diff options
author | Christian Pointner <equinox@spreadspace.org> | 2023-04-23 00:01:44 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2023-04-23 00:01:44 +0200 |
commit | 6424e5079fd29f377350df26f7768ef2bcd5f5a4 (patch) | |
tree | 84b52a45492fb6a43916767a5f3f5cb61fb92ea9 /roles/kubernetes/standalone | |
parent | ch-equinox-* add k9s and kubeletctl (diff) |
kubernetes/standalone: install kubeletctl and enable x509 based auth
Diffstat (limited to 'roles/kubernetes/standalone')
-rw-r--r-- | roles/kubernetes/standalone/base/tasks/main.yml | 19 | ||||
-rw-r--r-- | roles/kubernetes/standalone/base/tasks/tls.yml | 130 | ||||
-rw-r--r-- | roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2 | 6 |
3 files changed, 154 insertions, 1 deletions
diff --git a/roles/kubernetes/standalone/base/tasks/main.yml b/roles/kubernetes/standalone/base/tasks/main.yml index d7f47ff4..495fd4ff 100644 --- a/roles/kubernetes/standalone/base/tasks/main.yml +++ b/roles/kubernetes/standalone/base/tasks/main.yml @@ -16,6 +16,9 @@ dest: /etc/kubernetes/kubelet.yml notify: restart kubelet +- name: create TLS certificates and keys + import_tasks: tls.yml + - name: make sure kubelet is enabled and running systemd: name: kubelet.service @@ -52,3 +55,19 @@ name: kube-standalone-local-services.service state: started enabled: yes + +- name: install kubeletctl + apt: + name: kubeletctl + state: present + +- name: add kubeletctl config for shells + loop: + - zsh + - bash + blockinfile: + path: "/root/.{{ item }}rc" + create: yes + marker: "### {mark} ANSIBLE MANAGED BLOCK for kubeletctl ###" + content: | + alias kubeletctl="kubeletctl --server 127.0.0.1 --cacert /etc/ssl/standalone-kubelet/ca-crt.pem --cert /etc/ssl/standalone-kubelet/client/crt.pem --key /etc/ssl/standalone-kubelet/client/key.pem --ignoreconfig" diff --git a/roles/kubernetes/standalone/base/tasks/tls.yml b/roles/kubernetes/standalone/base/tasks/tls.yml new file mode 100644 index 00000000..39952267 --- /dev/null +++ b/roles/kubernetes/standalone/base/tasks/tls.yml @@ -0,0 +1,130 @@ +--- +- name: install python-cryptoraphy + apt: + name: "{{ python_basename }}-cryptography" + state: present + +- name: create base directory + file: + path: /etc/ssl/standalone-kubelet + state: directory + + +- name: create CA directory + file: + path: /etc/ssl/standalone-kubelet/ca + state: directory + mode: 0700 + +- name: create CA private key + openssl_privatekey: + path: /etc/ssl/standalone-kubelet/ca/key.pem + type: RSA + size: 4096 + mode: 0600 + +- name: create signing request for CA certificate + openssl_csr: + path: /etc/ssl/standalone-kubelet/ca/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + CN: "CA for standalone-kubelet running on {{ inventory_hostname }}" + useCommonNameForSAN: no + key_usage: + - cRLSign + - keyCertSign + key_usage_critical: yes + basic_constraints: + - 'CA:TRUE' + - 'pathlen:0' + basic_constraints_critical: yes + +- name: create self-signed CA certificate + openssl_certificate: + path: /etc/ssl/standalone-kubelet/ca-crt.pem + csr_path: /etc/ssl/standalone-kubelet/ca/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + provider: selfsigned + selfsigned_digest: sha256 + selfsigned_not_after: "+18250d" ## 50 years + selfsigned_create_subject_key_identifier: always_create + notify: restart kubelet + + +- name: create server cert/key directory + file: + path: /etc/ssl/standalone-kubelet/server + state: directory + mode: 0700 + +- name: create server private key + openssl_privatekey: + path: /etc/ssl/standalone-kubelet/server/key.pem + type: RSA + size: 4096 + mode: 0400 + notify: restart kubelet + +- name: create signing request for server certificate + openssl_csr: + path: /etc/ssl/standalone-kubelet/server/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/server/key.pem + CN: "{{ inventory_hostname }}" + key_usage: + - digitalSignature + key_usage_critical: yes + extended_key_usage: + - serverAuth + extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + basic_constraints_critical: yes + +- name: generate server certificate + openssl_certificate: + path: /etc/ssl/standalone-kubelet/server/crt.pem + csr_path: /etc/ssl/standalone-kubelet/server/csr.pem + provider: ownca + ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem + ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years + notify: restart kubelet + + +- name: create client cert/key directory + file: + path: /etc/ssl/standalone-kubelet/client + state: directory + mode: 0700 + +- name: create private key for client certificate + openssl_privatekey: + path: /etc/ssl/standalone-kubelet/client/key.pem + type: RSA + size: 4096 + mode: 0400 + +- name: create signing request for client certificate + openssl_csr: + path: /etc/ssl/standalone-kubelet/client/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/client/key.pem + CN: "{{ inventory_hostname }}" + key_usage: + - digitalSignature + key_usage_critical: yes + extended_key_usage: + - clientAuth + extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + basic_constraints_critical: yes + +- name: create client certificate + openssl_certificate: + path: /etc/ssl/standalone-kubelet/client/crt.pem + csr_path: /etc/ssl/standalone-kubelet/client/csr.pem + provider: ownca + ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem + ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years diff --git a/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2 b/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2 index c4395631..ae26d04d 100644 --- a/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2 +++ b/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2 @@ -8,11 +8,15 @@ port: {{ kubernetes_standalone_port }} readOnlyPort: {{ kubernetes_standalone_readonly_port }} healthzBindAddress: {{ kubernetes_standalone_healthz_address }} healthzPort: {{ kubernetes_standalone_healthz_port }} +tlsCertFile: /etc/ssl/standalone-kubelet/server/crt.pem +tlsPrivateKeyFile: /etc/ssl/standalone-kubelet/server/key.pem authentication: anonymous: - enabled: true + enabled: false webhook: enabled: false + x509: + clientCAFile: /etc/ssl/standalone-kubelet/ca-crt.pem authorization: mode: AlwaysAllow maxPods: {{ kubernetes_standalone_max_pods }} |