diff options
author | Christian Pointner <equinox@spreadspace.org> | 2023-04-23 00:01:44 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2023-04-23 00:01:44 +0200 |
commit | 6424e5079fd29f377350df26f7768ef2bcd5f5a4 (patch) | |
tree | 84b52a45492fb6a43916767a5f3f5cb61fb92ea9 /roles/kubernetes/standalone/base/tasks/tls.yml | |
parent | ch-equinox-* add k9s and kubeletctl (diff) |
kubernetes/standalone: install kubeletctl and enable x509 based auth
Diffstat (limited to 'roles/kubernetes/standalone/base/tasks/tls.yml')
-rw-r--r-- | roles/kubernetes/standalone/base/tasks/tls.yml | 130 |
1 files changed, 130 insertions, 0 deletions
diff --git a/roles/kubernetes/standalone/base/tasks/tls.yml b/roles/kubernetes/standalone/base/tasks/tls.yml new file mode 100644 index 00000000..39952267 --- /dev/null +++ b/roles/kubernetes/standalone/base/tasks/tls.yml @@ -0,0 +1,130 @@ +--- +- name: install python-cryptoraphy + apt: + name: "{{ python_basename }}-cryptography" + state: present + +- name: create base directory + file: + path: /etc/ssl/standalone-kubelet + state: directory + + +- name: create CA directory + file: + path: /etc/ssl/standalone-kubelet/ca + state: directory + mode: 0700 + +- name: create CA private key + openssl_privatekey: + path: /etc/ssl/standalone-kubelet/ca/key.pem + type: RSA + size: 4096 + mode: 0600 + +- name: create signing request for CA certificate + openssl_csr: + path: /etc/ssl/standalone-kubelet/ca/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + CN: "CA for standalone-kubelet running on {{ inventory_hostname }}" + useCommonNameForSAN: no + key_usage: + - cRLSign + - keyCertSign + key_usage_critical: yes + basic_constraints: + - 'CA:TRUE' + - 'pathlen:0' + basic_constraints_critical: yes + +- name: create self-signed CA certificate + openssl_certificate: + path: /etc/ssl/standalone-kubelet/ca-crt.pem + csr_path: /etc/ssl/standalone-kubelet/ca/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + provider: selfsigned + selfsigned_digest: sha256 + selfsigned_not_after: "+18250d" ## 50 years + selfsigned_create_subject_key_identifier: always_create + notify: restart kubelet + + +- name: create server cert/key directory + file: + path: /etc/ssl/standalone-kubelet/server + state: directory + mode: 0700 + +- name: create server private key + openssl_privatekey: + path: /etc/ssl/standalone-kubelet/server/key.pem + type: RSA + size: 4096 + mode: 0400 + notify: restart kubelet + +- name: create signing request for server certificate + openssl_csr: + path: /etc/ssl/standalone-kubelet/server/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/server/key.pem + CN: "{{ inventory_hostname }}" + key_usage: + - digitalSignature + key_usage_critical: yes + extended_key_usage: + - serverAuth + extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + basic_constraints_critical: yes + +- name: generate server certificate + openssl_certificate: + path: /etc/ssl/standalone-kubelet/server/crt.pem + csr_path: /etc/ssl/standalone-kubelet/server/csr.pem + provider: ownca + ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem + ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years + notify: restart kubelet + + +- name: create client cert/key directory + file: + path: /etc/ssl/standalone-kubelet/client + state: directory + mode: 0700 + +- name: create private key for client certificate + openssl_privatekey: + path: /etc/ssl/standalone-kubelet/client/key.pem + type: RSA + size: 4096 + mode: 0400 + +- name: create signing request for client certificate + openssl_csr: + path: /etc/ssl/standalone-kubelet/client/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/client/key.pem + CN: "{{ inventory_hostname }}" + key_usage: + - digitalSignature + key_usage_critical: yes + extended_key_usage: + - clientAuth + extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + basic_constraints_critical: yes + +- name: create client certificate + openssl_certificate: + path: /etc/ssl/standalone-kubelet/client/crt.pem + csr_path: /etc/ssl/standalone-kubelet/client/csr.pem + provider: ownca + ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem + ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years |