diff --git a/group_vars/all/vars b/group_vars/all/vars
index ba1ec07..5cdfece 100644
--- a/group_vars/all/vars
+++ b/group_vars/all/vars
@@ -9,7 +9,7 @@ k8s_release: "1.10.6"
 k8s_apiserver_secure_port: "6443"
 k8s_ca_conf_directory: "{{ '~/k8s/certs' | expanduser }}"
 k8s_config_directory: "{{ '~/k8s/configs' | expanduser }}"
-k8s_ca_certificate_owner: "root"
+k8s_ca_certificate_owner: "{{ harden_linux_deploy_user }}"
 k8s_ca_certificate_group: "root"
 k8s_config_cluster_name: banditlair.com
 k8s_encryption_config_directory: "{{k8s_config_directory}}"
diff --git a/inventories/staging/.hosts.swp b/inventories/staging/.hosts.swp
deleted file mode 100644
index 81a4161..0000000
Binary files a/inventories/staging/.hosts.swp and /dev/null differ
diff --git a/k8s.yml b/k8s.yml
index 194bfbf..81e2bd6 100644
--- a/k8s.yml
+++ b/k8s.yml
@@ -26,24 +26,30 @@
 tags: role-peervpn
 - hosts: k8s_ca
 become: yes
+ gather_facts: no
 roles:
 - role: cfssl
 tags: role-cfssl
 - role: kubernetes-ca
 tags: role-kubernetes-ca
 - hosts: k8s_etcd
+ become: yes
+ gather_facts: no
 roles:
 - role: etcd
 tags: role-etcd
 - hosts: k8s_master
+ gather_facts: no
 roles:
 - role: kubernetes-controller
 tags: role-kubernetes-controller
 - hosts: k8s_worker
+ gather_facts: no
 roles:
 - role: githubixx.kubernetes-worker
 tags: role-kubernetes-worker
 - hosts: k8s
+ gather_facts: no
 roles:
 - role: githubixx.flanneld
 tags: role-kubernetes-flanneld
diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index cc440ff..5374674 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
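Review bot: `k8s_ca_certificate_owner` now hands ownership of the CA material on the CA host to `harden_linux_deploy_user` instead of root, while `k8s_ca_certificate_group` stays `"root"`, and the kubernetes-ca tasks hunk in this same commit then recursively chowns the whole `k8s_ca_conf_directory` to `ansible_user` — two different variables now decide who owns the same files, and they diverge whenever the deploy user is not the account Ansible logs in as. Keep the decision in one place, for example `owner: "{{ k8s_ca_certificate_owner }}"` in the tasks file instead of a second variable. `harden_linux_deploy_user` appears to come from another role's variables; on a host where those are not loaded the template fails as undefined, so a short comment above this line naming where it is defined would help the next reader. Only this one line of the variables file changes; the rest of the hunk is context.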
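Review bot: `gather_facts: no` on the `k8s_etcd` play removes the facts the etcd role defaults depend on — `etcd_settings` in this same commit still reads `ansible_hostname` and `hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address` — so the play only works if an earlier play in the same run has already gathered facts for those hosts, and breaks when run on its own (e.g. with `--tags role-etcd` or `--limit k8s_etcd`). Either drop the added line for that play, or keep gathering but limit the cost with `gather_facts: yes` and `gather_subset: [network]`, which still provides the hostname and interface facts. The same concern may apply to the `k8s_master`, `k8s_worker` and `k8s` plays if their roles also template facts; their role code is not in this diff. The play list starts before this hunk (`tags: role-peervpn` belongs to a preceding play).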
@@ -26,14 +26,14 @@ etcd_data_dir: "/var/lib/etcd"
 
 etcd_settings:
 "name": "{{ansible_hostname}}"
- "cert-file": "{{etcd_conf_dir}}/cert-etcd.pem"
- "key-file": "{{etcd_conf_dir}}/cert-etcd-key.pem"
- "peer-cert-file": "{{etcd_conf_dir}}/cert-etcd.pem"
- "peer-key-file": "{{etcd_conf_dir}}/cert-etcd-key.pem"
- "peer-trusted-ca-file": "{{etcd_conf_dir}}/ca-etcd.pem"
+ "cert-file": "{{etcd_conf_dir}}/etcd.pem"
+ "key-file": "{{etcd_conf_dir}}/etcd-key.pem"
+ "peer-cert-file": "{{etcd_conf_dir}}/etcd.pem"
+ "peer-key-file": "{{etcd_conf_dir}}/etcd-key.pem"
+ "peer-trusted-ca-file": "{{etcd_conf_dir}}/ca.pem"
 "peer-client-cert-auth": "true" # # Enable peer client cert authentication
 "client-cert-auth": "true" # Enable client cert authentication
- "trusted-ca-file": "{{etcd_conf_dir}}/ca-etcd.pem"
+ "trusted-ca-file": "{{etcd_conf_dir}}/ca.pem"
 "advertise-client-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_client_port}}"
 "initial-advertise-peer-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_peer_port}}"
 "listen-peer-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_peer_port}}"
@@ -55,7 +55,6 @@ etcd_settings:
 
 # Certificate authority and certificate files for etcd
 etcd_certificates:
- - ca-etcd.pem # client server TLS trusted CA key file/peer server TLS trusted CA file
- - ca-etcd-key.pem # CA key file
- - cert-etcd.pem # peer server TLS cert file
- - cert-etcd-key.pem # peer server TLS key file
+ - ca.pem # client server TLS trusted CA key file/peer server TLS trusted CA file
+ - etcd.pem # peer server TLS cert file
+ - etcd-key.pem # peer server TLS key file
diff --git a/roles/kubernetes-ca/tasks/main.yml b/roles/kubernetes-ca/tasks/main.yml
index 532387c..a220440 100644
--- a/roles/kubernetes-ca/tasks/main.yml
+++ b/roles/kubernetes-ca/tasks/main.yml
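Review bot: `trusted-ca-file` and `peer-trusted-ca-file` now point at a generic `ca.pem` instead of the etcd-specific `ca-etcd.pem`, while `client-cert-auth` and `peer-client-cert-auth` stay `"true"`; if `ca.pem` is the same CA that issues the Kubernetes controller, node and user certificates, then every holder of any certificate from that CA can now authenticate to etcd's client and peer ports, where previously only certificates from the dedicated etcd CA were accepted. If consolidating onto one CA is intentional, say so in a comment above `"trusted-ca-file"` (e.g. `# etcd trusts the cluster CA: any cluster-issued client cert can reach etcd`) so the widened trust boundary is visible to the next reader; otherwise keep a separate CA for etcd. The `etcd_settings` mapping continues past the end of this hunk.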
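Review bot: The comment carried onto the new `ca.pem` entry still calls it a "trusted CA key file", but `ca.pem` is the CA certificate — the CA key (`ca-etcd-key.pem`) is exactly what this hunk rightly stops distributing to etcd nodes, so the wording now contradicts the change. The `etcd.pem` and `etcd-key.pem` comments also say "peer" only, although the settings hunk above uses them for both `cert-file`/`key-file` and `peer-cert-file`/`peer-key-file`. Suggested comments: `- ca.pem # CA certificate: trust anchor for client and peer TLS (trusted-ca-file, peer-trusted-ca-file)`, `- etcd.pem # server and peer TLS certificate (cert-file, peer-cert-file)`, `- etcd-key.pem # private key for etcd.pem (key-file, peer-key-file)`.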
@@ -140,3 +140,9 @@
 - k8s_worker
 tags:
 - kubernetes-ca
+- name: Allow ansible_user to read private keys
+ file:
+ path: "{{k8s_ca_conf_directory}}"
+ state: directory
+ owner: "{{ ansible_user }}"
+ recurse: yes
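Review bot: The new task recursively chowns the entire `k8s_ca_conf_directory` — including the CA private key, as its own name says — to `ansible_user`, the account Ansible logs in with, and sets no `mode`, so it changes ownership without tightening whatever permissions the key files currently have. If that account needs some of the CA material, limit the task to those specific files (or distribute only the certificates and keep the CA key root-owned) and set `mode: "0600"` on the key files rather than handing over the whole tree. `ansible_user` is also only defined when the login user is configured as an inventory variable; with `remote_user` in `ansible.cfg` or SSH config the template is undefined, and because this play now runs with `gather_facts: no`, `ansible_user_id` is not available as a fallback. The task list begins outside the hunk, so whether any earlier task already set ownership or mode on these files cannot be seen here.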