needed for etcd certificate`
			`set_fact:`
			`tmpEtcdHosts: \|`
			`{% set comma = joiner(",") %}`
			`{% for item in groups["k8s_etcd"] -%}`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`{{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{hostvars[item]["public_ip"]}}{{ comma() }}{{ hostvars[item].ansible_hostname }}`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`{%- endfor %}`
			`{% for item in etcd_cert_hosts -%}`
			`{{ comma() }}{{item}}`
			`{%- endfor %}`
			`tags:`
			`- kubernetes-ca`
			`- kubernetes-ca-etcd`

			`- name: Remove newline from etcd hosts list`
			`set_fact:`
			`etcdHosts: "{{tmpEtcdHosts \|replace('\n', '')}}"`
			`tags:`
			`- kubernetes-ca`
			`- kubernetes-ca-etcd`

			`- name: Output of hostnames/IPs used for etcd certificate`
			`debug: var=etcdHosts`
			`tags:`
			`- kubernetes-ca`
			`- kubernetes-ca-etcd`

			`- name: Create directory for CA and certificate files`
			`file:`
			`path: "{{k8s_ca_conf_directory}}"`
			`owner: "{{k8s_ca_certificate_owner}}"`
			`group: "{{k8s_ca_certificate_group}}"`
			`mode: 0755`
			`state: directory`
			`tags:`
			`- kubernetes-ca`

kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`- name: Create CA configuration file`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`template:`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`src: "ca-config.json.j2"`
			`dest: "{{k8s_ca_conf_directory}}/ca-config.json"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`owner: "{{k8s_ca_certificate_owner}}"`
			`group: "{{k8s_ca_certificate_group}}"`
			`mode: 0600`
			`tags:`
			`- kubernetes-ca`

kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`- name: Create the CSR files`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`template:`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`src: "csr.json.j2"`
			`dest: "{{k8s_ca_conf_directory}}/{{ item.name }}-csr.json"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`owner: "{{k8s_ca_certificate_owner}}"`
			`group: "{{k8s_ca_certificate_group}}"`
			`mode: 0600`
			`tags:`
			`- kubernetes-ca`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`loop: "{{ k8s_csr.master\|flatten(levels=1)}}"`
Improve kubernetes-ca role readability 2018-08-02 21:03:31 +02:00			`loop_control:`
			`label: "{{ item.name }}"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`- name: Generate CA and private key`
			`shell: cfssl gencert -initca ca-csr.json \| cfssljson -bare ca`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`args:`
			`chdir: "{{k8s_ca_conf_directory}}"`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`creates: "{{k8s_ca_conf_directory}}/ca-key.pem"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`tags:`
			`- kubernetes-ca`

kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`- name: Create the worker CSR files`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`template:`
			`src: "cert-worker-csr.json.j2"`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`dest: "{{k8s_ca_conf_directory}}/{{item}}-csr.json"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`owner: "{{k8s_ca_certificate_owner}}"`
			`group: "{{k8s_ca_certificate_group}}"`
			`mode: 0600`
			`with_inventory_hostnames:`
			`- k8s_worker`
			`vars:`
			`- workerHost: "{{item}}"`
			`tags:`
			`- kubernetes-ca`

Improve kubernetes-ca role readability 2018-08-02 21:03:31 +02:00			`- name: Generate TLS certificates whith hostname`
			`shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{item.hostnames}} -profile=kubernetes {{item.name}}-csr.json \| cfssljson -bare {{item.name}}"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`args:`
			`chdir: "{{k8s_ca_conf_directory}}"`
Improve kubernetes-ca role readability 2018-08-02 21:03:31 +02:00			`creates: "{{k8s_ca_conf_directory}}/{{item.name}}-key.pem"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`tags:`
			`- kubernetes-ca`
Improve kubernetes-ca role readability 2018-08-02 21:03:31 +02:00			`loop: "{{ k8s_csr.master\|flatten(levels=1)}}"`
			`loop_control:`
			`label: "{{ item.name }}"`
			`when: item.hostnames is defined`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00
Improve kubernetes-ca role readability 2018-08-02 21:03:31 +02:00			`- name: Generate TLS certificates whithout hostname`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes {{item.name}}-csr.json \| cfssljson -bare {{item.name}}"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`args:`
			`chdir: "{{k8s_ca_conf_directory}}"`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`creates: "{{k8s_ca_conf_directory}}/{{item.name}}-key.pem"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`tags:`
			`- kubernetes-ca`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`loop: "{{ k8s_csr.master\|flatten(levels=1)}}"`
Improve kubernetes-ca role readability 2018-08-02 21:03:31 +02:00			`loop_control:`
			`label: "{{ item.name }}"`
			`when: item.hostnames is not defined`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00
			`- name: Generate TLS certificates for Kubernetes worker hosts`
kubernetes-ca role refactoring 2018-08-02 19:40:43 +02:00			`shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{hostvars[item]['ansible_hostname']}},{{hostvars[item]['ansible_default_ipv4']['address']}},{{hostvars[item]['ansible_'+hostvars[item]['peervpn_conf_interface']].ipv4.address}} -profile=kubernetes {{item}}-csr.json \| cfssljson -bare {{item}}"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`args:`
			`chdir: "{{k8s_ca_conf_directory}}"`
Improve kubernetes-ca role readability 2018-08-02 21:03:31 +02:00			`creates: "{{k8s_ca_conf_directory}}/{{item}}-key.pem"`
Custom kubernetes-ca role 2018-07-31 17:33:26 +02:00			`with_inventory_hostnames:`
			`- k8s_worker`
			`tags:`
			`- kubernetes-ca`
Fix certificates names and permissions for etcd role 2018-08-02 23:18:47 +02:00			`- name: Allow ansible_user to read private keys`
			`file:`
			`path: "{{k8s_ca_conf_directory}}"`
			`state: directory`
			`owner: "{{ ansible_user }}"`
			`recurse: yes`