From 05ef08c57d8e225c8402f1ce8b87a905e73e2880 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont <git.contact-57n2p@froidmont.org>
Date: Thu, 2 Aug 2018 23:18:47 +0200
Subject: [PATCH] Fix certificates names and permissions for etcd role

---
 group_vars/all/vars                |   2 +-
 inventories/staging/.hosts.swp     | Bin 12288 -> 0 bytes
 k8s.yml                            |   6 ++++++
 roles/etcd/defaults/main.yml       |  19 +++++++++----------
 roles/kubernetes-ca/tasks/main.yml |   6 ++++++
 5 files changed, 22 insertions(+), 11 deletions(-)
 delete mode 100644 inventories/staging/.hosts.swp

diff --git a/group_vars/all/vars b/group_vars/all/vars
index ba1ec07..5cdfece 100644
--- a/group_vars/all/vars
+++ b/group_vars/all/vars
@@ -9,7 +9,7 @@ k8s_release: "1.10.6"
 k8s_apiserver_secure_port: "6443"
 k8s_ca_conf_directory: "{{ '~/k8s/certs' | expanduser }}"
 k8s_config_directory: "{{ '~/k8s/configs' | expanduser }}"
-k8s_ca_certificate_owner: "root"
+k8s_ca_certificate_owner: "{{ harden_linux_deploy_user }}"
 k8s_ca_certificate_group: "root"
 k8s_config_cluster_name: banditlair.com
 k8s_encryption_config_directory: "{{k8s_config_directory}}"
diff --git a/inventories/staging/.hosts.swp b/inventories/staging/.hosts.swp
deleted file mode 100644
index 81a4161c2a37772b7807ba8ad8951495e4166d8f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 12288
zcmYc?2=nw+u+TGLU|?VnU|`Uk6dzqB<;JkHih&`mC_ghLw;&NDg%78v=9T2<>!zd@
zXP4v`;8s}&Gf+REC_gJTxujUXI5j6tHzU8eBr`8vKQpfkWKvOPYO#KCNn$!k3?x^K
z+sILw(GVC70ir{Im%-S`5S-POl@t|(g+hteIjV3p1V%$(Gz3ONU^E0qLtr!nMnhmU
z1V%$(=!ZZ_0V6{_0|NsS)GM4&nh}kLa!0Ar5Eu=C(GVC7fzc2c4S~@R7!85Z5Eu=C
z(GVC7fzc2c4S^vT0*NUM3>y3l3>o~8`F~jd|201Y!wG%{hU5GU3_JN57^d+vFihoV
zVCdmzV9123PY3B4f_@%#@@NQ*hQMeDjE2By2#kinXb6mkz-S1JhQMeDjE2By2+%A9
za`KZCb3m)v6%zA`Gm~;s<CF9A@=}vaGV}9n!IBKo*%rm|$%(NH3}8MHinB|TQj<$^
Wh|~eKST{L8ucRnHCnvQimH_}Ec4_GV

diff --git a/k8s.yml b/k8s.yml
index 194bfbf..81e2bd6 100644
--- a/k8s.yml
+++ b/k8s.yml
@@ -26,24 +26,30 @@
       tags: role-peervpn
 - hosts: k8s_ca
   become: yes
+  gather_facts: no
   roles:
     - role: cfssl
       tags: role-cfssl
     - role: kubernetes-ca
       tags: role-kubernetes-ca
 - hosts: k8s_etcd
+  become: yes
+  gather_facts: no
   roles:
     - role: etcd
       tags: role-etcd
 - hosts: k8s_master
+  gather_facts: no
   roles:
     - role: kubernetes-controller
       tags: role-kubernetes-controller
 - hosts: k8s_worker
+  gather_facts: no
   roles:
     - role: githubixx.kubernetes-worker
       tags: role-kubernetes-worker
 - hosts: k8s
+  gather_facts: no
   roles:
     - role: githubixx.flanneld
       tags: role-kubernetes-flanneld
diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index cc440ff..5374674 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -26,14 +26,14 @@ etcd_data_dir: "/var/lib/etcd"
 
 etcd_settings:
   "name": "{{ansible_hostname}}"
-  "cert-file": "{{etcd_conf_dir}}/cert-etcd.pem"
-  "key-file": "{{etcd_conf_dir}}/cert-etcd-key.pem"
-  "peer-cert-file": "{{etcd_conf_dir}}/cert-etcd.pem"
-  "peer-key-file": "{{etcd_conf_dir}}/cert-etcd-key.pem"
-  "peer-trusted-ca-file": "{{etcd_conf_dir}}/ca-etcd.pem"
+  "cert-file": "{{etcd_conf_dir}}/etcd.pem"
+  "key-file": "{{etcd_conf_dir}}/etcd-key.pem"
+  "peer-cert-file": "{{etcd_conf_dir}}/etcd.pem"
+  "peer-key-file": "{{etcd_conf_dir}}/etcd-key.pem"
+  "peer-trusted-ca-file": "{{etcd_conf_dir}}/ca.pem"
   "peer-client-cert-auth": "true" # # Enable peer client cert authentication
   "client-cert-auth": "true" # Enable client cert authentication
-  "trusted-ca-file": "{{etcd_conf_dir}}/ca-etcd.pem"
+  "trusted-ca-file": "{{etcd_conf_dir}}/ca.pem"
   "advertise-client-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_client_port}}"
   "initial-advertise-peer-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_peer_port}}"
   "listen-peer-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_peer_port}}"
@@ -55,7 +55,6 @@ etcd_settings:
 
 # Certificate authority and certificate files for etcd
 etcd_certificates:
-  - ca-etcd.pem        # client server TLS trusted CA key file/peer server TLS trusted CA file
-  - ca-etcd-key.pem    # CA key file
-  - cert-etcd.pem      # peer server TLS cert file
-  - cert-etcd-key.pem  # peer server TLS key file
+  - ca.pem        # client server TLS trusted CA key file/peer server TLS trusted CA file
+  - etcd.pem      # peer server TLS cert file
+  - etcd-key.pem  # peer server TLS key file
diff --git a/roles/kubernetes-ca/tasks/main.yml b/roles/kubernetes-ca/tasks/main.yml
index 532387c..a220440 100644
--- a/roles/kubernetes-ca/tasks/main.yml
+++ b/roles/kubernetes-ca/tasks/main.yml
@@ -140,3 +140,9 @@
     - k8s_worker
   tags:
     - kubernetes-ca
+- name: Allow ansible_user to read private keys
+  file:
+    path: "{{k8s_ca_conf_directory}}"
+    state: directory
+    owner: "{{ ansible_user }}"
+    recurse: yes