kubernetes/standalone: install kubeletctl and enable x509 based auth

author: Christian Pointner <equinox@spreadspace.org> 2023-04-23 00:01:44 +0200
committer: Christian Pointner <equinox@spreadspace.org> 2023-04-23 00:01:44 +0200
commit: 6424e5079fd29f377350df26f7768ef2bcd5f5a4 (patch)
tree: 84b52a45492fb6a43916767a5f3f5cb61fb92ea9 /roles/kubernetes/standalone/base/tasks/tls.yml
parent: ch-equinox-* add k9s and kubeletctl (diff)
1 files changed, 130 insertions, 0 deletions
diff --git a/roles/kubernetes/standalone/base/tasks/tls.yml b/roles/kubernetes/standalone/base/tasks/tls.yml
new file mode 100644
index 00000000..39952267
--- /dev/null
+++ b/roles/kubernetes/standalone/base/tasks/tls.yml
@@ -0,0 +1,130 @@
+---
+- name: install python-cryptoraphy
+  apt:
+    name: "{{ python_basename }}-cryptography"
+    state: present
+
+- name: create base directory
+  file:
+    path: /etc/ssl/standalone-kubelet
+    state: directory
+
+
+- name: create CA directory
+  file:
+    path: /etc/ssl/standalone-kubelet/ca
+    state: directory
+    mode: 0700
+
+- name: create CA private key
+  openssl_privatekey:
+    path: /etc/ssl/standalone-kubelet/ca/key.pem
+    type: RSA
+    size: 4096
+    mode: 0600
+
+- name: create signing request for CA certificate
+  openssl_csr:
+    path: /etc/ssl/standalone-kubelet/ca/csr.pem
+    privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+    CN: "CA for standalone-kubelet running on {{ inventory_hostname }}"
+    useCommonNameForSAN: no
+    key_usage:
+    - cRLSign
+    - keyCertSign
+    key_usage_critical: yes
+    basic_constraints:
+    - 'CA:TRUE'
+    - 'pathlen:0'
+    basic_constraints_critical: yes
+
+- name: create self-signed CA certificate
+  openssl_certificate:
+    path: /etc/ssl/standalone-kubelet/ca-crt.pem
+    csr_path: /etc/ssl/standalone-kubelet/ca/csr.pem
+    privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+    provider: selfsigned
+    selfsigned_digest: sha256
+    selfsigned_not_after: "+18250d" ## 50 years
+    selfsigned_create_subject_key_identifier: always_create
+  notify: restart kubelet
+
+
+- name: create server cert/key directory
+  file:
+    path: /etc/ssl/standalone-kubelet/server
+    state: directory
+    mode: 0700
+
+- name: create server private key
+  openssl_privatekey:
+    path: /etc/ssl/standalone-kubelet/server/key.pem
+    type: RSA
+    size: 4096
+    mode: 0400
+  notify: restart kubelet
+
+- name: create signing request for server certificate
+  openssl_csr:
+    path: /etc/ssl/standalone-kubelet/server/csr.pem
+    privatekey_path: /etc/ssl/standalone-kubelet/server/key.pem
+    CN: "{{ inventory_hostname }}"
+    key_usage:
+    - digitalSignature
+    key_usage_critical: yes
+    extended_key_usage:
+    - serverAuth
+    extended_key_usage_critical: yes
+    basic_constraints:
+    - 'CA:FALSE'
+    basic_constraints_critical: yes
+
+- name: generate server certificate
+  openssl_certificate:
+    path: /etc/ssl/standalone-kubelet/server/crt.pem
+    csr_path: /etc/ssl/standalone-kubelet/server/csr.pem
+    provider: ownca
+    ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
+    ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+    ownca_digest: sha256
+    ownca_not_after: "+18250d" ## 50 years
+  notify: restart kubelet
+
+
+- name: create client cert/key directory
+  file:
+    path: /etc/ssl/standalone-kubelet/client
+    state: directory
+    mode: 0700
+
+- name: create private key for client certificate
+  openssl_privatekey:
+    path: /etc/ssl/standalone-kubelet/client/key.pem
+    type: RSA
+    size: 4096
+    mode: 0400
+
+- name: create signing request for client certificate
+  openssl_csr:
+    path: /etc/ssl/standalone-kubelet/client/csr.pem
+    privatekey_path: /etc/ssl/standalone-kubelet/client/key.pem
+    CN: "{{ inventory_hostname }}"
+    key_usage:
+    - digitalSignature
+    key_usage_critical: yes
+    extended_key_usage:
+    - clientAuth
+    extended_key_usage_critical: yes
+    basic_constraints:
+    - 'CA:FALSE'
+    basic_constraints_critical: yes
+
+- name: create client certificate
+  openssl_certificate:
+    path: /etc/ssl/standalone-kubelet/client/crt.pem
+    csr_path: /etc/ssl/standalone-kubelet/client/csr.pem
+    provider: ownca
+    ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
+    ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+    ownca_digest: sha256
+    ownca_not_after: "+18250d" ## 50 years
author	Christian Pointner <equinox@spreadspace.org>	2023-04-23 00:01:44 +0200
committer	Christian Pointner <equinox@spreadspace.org>	2023-04-23 00:01:44 +0200
commit	6424e5079fd29f377350df26f7768ef2bcd5f5a4 (patch)
tree	84b52a45492fb6a43916767a5f3f5cb61fb92ea9 /roles/kubernetes/standalone/base/tasks/tls.yml
parent	ch-equinox-* add k9s and kubeletctl (diff)