Fix certificates names and permissions for etcd role

This commit is contained in:
Paul-Henri Froidmont 2018-08-02 23:18:47 +02:00
parent 436d31433f
commit 05ef08c57d
5 changed files with 22 additions and 11 deletions


@ -9,7 +9,7 @@ k8s_release: "1.10.6"
k8s_apiserver_secure_port: "6443" k8s_apiserver_secure_port: "6443"
k8s_ca_conf_directory: "{{ '~/k8s/certs' | expanduser }}" k8s_ca_conf_directory: "{{ '~/k8s/certs' | expanduser }}"
k8s_config_directory: "{{ '~/k8s/configs' | expanduser }}" k8s_config_directory: "{{ '~/k8s/configs' | expanduser }}"
k8s_ca_certificate_owner: "root" k8s_ca_certificate_owner: "{{ harden_linux_deploy_user }}"
k8s_ca_certificate_group: "root" k8s_ca_certificate_group: "root"
k8s_config_cluster_name: banditlair.com k8s_config_cluster_name: banditlair.com
k8s_encryption_config_directory: "{{k8s_config_directory}}" k8s_encryption_config_directory: "{{k8s_config_directory}}"
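Review bot: The CA material owner now comes from `harden_linux_deploy_user`, while the task added at the end of this commit chowns the same `k8s_ca_conf_directory` tree to `ansible_user`; if those two variables resolve to different accounts, whichever task runs last wins and ownership of the CA private key silently depends on role order. Using one variable in both places, e.g. `owner: "{{ k8s_ca_certificate_owner }}"` in the new task, keeps the intended owner explicit. `harden_linux_deploy_user` presumably comes from a separate hardening role's vars; if they are not loaded for the `k8s_ca` hosts this play fails on an undefined variable. The group stays `root`, so whether the deploy user can actually read the key depends on file modes that this hunk does not show.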

Binary file not shown.


@ -26,24 +26,30 @@
tags: role-peervpn tags: role-peervpn
- hosts: k8s_ca - hosts: k8s_ca
become: yes become: yes
gather_facts: no
roles: roles:
- role: cfssl - role: cfssl
tags: role-cfssl tags: role-cfssl
- role: kubernetes-ca - role: kubernetes-ca
tags: role-kubernetes-ca tags: role-kubernetes-ca
- hosts: k8s_etcd - hosts: k8s_etcd
become: yes
gather_facts: no
roles: roles:
- role: etcd - role: etcd
tags: role-etcd tags: role-etcd
- hosts: k8s_master - hosts: k8s_master
gather_facts: no
roles: roles:
- role: kubernetes-controller - role: kubernetes-controller
tags: role-kubernetes-controller tags: role-kubernetes-controller
- hosts: k8s_worker - hosts: k8s_worker
gather_facts: no
roles: roles:
- role: githubixx.kubernetes-worker - role: githubixx.kubernetes-worker
tags: role-kubernetes-worker tags: role-kubernetes-worker
- hosts: k8s - hosts: k8s
gather_facts: no
roles: roles:
- role: githubixx.flanneld - role: githubixx.flanneld
tags: role-kubernetes-flanneld tags: role-kubernetes-flanneld
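Review bot: `gather_facts: no` is added to the `k8s_etcd` play, but the etcd role defaults changed in this same commit reference gathered facts: `ansible_hostname` for the member name and `hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address` for the advertise/listen URLs. Unless those hosts are covered by an earlier fact-gathering play or by fact caching (neither is visible here), these lookups resolve to undefined variables and the role fails when the settings are templated. Either drop `gather_facts: no` from the etcd play or add an explicit `setup` task before `- role: etcd`. The same concern may apply to the controller and worker plays, whose role defaults are not on this page.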


@ -26,14 +26,14 @@ etcd_data_dir: "/var/lib/etcd"
etcd_settings: etcd_settings:
"name": "{{ansible_hostname}}" "name": "{{ansible_hostname}}"
"cert-file": "{{etcd_conf_dir}}/cert-etcd.pem" "cert-file": "{{etcd_conf_dir}}/etcd.pem"
"key-file": "{{etcd_conf_dir}}/cert-etcd-key.pem" "key-file": "{{etcd_conf_dir}}/etcd-key.pem"
"peer-cert-file": "{{etcd_conf_dir}}/cert-etcd.pem" "peer-cert-file": "{{etcd_conf_dir}}/etcd.pem"
"peer-key-file": "{{etcd_conf_dir}}/cert-etcd-key.pem" "peer-key-file": "{{etcd_conf_dir}}/etcd-key.pem"
"peer-trusted-ca-file": "{{etcd_conf_dir}}/ca-etcd.pem" "peer-trusted-ca-file": "{{etcd_conf_dir}}/ca.pem"
"peer-client-cert-auth": "true" # # Enable peer client cert authentication "peer-client-cert-auth": "true" # # Enable peer client cert authentication
"client-cert-auth": "true" # Enable client cert authentication "client-cert-auth": "true" # Enable client cert authentication
"trusted-ca-file": "{{etcd_conf_dir}}/ca-etcd.pem" "trusted-ca-file": "{{etcd_conf_dir}}/ca.pem"
"advertise-client-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_client_port}}" "advertise-client-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_client_port}}"
"initial-advertise-peer-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_peer_port}}" "initial-advertise-peer-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_peer_port}}"
"listen-peer-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_peer_port}}" "listen-peer-urls": "{{'https://' + hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address + ':' + etcd_peer_port}}"
@ -55,7 +55,6 @@ etcd_settings:
# Certificate authority and certificate files for etcd # Certificate authority and certificate files for etcd
etcd_certificates: etcd_certificates:
- ca-etcd.pem # client server TLS trusted CA key file/peer server TLS trusted CA file - ca.pem # client server TLS trusted CA key file/peer server TLS trusted CA file
- ca-etcd-key.pem # CA key file - etcd.pem # peer server TLS cert file
- cert-etcd.pem # peer server TLS cert file - etcd-key.pem # peer server TLS key file
- cert-etcd-key.pem # peer server TLS key file
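Review bot: The inline comment on the renamed `ca.pem` entry still calls it a `trusted CA key file`, but the file is the CA certificate: the settings hunk above uses it only for `trusted-ca-file` and `peer-trusted-ca-file`, and the CA private key (`ca-etcd-key.pem`) is no longer in the list at all. Likewise `etcd.pem` and `etcd-key.pem` are commented as peer-only, yet the same hunk uses them for `cert-file`/`key-file` as well as the `peer-*` settings. Suggested comments: `- ca.pem # CA certificate (trusted-ca-file, peer-trusted-ca-file)`, `- etcd.pem # server and peer TLS certificate (cert-file, peer-cert-file)`, `- etcd-key.pem # server and peer TLS private key (key-file, peer-key-file)`. Dropping the CA key from the files copied to etcd hosts appears deliberate; a line in the header comment saying the CA key must stay on the CA host would keep it from being re-added.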


@ -140,3 +140,9 @@
- k8s_worker - k8s_worker
tags: tags:
- kubernetes-ca - kubernetes-ca
- name: Allow ansible_user to read private keys
file:
path: "{{k8s_ca_conf_directory}}"
state: directory
owner: "{{ ansible_user }}"
recurse: yes
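Review bot: The new `file` task recurses over the whole `{{k8s_ca_conf_directory}}` tree and changes the owner of everything in it, including the CA private key, to `{{ ansible_user }}` without setting `mode` or `group`, so the effective permissions are whatever the earlier CA tasks created the files with. `ansible_user` may be undefined when the connection user is supplied via `-u` or `remote_user` rather than as an inventory variable, and the first hunk uses a different variable (`harden_linux_deploy_user`) for the same owner. Suggest `owner: "{{ k8s_ca_certificate_owner }}"` so both files agree, plus a comment such as `# Ownership only; file modes are set by the certificate tasks above` to make the intent explicit. The task also carries no `tags:` entry, unlike the preceding task tagged `kubernetes-ca`, so a run limited to that tag would skip the ownership fix.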