kubernetes-ca role refactoring

roles/kubernetes-ca/defaults/main.yml

@@ -8,110 +8,93 @@ k8s_ca_conf_directory: "{{ '~/k8s/certs' | expanduser }}"
 k8s_ca_certificate_owner: "root"
 k8s_ca_certificate_group: "root"
 
-# Expiry for etcd root certificate
-ca_etcd_expiry: "87600h"
-
-# Certificate authority for etcd certificates
-ca_etcd_csr_cn: "Etcd"
-ca_etcd_csr_key_algo: "rsa"
-ca_etcd_csr_key_size: "2048"
-ca_etcd_csr_names_c: "DE"
-ca_etcd_csr_names_l: "The_Internet"
-ca_etcd_csr_names_o: "Kubernetes"
-ca_etcd_csr_names_ou: "BY"
-ca_etcd_csr_names_st: "Bayern"
 
 # Expiry for Kubernetes API server root certificates
-ca_k8s_apiserver_expiry: "87600h"
+ca_expiry: "87600h"
 
-# Certificate authority for Kubernetes API server
+k8s_csr:
-ca_k8s_apiserver_csr_cn: "Kubernetes"
+  master:
-ca_k8s_apiserver_csr_key_algo: "rsa"
+    - name: "ca"
-ca_k8s_apiserver_csr_key_size: "2048"
+      cn: "Kubernetes"
-ca_k8s_apiserver_csr_names_c: "DE"
+      key_algo: "rsa"
-ca_k8s_apiserver_csr_names_l: "The_Internet"
+      key_size: "2048"
-ca_k8s_apiserver_csr_names_o: "Kubernetes"
+      names_c: "BE"
-ca_k8s_apiserver_csr_names_ou: "BY"
+      names_l: "The_Internet"
-ca_k8s_apiserver_csr_names_st: "Bayern"
+      names_o: "Kubernetes"
-
+      names_ou: "CA"
-# CSR parameter for etcd certificate
+      names_st: "Luxembourg"
-etcd_csr_cn: "Etcd"
+    - name: "etcd"
-etcd_csr_key_algo: "rsa"
+      cn: "Etcd"
-etcd_csr_key_size: "2048"
+      key_algo: "rsa"
-etcd_csr_names_c: "DE"
+      key_size: "2048"
-etcd_csr_names_l: "The_Internet"
+      names_c: "BE"
-etcd_csr_names_o: "Kubernetes"
+      names_l: "The_Internet"
-etcd_csr_names_ou: "BY"
+      names_o: "Kubernetes"
-etcd_csr_names_st: "Bayern"
+      names_ou: "{{ k8s_config_cluster_name }}"
-
+      names_st: "Luxembourg"
-# CSR parameter for Kubernetes API server certificate
+    - name: "apiserver"    
-k8s_apiserver_csr_cn: "Kubernetes"
+      cn: "Kubernetes"
-k8s_apiserver_csr_key_algo: "rsa"
+      key_algo: "rsa"
-k8s_apiserver_csr_key_size: "2048"
+      key_size: "2048"
-k8s_apiserver_csr_names_c: "DE"
+      names_c: "BE"
-k8s_apiserver_csr_names_l: "The_Internet"
+      names_l: "The_Internet"
-k8s_apiserver_csr_names_o: "Kubernetes"
+      names_o: "Kubernetes"
-k8s_apiserver_csr_names_ou: "BY"
+      names_ou: "{{ k8s_config_cluster_name }}"
-k8s_apiserver_csr_names_st: "Bayern"
+      names_st: "Luxembourg"
-
+    - name: "admin"
-# CSR parameter for the admin user
+      cn: "admin"
-k8s_admin_csr_cn: "admin"
+      key_algo: "rsa"
-k8s_admin_csr_key_algo: "rsa"
+      key_size: "2048"
-k8s_admin_csr_key_size: "2048"
+      names_c: "BE"
-k8s_admin_csr_names_c: "DE"
+      names_l: "The_Internet"
-k8s_admin_csr_names_l: "The_Internet"
+      names_o: "system:masters" # DO NOT CHANGE!
-k8s_admin_csr_names_o: "system:masters" # DO NOT CHANGE!
+      names_ou: "{{ k8s_config_cluster_name }}"
-k8s_admin_csr_names_ou: "BY"
+      names_st: "Luxembourg"
-k8s_admin_csr_names_st: "Bayern"
+    - name: "kube-proxy"
-
+      cn: "system:kube-proxy" # DO NOT CHANGE!
-# CSR parameter for kubelet client certificates
+      key_algo: "rsa"
-k8s_worker_csr_key_algo: "rsa"
+      key_size: "2048"
-k8s_worker_csr_key_size: "2048"
+      names_c: "BE"
-k8s_worker_csr_names_c: "DE"
+      names_l: "The_Internet"
-k8s_worker_csr_names_l: "The_Internet"
+      names_o: "system:node-proxier" # DO NOT CHANGE!
-k8s_worker_csr_names_o: "system:nodes" # DO NOT CHANGE!
+      names_ou: "{{ k8s_config_cluster_name }}"
-k8s_worker_csr_names_ou: "BY"
+      names_st: "Luxembourg"
-k8s_worker_csr_names_st: "Bayern"
+    - name: "kube-controller-manager"
-
+      cn: "system:kube-controller-manager" # DO NOT CHANGE!
-# CSR parameter for the kube-proxy client certificate
+      key_algo: "rsa"
-k8s_kube_proxy_csr_cn: "system:kube-proxy" # DO NOT CHANGE!
+      key_size: "2048"
-k8s_kube_proxy_csr_key_algo: "rsa"
+      names_c: "BE"
-k8s_kube_proxy_csr_key_size: "2048"
+      names_l: "The_Internet"
-k8s_kube_proxy_csr_names_c: "DE"
+      names_o: "system:kube-controller-manager" # DO NOT CHANGE!
-k8s_kube_proxy_csr_names_l: "The_Internet"
+      names_ou: "{{ k8s_config_cluster_name }}"
-k8s_kube_proxy_csr_names_o: "system:node-proxier" # DO NOT CHANGE!
+      names_st: "Luxembourg"
-k8s_kube_proxy_csr_names_ou: "BY"
+    - name: "kube-scheduler"
-k8s_kube_proxy_csr_names_st: "Bayern"
+      cn: "system:kube-scheduler" # DO NOT CHANGE!
-
+      key_algo: "rsa"
-# CSR parameter for the kube-controller-manager client certificate
+      key_size: "2048"
-k8s_controller_manager_csr_cn: "system:kube-controller-manager" # DO NOT CHANGE!
+      names_c: "BE"
-k8s_controller_manager_csr_key_algo: "rsa"
+      names_l: "The_Internet"
-k8s_controller_manager_csr_key_size: "2048"
+      names_o: "system:kube-scheduler" # DO NOT CHANGE!
-k8s_controller_manager_csr_names_c: "DE"
+      names_ou: "{{ k8s_config_cluster_name }}"
-k8s_controller_manager_csr_names_l: "The_Internet"
+      names_st: "Luxembourg"
-k8s_controller_manager_csr_names_o: "system:kube-controller-manager" # DO NOT CHANGE!
+    - name: "service-account"
-k8s_controller_manager_csr_names_ou: "BY"
+      cn: "service-accounts"
-k8s_controller_manager_csr_names_st: "Bayern"
+      key_algo: "rsa"
-
+      key_size: "2048"
-# CSR parameter for the kube-scheduler client certificate
+      names_c: "BE"
-k8s_scheduler_csr_cn: "system:kube-scheduler" # DO NOT CHANGE!
+      names_l: "The_Internet"
-k8s_scheduler_csr_key_algo: "rsa"
+      names_o: "Kubernetes"
-k8s_scheduler_csr_key_size: "2048"
+      names_ou: "{{ k8s_config_cluster_name }}"
-k8s_scheduler_csr_names_c: "DE"
+      names_st: "Luxembourg"
-k8s_scheduler_csr_names_l: "The_Internet"
+  worker:
-k8s_scheduler_csr_names_o: "system:kube-scheduler" # DO NOT CHANGE!
+    name: "worker"
-k8s_scheduler_csr_names_ou: "BY"
+    key_algo: "rsa"
-k8s_scheduler_csr_names_st: "Bayern"
+    key_size: "2048"
-
+    names_c: "BE"
-# CSR parameter for kube-controller-manager service account key pair. Used to generate and sign service account tokens.
+    names_l: "The_Internet"
-k8s_controller_manager_sa_csr_cn: "service-accounts"
+    names_o: "system:nodes" # DO NOT CHANGE!
-k8s_controller_manager_sa_csr_key_algo: "rsa"
+    names_ou: "{{ k8s_config_cluster_name }}"
-k8s_controller_manager_sa_csr_key_size: "2048"
+    names_st: "Luxembourg"
-k8s_controller_manager_sa_csr_names_c: "DE"
-k8s_controller_manager_sa_csr_names_l: "The_Internet"
-k8s_controller_manager_sa_csr_names_o: "Kubernetes"
-k8s_controller_manager_sa_csr_names_ou: "BY"
-k8s_controller_manager_sa_csr_names_st: "Bayern"
 
 etcd_cert_hosts:
   - 127.0.0.1

roles/kubernetes-ca/tasks/main.yml

@@ -1,13 +1,16 @@
 ---
+#- name: Display hostvars
+#  debug: var=hostvars
+
 - name: Generate list of IP addresses and hostnames needed for Kubernetes API server certificate
   set_fact:
     tmpK8sHosts: |
       {% set comma = joiner(",") %}
       {% for item in groups["k8s_master"] -%}
-        {{ comma() }}{{ hostvars[item].private_ip }}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{item}}{{ comma() }}{{hostvars[item]["public_ip"]}}
+        {{ comma() }}{{ hostvars[item].private_ip }}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{ hostvars[item]["public_ip"] }}{{ comma() }}{{ hostvars[item].ansible_hostname }}
       {%- endfor %}
       {% for item in groups["k8s_worker"] -%}
-        {{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{item}}{{ comma() }}{{hostvars[item]["public_ip"]}}
+        {{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{ hostvars[item]["public_ip"] }}{{ comma() }}{{ hostvars[item].ansible_hostname }}
       {%- endfor %}
       {% for item in k8s_apiserver_cert_hosts -%}
         {{ comma() }}{{item}}
@@ -25,13 +28,12 @@
   debug: var=k8sHosts
   tags:
     - kubernetes-ca
-
 - name: Generate list of IP addresses and hostnames needed for etcd certificate
   set_fact:
     tmpEtcdHosts: |
       {% set comma = joiner(",") %}
       {% for item in groups["k8s_etcd"] -%}
-        {{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{item}}{{ comma() }}{{hostvars[item]["public_ip"]}}
+        {{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{hostvars[item]["public_ip"]}}{{ comma() }}{{ hostvars[item].ansible_hostname }}
       {%- endfor %}
       {% for item in etcd_cert_hosts -%}
         {{ comma() }}{{item}}
@@ -63,110 +65,39 @@
   tags:
     - kubernetes-ca
 
-- name: Create etcd CA configuration file
+- name: Create CA configuration file
   template:
-    src: "ca-etcd-config.json.j2"
+    src: "ca-config.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/ca-etcd-config.json"
+    dest: "{{k8s_ca_conf_directory}}/ca-config.json"
-    owner: "{{k8s_ca_certificate_owner}}"
-    group: "{{k8s_ca_certificate_group}}"
-    mode: 0600
-  tags:
-    - kubernetes-ca
-    - kubernetes-ca-etcd
-
-- name: Create Kubernetes API server CA configuration file
-  template:
-    src: "ca-k8s-apiserver-config.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/ca-k8s-apiserver-config.json"
     owner: "{{k8s_ca_certificate_owner}}"
     group: "{{k8s_ca_certificate_group}}"
     mode: 0600
   tags:
     - kubernetes-ca
 
-- name: Copy the etcd CA certificate request file (CSR)
+- name: Create the CSR files
   template:
-    src: "ca-etcd-csr.json.j2"
+    src: "csr.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/ca-etcd-csr.json"
+    dest: "{{k8s_ca_conf_directory}}/{{ item.name }}-csr.json"
     owner: "{{k8s_ca_certificate_owner}}"
     group: "{{k8s_ca_certificate_group}}"
     mode: 0600
   tags:
     - kubernetes-ca
-    - kubernetes-ca-etcd
+  loop: "{{ k8s_csr.master|flatten(levels=1)}}"
 
-- name: Copy the Kubernetes API server CA certificate request file (CSR)
+- name: Generate CA and private key
-  template:
+  shell: cfssl gencert -initca ca-csr.json | cfssljson -bare ca
-    src: "ca-k8s-apiserver-csr.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/ca-k8s-apiserver-csr.json"
-    owner: "{{k8s_ca_certificate_owner}}"
-    group: "{{k8s_ca_certificate_group}}"
-    mode: 0600
-  tags:
-    - kubernetes-ca 
-
-- name: Generate the etcd CA and private key
-  shell: cfssl gencert -initca ca-etcd-csr.json | cfssljson -bare ca-etcd
   args:
     chdir: "{{k8s_ca_conf_directory}}"
-    creates: "{{k8s_ca_conf_directory}}/ca-etcd-key.pem"
+    creates: "{{k8s_ca_conf_directory}}/ca-key.pem"
-  tags:
-    - kubernetes-ca
-    - kubernetes-ca-etcd
-
-- name: Generate the Kubernetes API server CA and private key
-  shell: cfssl gencert -initca ca-k8s-apiserver-csr.json | cfssljson -bare ca-k8s-apiserver
-  args:
-    chdir: "{{k8s_ca_conf_directory}}"
-    creates: "{{k8s_ca_conf_directory}}/ca-k8s-apiserver-key.pem"
   tags:
     - kubernetes-ca
 
-- name: Create the etcd key CSR file
+- name: Create the worker CSR files
-  template:
-    src: "cert-etcd-csr.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/cert-etcd-csr.json"
-    owner: "{{k8s_ca_certificate_owner}}"
-    group: "{{k8s_ca_certificate_group}}"
-    mode: 0600
-  tags:
-    - kubernetes-ca
-    - kubernetes-ca-etcd
-
-- name: Create the Kubernetes API server key CSR file
-  template:
-    src: "cert-k8s-apiserver-csr.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/cert-k8s-apiserver-csr.json"
-    owner: "{{k8s_ca_certificate_owner}}"
-    group: "{{k8s_ca_certificate_group}}"
-    mode: 0600
-  tags:
-    - kubernetes-ca
-
-- name: Create the admin user key CSR file
-  template:
-    src: "cert-admin-csr.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/cert-admin-csr.json"
-    owner: "{{k8s_ca_certificate_owner}}"
-    group: "{{k8s_ca_certificate_group}}"
-    mode: 0600
-  tags:
-    - kubernetes-ca
-
-- name: Create the kube-proxy key CSR file
-  template:
-    src: "cert-k8s-proxy-csr.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/cert-k8s-proxy-csr.json"
-    owner: "{{k8s_ca_certificate_owner}}"
-    group: "{{k8s_ca_certificate_group}}"
-    mode: 0600
-  tags:
-    - kubernetes-ca
-
-- name: Create the worker key CSR files
   template:
     src: "cert-worker-csr.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/cert-{{item}}-csr.json"
+    dest: "{{k8s_ca_conf_directory}}/{{item}}-csr.json"
     owner: "{{k8s_ca_certificate_owner}}"
     group: "{{k8s_ca_certificate_group}}"
     mode: 0600
@@ -177,63 +108,34 @@
   tags:
     - kubernetes-ca
 
-- name: Create the kube-controller-manager key CSR file
-  template:
-    src: "cert-k8s-controller-manager-csr.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-csr.json"
-    owner: "{{k8s_ca_certificate_owner}}"
-    group: "{{k8s_ca_certificate_group}}"
-    mode: 0600
-  tags:
-    - kubernetes-ca
-
-- name: Create the kube-controller-manager service-account key CSR file
-  template:
-    src: "cert-k8s-controller-manager-sa-csr.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-sa-csr.json"
-    owner: "{{k8s_ca_certificate_owner}}"
-    group: "{{k8s_ca_certificate_group}}"
-    mode: 0600
-  tags:
-    - kubernetes-ca
-
-- name: Create the kube-scheduler key CSR file
-  template:
-    src: "cert-k8s-scheduler-csr.json.j2"
-    dest: "{{k8s_ca_conf_directory}}/cert-k8s-scheduler-csr.json"
-    owner: "{{k8s_ca_certificate_owner}}"
-    group: "{{k8s_ca_certificate_group}}"
-    mode: 0600
-  tags:
-    - kubernetes-ca
-
 - name: Generate TLS certificate for etcd
-  shell: "cfssl gencert -ca=ca-etcd.pem -ca-key=ca-etcd-key.pem -config=ca-etcd-config.json -hostname={{etcdHosts}} -profile=etcd cert-etcd-csr.json | cfssljson -bare cert-etcd"
+  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{etcdHosts}} -profile=kubernetes etcd-csr.json | cfssljson -bare etcd"
   args:
     chdir: "{{k8s_ca_conf_directory}}"
-    creates: "{{k8s_ca_conf_directory}}/cert-etcd-key.pem"
+    creates: "{{k8s_ca_conf_directory}}/etcd-key.pem"
   tags:
     - kubernetes-ca
-    - kubernetes-ca-etcd
+
 
 - name: Generate TLS certificate for Kubernetes API server
-  shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -hostname={{k8sHosts}} -profile=kubernetes cert-k8s-apiserver-csr.json | cfssljson -bare cert-k8s-apiserver"
+  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{k8sHosts}} -profile=kubernetes apiserver-csr.json | cfssljson -bare apiserver"
   args:
     chdir: "{{k8s_ca_conf_directory}}"
-    creates: "{{k8s_ca_conf_directory}}/cert-k8s-apiserver-key.pem"
+    creates: "{{k8s_ca_conf_directory}}/apiserver-key.pem"
   tags:
     - kubernetes-ca
 
-- name: Generate TLS certificate for admin user
+- name: Generate TLS certificates
-  shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-admin-csr.json | cfssljson -bare cert-admin"
+  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes {{item.name}}-csr.json | cfssljson -bare {{item.name}}"
   args:
     chdir: "{{k8s_ca_conf_directory}}"
-    creates: "{{k8s_ca_conf_directory}}/cert-admin-key.pem"
+    creates: "{{k8s_ca_conf_directory}}/{{item.name}}-key.pem"
   tags:
     - kubernetes-ca
+  loop: "{{ k8s_csr.master|flatten(levels=1)}}"
 
 - name: Generate TLS certificates for Kubernetes worker hosts
-  shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -hostname={{hostvars[item]['ansible_hostname']}},{{hostvars[item]['ansible_default_ipv4']['address']}},{{hostvars[item]['ansible_'+hostvars[item]['peervpn_conf_interface']].ipv4.address}} -profile=kubernetes cert-{{item}}-csr.json | cfssljson -bare cert-{{item}}"
+  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{hostvars[item]['ansible_hostname']}},{{hostvars[item]['ansible_default_ipv4']['address']}},{{hostvars[item]['ansible_'+hostvars[item]['peervpn_conf_interface']].ipv4.address}} -profile=kubernetes {{item}}-csr.json | cfssljson -bare {{item}}"
   args:
     chdir: "{{k8s_ca_conf_directory}}"
     creates: "{{k8s_ca_conf_directory}}/cert-{{item}}-key.pem"
@@ -241,35 +143,3 @@
     - k8s_worker
   tags:
     - kubernetes-ca
-
-- name: Generate TLS certificate for kube-proxy
-  shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-proxy-csr.json | cfssljson -bare cert-k8s-proxy"
-  args:
-    chdir: "{{k8s_ca_conf_directory}}"
-    creates: "{{k8s_ca_conf_directory}}/cert-k8s-proxy-key.pem"
-  tags:
-    - kubernetes-ca
-
-- name: Generate TLS certificate for kube-controller-manager
-  shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-controller-manager-csr.json | cfssljson -bare cert-k8s-controller-manager"
-  args:
-    chdir: "{{k8s_ca_conf_directory}}"
-    creates: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-key.pem"
-  tags:
-    - kubernetes-ca
-
-- name: Generate TLS certificate for kube-controller-manager service account
-  shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-controller-manager-sa-csr.json | cfssljson -bare cert-k8s-controller-manager-sa"
-  args:
-    chdir: "{{k8s_ca_conf_directory}}"
-    creates: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-sa-key.pem"
-  tags:
-    - kubernetes-ca
-
-- name: Generate TLS certificate for kube-scheduler
-  shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-scheduler-csr.json | cfssljson -bare cert-k8s-scheduler"
-  args:
-    chdir: "{{k8s_ca_conf_directory}}"
-    creates: "{{k8s_ca_conf_directory}}/cert-k8s-scheduler-key.pem"
-  tags:
-    - kubernetes-ca

roles/kubernetes-ca/templates/ca-config.json.j2

@@ -1,7 +1,7 @@
 {
   "signing": {
     "default": {
-      "expiry": "{{ ca_k8s_apiserver_expiry }}"
+      "expiry": "{{ ca_expiry }}"
     },
     "profiles": {
       "kubernetes": {
@@ -11,7 +11,7 @@
             "server auth",
             "client auth"
           ],
-          "expiry": "{{ ca_k8s_apiserver_expiry }}"
+          "expiry": "{{ ca_expiry }}"
       }
     }
   }

roles/kubernetes-ca/templates/ca-etcd-config.json.j2

@@ -1,18 +0,0 @@
-{
-  "signing": {
-    "default": {
-      "expiry": "{{ ca_etcd_expiry }}"
-    },
-    "profiles": {
-      "etcd": {
-         "usages": [
-            "signing",
-            "key encipherment",
-            "server auth",
-            "client auth"
-          ],
-          "expiry": "{{ ca_etcd_expiry }}"
-      }
-    }
-  }
-}

roles/kubernetes-ca/templates/ca-etcd-csr.json.j2

@@ -1,16 +0,0 @@
-{
-  "CN": "{{ca_etcd_csr_cn}}",
-  "key": {
-    "algo": "{{ca_etcd_csr_key_algo}}",
-    "size": {{ca_etcd_csr_key_size}}
-  },
-  "names": [
-    {
-      "C": "{{ca_etcd_csr_names_c}}",
-      "L": "{{ca_etcd_csr_names_l}}",
-      "O": "{{ca_etcd_csr_names_o}}",
-      "OU": "{{ca_etcd_csr_names_ou}}",
-      "ST": "{{ca_etcd_csr_names_st}}"
-    }
-  ]
-}

roles/kubernetes-ca/templates/ca-k8s-apiserver-csr.json.j2

@@ -1,16 +0,0 @@
-{
-  "CN": "{{ca_k8s_apiserver_csr_cn}}",
-  "key": {
-    "algo": "{{ca_k8s_apiserver_csr_key_algo}}",
-    "size": {{ca_k8s_apiserver_csr_key_size}}
-  },
-  "names": [
-    {
-      "C": "{{ca_k8s_apiserver_csr_names_c}}",
-      "L": "{{ca_k8s_apiserver_csr_names_l}}",
-      "O": "{{ca_k8s_apiserver_csr_names_o}}",
-      "OU": "{{ca_k8s_apiserver_csr_names_ou}}",
-      "ST": "{{ca_k8s_apiserver_csr_names_st}}"
-    }
-  ]
-}

roles/kubernetes-ca/templates/cert-admin-csr.json.j2

@@ -1,16 +0,0 @@
-{
-  "CN": "{{k8s_admin_csr_cn}}",
-  "key": {
-    "algo": "{{k8s_admin_csr_key_algo}}",
-    "size": {{k8s_admin_csr_key_size}}
-  },
-  "names": [
-    {
-      "C": "{{k8s_admin_csr_names_c}}",
-      "L": "{{k8s_admin_csr_names_l}}",
-      "O": "{{k8s_admin_csr_names_o}}",
-      "OU": "{{k8s_admin_csr_names_ou}}",
-      "ST": "{{k8s_admin_csr_names_st}}"
-    }
-  ]
-}

roles/kubernetes-ca/templates/cert-etcd-csr.json.j2

@@ -1,16 +0,0 @@
-{
-  "CN": "{{etcd_csr_cn}}",
-  "key": {
-    "algo": "{{etcd_csr_key_algo}}",
-    "size": {{etcd_csr_key_size}}
-  },
-  "names": [
-    {
-      "C": "{{etcd_csr_names_c}}",
-      "L": "{{etcd_csr_names_l}}",
-      "O": "{{etcd_csr_names_o}}",
-      "OU": "{{etcd_csr_names_ou}}",
-      "ST": "{{etcd_csr_names_st}}"
-    }
-  ]
-}

roles/kubernetes-ca/templates/cert-k8s-apiserver-csr.json.j2

@@ -1,16 +0,0 @@
-{
-  "CN": "{{k8s_apiserver_csr_cn}}",
-  "key": {
-    "algo": "{{k8s_apiserver_csr_key_algo}}",
-    "size": {{k8s_apiserver_csr_key_size}}
-  },
-  "names": [
-    {
-      "C": "{{k8s_apiserver_csr_names_c}}",
-      "L": "{{k8s_apiserver_csr_names_l}}",
-      "O": "{{k8s_apiserver_csr_names_o}}",
-      "OU": "{{k8s_apiserver_csr_names_ou}}",
-      "ST": "{{k8s_apiserver_csr_names_st}}"
-    }
-  ]
-}

roles/kubernetes-ca/templates/cert-k8s-controller-manager-csr.json.j2

@@ -1,16 +0,0 @@
-{
-  "CN": "{{k8s_controller_manager_csr_cn}}",
-  "key": {
-    "algo": "{{k8s_controller_manager_csr_key_algo}}",
-    "size": {{k8s_controller_manager_csr_key_size}}
-  },
-  "names": [
-    {
-      "C": "{{k8s_controller_manager_csr_names_c}}",
-      "L": "{{k8s_controller_manager_csr_names_l}}",
-      "O": "{{k8s_controller_manager_csr_names_o}}",
-      "OU": "{{k8s_controller_manager_csr_names_ou}}",
-      "ST": "{{k8s_controller_manager_csr_names_st}}"
-    }
-  ]
-}

roles/kubernetes-ca/templates/cert-k8s-controller-manager-sa-csr.json.j2

@@ -1,16 +0,0 @@
-{
-  "CN": "{{k8s_controller_manager_sa_csr_cn}}",
-  "key": {
-    "algo": "{{k8s_controller_manager_sa_csr_key_algo}}",
-    "size": {{k8s_controller_manager_sa_csr_key_size}}
-  },
-  "names": [
-    {
-      "C": "{{k8s_controller_manager_sa_csr_names_c}}",
-      "L": "{{k8s_controller_manager_sa_csr_names_l}}",
-      "O": "{{k8s_controller_manager_sa_csr_names_o}}",
-      "OU": "{{k8s_controller_manager_sa_csr_names_ou}}",
-      "ST": "{{k8s_controller_manager_sa_csr_names_st}}"
-    }
-  ]
-}

roles/kubernetes-ca/templates/cert-k8s-proxy-csr.json.j2

@@ -1,16 +0,0 @@
-{
-  "CN": "{{k8s_kube_proxy_csr_cn}}",
-  "key": {
-    "algo": "{{k8s_kube_proxy_csr_key_algo}}",
-    "size": {{k8s_kube_proxy_csr_key_size}}
-  },
-  "names": [
-    {
-      "C": "{{k8s_kube_proxy_csr_names_c}}",
-      "L": "{{k8s_kube_proxy_csr_names_l}}",
-      "O": "{{k8s_kube_proxy_csr_names_o}}",
-      "OU": "{{k8s_kube_proxy_csr_names_ou}}",
-      "ST": "{{k8s_kube_proxy_csr_names_st}}"
-    }
-  ]
-}

roles/kubernetes-ca/templates/cert-k8s-scheduler-csr.json.j2

@@ -1,16 +0,0 @@
-{
-  "CN": "{{k8s_scheduler_csr_cn}}",
-  "key": {
-    "algo": "{{k8s_scheduler_csr_key_algo}}",
-    "size": {{k8s_scheduler_csr_key_size}}
-  },
-  "names": [
-    {
-      "C": "{{k8s_scheduler_csr_names_c}}",
-      "L": "{{k8s_scheduler_csr_names_l}}",
-      "O": "{{k8s_scheduler_csr_names_o}}",
-      "OU": "{{k8s_scheduler_csr_names_ou}}",
-      "ST": "{{k8s_scheduler_csr_names_st}}"
-    }
-  ]
-}

roles/kubernetes-ca/templates/cert-worker-csr.json.j2

@@ -1,16 +1,16 @@
 {
   "CN": "system:node:{{hostvars[workerHost]['ansible_hostname']}}",
   "key": {
-    "algo": "{{k8s_worker_csr_key_algo}}",
+    "algo": "{{k8s_csr.worker.key_algo}}",
-    "size": {{k8s_worker_csr_key_size}}
+    "size": {{k8s_csr.worker.key_size}}
   },
   "names": [
     {
-      "C": "{{k8s_worker_csr_names_c}}",
+      "C": "{{k8s_csr.worker.names_c}}",
-      "L": "{{k8s_worker_csr_names_l}}",
+      "L": "{{k8s_csr.worker.names_l}}",
-      "O": "{{k8s_worker_csr_names_o}}",
+      "O": "{{k8s_csr.worker.names_o}}",
-      "OU": "{{k8s_worker_csr_names_ou}}",
+      "OU": "{{k8s_csr.worker.names_ou}}",
-      "ST": "{{k8s_worker_csr_names_st}}"
+      "ST": "{{k8s_csr.worker.names_st}}"
     }
   ]
 }

roles/kubernetes-ca/templates/csr.json.j2

@@ -0,0 +1,16 @@
+{
+  "CN": "{{item.cn}}",
+  "key": {
+    "algo": "{{item.key_algo}}",
+    "size": {{item.key_size}}
+  },
+  "names": [
+    {
+      "C": "{{item.names_c}}",
+      "L": "{{item.names_l}}",
+      "O": "{{item.names_o}}",
+      "OU": "{{item.names_ou}}",
+      "ST": "{{item.names_st}}"
+    }
+  ]
+}