phfroidmont/self-hosting
1
0
Fork 0
mirror of https://github.com/phfroidmont/self-hosting.git synced 2025-12-25 21:57:00 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Custom kubernetes-ca role

Browse source
This commit is contained in:
Paul-Henri Froidmont 2018-07-31 17:33:26 +02:00
parent 956038220b
commit bb3a990c9a
22 changed files with 855 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

275
roles/kubernetes-ca/tasks/main.yml Normal file
View file

@ -0,0 +1,275 @@
---
- name: Generate list of IP addresses and hostnames needed for Kubernetes API server certificate
set_fact:
tmpK8sHosts: |
{% set comma = joiner(",") %}
{% for item in groups["k8s_master"] -%}
{{ comma() }}{{ hostvars[item].private_ip }}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{item}}{{ comma() }}{{hostvars[item]["public_ip"]}}
{%- endfor %}
{% for item in groups["k8s_worker"] -%}
{{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{item}}{{ comma() }}{{hostvars[item]["public_ip"]}}
{%- endfor %}
{% for item in k8s_apiserver_cert_hosts -%}
{{ comma() }}{{item}}
{%- endfor %}
tags:
- kubernetes-ca
- name: Remove newline from controller hosts list
set_fact:
k8sHosts: "{{tmpK8sHosts |replace('\n', '')}}"
tags:
- kubernetes-ca
- name: Output of hostnames/IPs used for Kubernetes API server certificate
debug: var=k8sHosts
tags:
- kubernetes-ca
- name: Generate list of IP addresses and hostnames needed for etcd certificate
set_fact:
tmpEtcdHosts: |
{% set comma = joiner(",") %}
{% for item in groups["k8s_etcd"] -%}
{{ comma() }}{{ hostvars[item].private_ip}}{{ comma() }}{{ hostvars[item]["ansible_"+hostvars[item]["peervpn_conf_interface"]].ipv4.address }}{{ comma() }}{{item}}{{ comma() }}{{hostvars[item]["public_ip"]}}
{%- endfor %}
{% for item in etcd_cert_hosts -%}
{{ comma() }}{{item}}
{%- endfor %}
tags:
- kubernetes-ca
- kubernetes-ca-etcd
- name: Remove newline from etcd hosts list
set_fact:
etcdHosts: "{{tmpEtcdHosts |replace('\n', '')}}"
tags:
- kubernetes-ca
- kubernetes-ca-etcd
- name: Output of hostnames/IPs used for etcd certificate
debug: var=etcdHosts
tags:
- kubernetes-ca
- kubernetes-ca-etcd
- name: Create directory for CA and certificate files
file:
path: "{{k8s_ca_conf_directory}}"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0755
state: directory
tags:
- kubernetes-ca
- name: Create etcd CA configuration file
template:
src: "ca-etcd-config.json.j2"
dest: "{{k8s_ca_conf_directory}}/ca-etcd-config.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
tags:
- kubernetes-ca
- kubernetes-ca-etcd
- name: Create Kubernetes API server CA configuration file
template:
src: "ca-k8s-apiserver-config.json.j2"
dest: "{{k8s_ca_conf_directory}}/ca-k8s-apiserver-config.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
tags:
- kubernetes-ca
- name: Copy the etcd CA certificate request file (CSR)
template:
src: "ca-etcd-csr.json.j2"
dest: "{{k8s_ca_conf_directory}}/ca-etcd-csr.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
tags:
- kubernetes-ca
- kubernetes-ca-etcd
- name: Copy the Kubernetes API server CA certificate request file (CSR)
template:
src: "ca-k8s-apiserver-csr.json.j2"
dest: "{{k8s_ca_conf_directory}}/ca-k8s-apiserver-csr.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
tags:
- kubernetes-ca
- name: Generate the etcd CA and private key
shell: cfssl gencert -initca ca-etcd-csr.json | cfssljson -bare ca-etcd
args:
chdir: "{{k8s_ca_conf_directory}}"
creates: "{{k8s_ca_conf_directory}}/ca-etcd-key.pem"
tags:
- kubernetes-ca
- kubernetes-ca-etcd
- name: Generate the Kubernetes API server CA and private key
shell: cfssl gencert -initca ca-k8s-apiserver-csr.json | cfssljson -bare ca-k8s-apiserver
args:
chdir: "{{k8s_ca_conf_directory}}"
creates: "{{k8s_ca_conf_directory}}/ca-k8s-apiserver-key.pem"
tags:
- kubernetes-ca
- name: Create the etcd key CSR file
template:
src: "cert-etcd-csr.json.j2"
dest: "{{k8s_ca_conf_directory}}/cert-etcd-csr.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
tags:
- kubernetes-ca
- kubernetes-ca-etcd
- name: Create the Kubernetes API server key CSR file
template:
src: "cert-k8s-apiserver-csr.json.j2"
dest: "{{k8s_ca_conf_directory}}/cert-k8s-apiserver-csr.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
tags:
- kubernetes-ca
- name: Create the admin user key CSR file
template:
src: "cert-admin-csr.json.j2"
dest: "{{k8s_ca_conf_directory}}/cert-admin-csr.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
tags:
- kubernetes-ca
- name: Create the kube-proxy key CSR file
template:
src: "cert-k8s-proxy-csr.json.j2"
dest: "{{k8s_ca_conf_directory}}/cert-k8s-proxy-csr.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
tags:
- kubernetes-ca
- name: Create the worker key CSR files
template:
src: "cert-worker-csr.json.j2"
dest: "{{k8s_ca_conf_directory}}/cert-{{item}}-csr.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
with_inventory_hostnames:
- k8s_worker
vars:
- workerHost: "{{item}}"
tags:
- kubernetes-ca
- name: Create the kube-controller-manager key CSR file
template:
src: "cert-k8s-controller-manager-csr.json.j2"
dest: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-csr.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
tags:
- kubernetes-ca
- name: Create the kube-controller-manager service-account key CSR file
template:
src: "cert-k8s-controller-manager-sa-csr.json.j2"
dest: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-sa-csr.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
tags:
- kubernetes-ca
- name: Create the kube-scheduler key CSR file
template:
src: "cert-k8s-scheduler-csr.json.j2"
dest: "{{k8s_ca_conf_directory}}/cert-k8s-scheduler-csr.json"
owner: "{{k8s_ca_certificate_owner}}"
group: "{{k8s_ca_certificate_group}}"
mode: 0600
tags:
- kubernetes-ca
- name: Generate TLS certificate for etcd
shell: "cfssl gencert -ca=ca-etcd.pem -ca-key=ca-etcd-key.pem -config=ca-etcd-config.json -hostname={{etcdHosts}} -profile=etcd cert-etcd-csr.json | cfssljson -bare cert-etcd"
args:
chdir: "{{k8s_ca_conf_directory}}"
creates: "{{k8s_ca_conf_directory}}/cert-etcd-key.pem"
tags:
- kubernetes-ca
- kubernetes-ca-etcd
- name: Generate TLS certificate for Kubernetes API server
shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -hostname={{k8sHosts}} -profile=kubernetes cert-k8s-apiserver-csr.json | cfssljson -bare cert-k8s-apiserver"
args:
chdir: "{{k8s_ca_conf_directory}}"
creates: "{{k8s_ca_conf_directory}}/cert-k8s-apiserver-key.pem"
tags:
- kubernetes-ca
- name: Generate TLS certificate for admin user
shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-admin-csr.json | cfssljson -bare cert-admin"
args:
chdir: "{{k8s_ca_conf_directory}}"
creates: "{{k8s_ca_conf_directory}}/cert-admin-key.pem"
tags:
- kubernetes-ca
- name: Generate TLS certificates for Kubernetes worker hosts
shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -hostname={{hostvars[item]['ansible_hostname']}},{{hostvars[item]['ansible_default_ipv4']['address']}},{{hostvars[item]['ansible_'+hostvars[item]['peervpn_conf_interface']].ipv4.address}} -profile=kubernetes cert-{{item}}-csr.json | cfssljson -bare cert-{{item}}"
args:
chdir: "{{k8s_ca_conf_directory}}"
creates: "{{k8s_ca_conf_directory}}/cert-{{item}}-key.pem"
with_inventory_hostnames:
- k8s_worker
tags:
- kubernetes-ca
- name: Generate TLS certificate for kube-proxy
shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-proxy-csr.json | cfssljson -bare cert-k8s-proxy"
args:
chdir: "{{k8s_ca_conf_directory}}"
creates: "{{k8s_ca_conf_directory}}/cert-k8s-proxy-key.pem"
tags:
- kubernetes-ca
- name: Generate TLS certificate for kube-controller-manager
shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-controller-manager-csr.json | cfssljson -bare cert-k8s-controller-manager"
args:
chdir: "{{k8s_ca_conf_directory}}"
creates: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-key.pem"
tags:
- kubernetes-ca
- name: Generate TLS certificate for kube-controller-manager service account
shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-controller-manager-sa-csr.json | cfssljson -bare cert-k8s-controller-manager-sa"
args:
chdir: "{{k8s_ca_conf_directory}}"
creates: "{{k8s_ca_conf_directory}}/cert-k8s-controller-manager-sa-key.pem"
tags:
- kubernetes-ca
- name: Generate TLS certificate for kube-scheduler
shell: "cfssl gencert -ca=ca-k8s-apiserver.pem -ca-key=ca-k8s-apiserver-key.pem -config=ca-k8s-apiserver-config.json -profile=kubernetes cert-k8s-scheduler-csr.json | cfssljson -bare cert-k8s-scheduler"
args:
chdir: "{{k8s_ca_conf_directory}}"
creates: "{{k8s_ca_conf_directory}}/cert-k8s-scheduler-key.pem"
tags:
- kubernetes-ca