Improve kubernetes-ca role readability

2025-12-25 13:46:59 +01:00 · 2018-08-02 21:03:31 +02:00 · 2018-08-02 21:03:31 +02:00 · c19e9410f8
commit c19e9410f8
parent a57445c364
2 changed files with 16 additions and 17 deletions
--- a/roles/kubernetes-ca/defaults/main.yml
+++ b/roles/kubernetes-ca/defaults/main.yml
@ -32,6 +32,7 @@ k8s_csr:
      names_o: "Kubernetes"
      names_ou: "{{ k8s_config_cluster_name }}"
      names_st: "Luxembourg"
      hostnames: "{{etcdHosts}}"
    - name: "apiserver"    
      cn: "Kubernetes"
      key_algo: "rsa"
@ -41,6 +42,7 @@ k8s_csr:
      names_o: "Kubernetes"
      names_ou: "{{ k8s_config_cluster_name }}"
      names_st: "Luxembourg"
      hostnames: "{{k8sHosts}}"
    - name: "admin"
      cn: "admin"
      key_algo: "rsa"
--- a/roles/kubernetes-ca/tasks/main.yml
+++ b/roles/kubernetes-ca/tasks/main.yml
@ -1,7 +1,4 @@
 ---
 #- name: Display hostvars
 #  debug: var=hostvars
 - name: Generate list of IP addresses and hostnames needed for Kubernetes API server certificate
  set_fact:
    tmpK8sHosts: |
@ -85,6 +82,8 @@
  tags:
    - kubernetes-ca
  loop: "{{ k8s_csr.master|flatten(levels=1)}}"
  loop_control:
    label: "{{ item.name }}"
 - name: Generate CA and private key
  shell: cfssl gencert -initca ca-csr.json | cfssljson -bare ca
@ -108,24 +107,19 @@
  tags:
    - kubernetes-ca
- name: Generate TLS certificate for etcd
+- name: Generate TLS certificates whith hostname
-  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{etcdHosts}} -profile=kubernetes etcd-csr.json | cfssljson -bare etcd"
+  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{item.hostnames}} -profile=kubernetes {{item.name}}-csr.json | cfssljson -bare {{item.name}}"
  args:
    chdir: "{{k8s_ca_conf_directory}}"
-    creates: "{{k8s_ca_conf_directory}}/etcd-key.pem"
+    creates: "{{k8s_ca_conf_directory}}/{{item.name}}-key.pem"
  tags:
    - kubernetes-ca
  loop: "{{ k8s_csr.master|flatten(levels=1)}}"
  loop_control:
    label: "{{ item.name }}"
  when: item.hostnames is defined
-
+- name: Generate TLS certificates whithout hostname
 - name: Generate TLS certificate for Kubernetes API server
  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{k8sHosts}} -profile=kubernetes apiserver-csr.json | cfssljson -bare apiserver"
  args:
    chdir: "{{k8s_ca_conf_directory}}"
    creates: "{{k8s_ca_conf_directory}}/apiserver-key.pem"
  tags:
    - kubernetes-ca
 - name: Generate TLS certificates
  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes {{item.name}}-csr.json | cfssljson -bare {{item.name}}"
  args:
    chdir: "{{k8s_ca_conf_directory}}"
@ -133,12 +127,15 @@
  tags:
    - kubernetes-ca
  loop: "{{ k8s_csr.master|flatten(levels=1)}}"
  loop_control:
    label: "{{ item.name }}"
  when: item.hostnames is not defined
 - name: Generate TLS certificates for Kubernetes worker hosts
  shell: "cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -hostname={{hostvars[item]['ansible_hostname']}},{{hostvars[item]['ansible_default_ipv4']['address']}},{{hostvars[item]['ansible_'+hostvars[item]['peervpn_conf_interface']].ipv4.address}} -profile=kubernetes {{item}}-csr.json | cfssljson -bare {{item}}"
  args:
    chdir: "{{k8s_ca_conf_directory}}"
-    creates: "{{k8s_ca_conf_directory}}/cert-{{item}}-key.pem"
+    creates: "{{k8s_ca_conf_directory}}/{{item}}-key.pem"
  with_inventory_hostnames:
    - k8s_worker
  tags: