summaryrefslogtreecommitdiff
path: root/roles/kubernetes/standalone
diff options
context:
space:
mode:
authorChristian Pointner <equinox@spreadspace.org>2023-04-23 00:01:44 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-04-23 00:01:44 +0200
commit6424e5079fd29f377350df26f7768ef2bcd5f5a4 (patch)
tree84b52a45492fb6a43916767a5f3f5cb61fb92ea9 /roles/kubernetes/standalone
parentch-equinox-* add k9s and kubeletctl (diff)
kubernetes/standalone: install kubeletctl and enable x509 based auth
Diffstat (limited to 'roles/kubernetes/standalone')
-rw-r--r--roles/kubernetes/standalone/base/tasks/main.yml19
-rw-r--r--roles/kubernetes/standalone/base/tasks/tls.yml130
-rw-r--r--roles/kubernetes/standalone/base/templates/kubelet-config.yml.j26
3 files changed, 154 insertions, 1 deletions
diff --git a/roles/kubernetes/standalone/base/tasks/main.yml b/roles/kubernetes/standalone/base/tasks/main.yml
index d7f47ff4..495fd4ff 100644
--- a/roles/kubernetes/standalone/base/tasks/main.yml
+++ b/roles/kubernetes/standalone/base/tasks/main.yml
@@ -16,6 +16,9 @@
dest: /etc/kubernetes/kubelet.yml
notify: restart kubelet
+- name: create TLS certificates and keys
+ import_tasks: tls.yml
+
- name: make sure kubelet is enabled and running
systemd:
name: kubelet.service
@@ -52,3 +55,19 @@
name: kube-standalone-local-services.service
state: started
enabled: yes
+
+- name: install kubeletctl
+ apt:
+ name: kubeletctl
+ state: present
+
+- name: add kubeletctl config for shells
+ loop:
+ - zsh
+ - bash
+ blockinfile:
+ path: "/root/.{{ item }}rc"
+ create: yes
+ marker: "### {mark} ANSIBLE MANAGED BLOCK for kubeletctl ###"
+ content: |
+ alias kubeletctl="kubeletctl --server 127.0.0.1 --cacert /etc/ssl/standalone-kubelet/ca-crt.pem --cert /etc/ssl/standalone-kubelet/client/crt.pem --key /etc/ssl/standalone-kubelet/client/key.pem --ignoreconfig"
diff --git a/roles/kubernetes/standalone/base/tasks/tls.yml b/roles/kubernetes/standalone/base/tasks/tls.yml
new file mode 100644
index 00000000..39952267
--- /dev/null
+++ b/roles/kubernetes/standalone/base/tasks/tls.yml
@@ -0,0 +1,130 @@
+---
+- name: install python-cryptoraphy
+ apt:
+ name: "{{ python_basename }}-cryptography"
+ state: present
+
+- name: create base directory
+ file:
+ path: /etc/ssl/standalone-kubelet
+ state: directory
+
+
+- name: create CA directory
+ file:
+ path: /etc/ssl/standalone-kubelet/ca
+ state: directory
+ mode: 0700
+
+- name: create CA private key
+ openssl_privatekey:
+ path: /etc/ssl/standalone-kubelet/ca/key.pem
+ type: RSA
+ size: 4096
+ mode: 0600
+
+- name: create signing request for CA certificate
+ openssl_csr:
+ path: /etc/ssl/standalone-kubelet/ca/csr.pem
+ privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+ CN: "CA for standalone-kubelet running on {{ inventory_hostname }}"
+ useCommonNameForSAN: no
+ key_usage:
+ - cRLSign
+ - keyCertSign
+ key_usage_critical: yes
+ basic_constraints:
+ - 'CA:TRUE'
+ - 'pathlen:0'
+ basic_constraints_critical: yes
+
+- name: create self-signed CA certificate
+ openssl_certificate:
+ path: /etc/ssl/standalone-kubelet/ca-crt.pem
+ csr_path: /etc/ssl/standalone-kubelet/ca/csr.pem
+ privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+ provider: selfsigned
+ selfsigned_digest: sha256
+ selfsigned_not_after: "+18250d" ## 50 years
+ selfsigned_create_subject_key_identifier: always_create
+ notify: restart kubelet
+
+
+- name: create server cert/key directory
+ file:
+ path: /etc/ssl/standalone-kubelet/server
+ state: directory
+ mode: 0700
+
+- name: create server private key
+ openssl_privatekey:
+ path: /etc/ssl/standalone-kubelet/server/key.pem
+ type: RSA
+ size: 4096
+ mode: 0400
+ notify: restart kubelet
+
+- name: create signing request for server certificate
+ openssl_csr:
+ path: /etc/ssl/standalone-kubelet/server/csr.pem
+ privatekey_path: /etc/ssl/standalone-kubelet/server/key.pem
+ CN: "{{ inventory_hostname }}"
+ key_usage:
+ - digitalSignature
+ key_usage_critical: yes
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ basic_constraints:
+ - 'CA:FALSE'
+ basic_constraints_critical: yes
+
+- name: generate server certificate
+ openssl_certificate:
+ path: /etc/ssl/standalone-kubelet/server/crt.pem
+ csr_path: /etc/ssl/standalone-kubelet/server/csr.pem
+ provider: ownca
+ ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
+ ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+ ownca_digest: sha256
+ ownca_not_after: "+18250d" ## 50 years
+ notify: restart kubelet
+
+
+- name: create client cert/key directory
+ file:
+ path: /etc/ssl/standalone-kubelet/client
+ state: directory
+ mode: 0700
+
+- name: create private key for client certificate
+ openssl_privatekey:
+ path: /etc/ssl/standalone-kubelet/client/key.pem
+ type: RSA
+ size: 4096
+ mode: 0400
+
+- name: create signing request for client certificate
+ openssl_csr:
+ path: /etc/ssl/standalone-kubelet/client/csr.pem
+ privatekey_path: /etc/ssl/standalone-kubelet/client/key.pem
+ CN: "{{ inventory_hostname }}"
+ key_usage:
+ - digitalSignature
+ key_usage_critical: yes
+ extended_key_usage:
+ - clientAuth
+ extended_key_usage_critical: yes
+ basic_constraints:
+ - 'CA:FALSE'
+ basic_constraints_critical: yes
+
+- name: create client certificate
+ openssl_certificate:
+ path: /etc/ssl/standalone-kubelet/client/crt.pem
+ csr_path: /etc/ssl/standalone-kubelet/client/csr.pem
+ provider: ownca
+ ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
+ ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+ ownca_digest: sha256
+ ownca_not_after: "+18250d" ## 50 years
diff --git a/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2 b/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2
index c4395631..ae26d04d 100644
--- a/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2
+++ b/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2
@@ -8,11 +8,15 @@ port: {{ kubernetes_standalone_port }}
readOnlyPort: {{ kubernetes_standalone_readonly_port }}
healthzBindAddress: {{ kubernetes_standalone_healthz_address }}
healthzPort: {{ kubernetes_standalone_healthz_port }}
+tlsCertFile: /etc/ssl/standalone-kubelet/server/crt.pem
+tlsPrivateKeyFile: /etc/ssl/standalone-kubelet/server/key.pem
authentication:
anonymous:
- enabled: true
+ enabled: false
webhook:
enabled: false
+ x509:
+ clientCAFile: /etc/ssl/standalone-kubelet/ca-crt.pem
authorization:
mode: AlwaysAllow
maxPods: {{ kubernetes_standalone_max_pods }}