kubernetes/standalone: install kubeletctl and enable x509 based auth

3 files changed, 154 insertions, 1 deletions

diff --git a/roles/kubernetes/standalone/base/tasks/main.yml b/roles/kubernetes/standalone/base/tasks/main.yml
index d7f47ff4..495fd4ff 100644
--- a/roles/kubernetes/standalone/base/tasks/main.yml
+++ b/roles/kubernetes/standalone/base/tasks/main.yml
@@ -16,6 +16,9 @@
     dest: /etc/kubernetes/kubelet.yml
   notify: restart kubelet
 
+- name: create TLS certificates and keys
+  import_tasks: tls.yml
+
 - name: make sure kubelet is enabled and running
   systemd:
     name: kubelet.service
@@ -52,3 +55,19 @@
     name: kube-standalone-local-services.service
     state: started
     enabled: yes
+
+- name: install kubeletctl
+  apt:
+    name: kubeletctl
+    state: present
+
+- name: add kubeletctl config for shells
+  loop:
+  - zsh
+  - bash
+  blockinfile:
+    path: "/root/.{{ item }}rc"
+    create: yes
+    marker: "### {mark} ANSIBLE MANAGED BLOCK for kubeletctl ###"
+    content: |
+      alias kubeletctl="kubeletctl --server 127.0.0.1 --cacert /etc/ssl/standalone-kubelet/ca-crt.pem --cert /etc/ssl/standalone-kubelet/client/crt.pem --key /etc/ssl/standalone-kubelet/client/key.pem --ignoreconfig"
diff --git a/roles/kubernetes/standalone/base/tasks/tls.yml b/roles/kubernetes/standalone/base/tasks/tls.yml
new file mode 100644
index 00000000..39952267
--- /dev/null
+++ b/roles/kubernetes/standalone/base/tasks/tls.yml
@@ -0,0 +1,130 @@
+---
+- name: install python-cryptoraphy
+  apt:
+    name: "{{ python_basename }}-cryptography"
+    state: present
+
+- name: create base directory
+  file:
+    path: /etc/ssl/standalone-kubelet
+    state: directory
+
+
+- name: create CA directory
+  file:
+    path: /etc/ssl/standalone-kubelet/ca
+    state: directory
+    mode: 0700
+
+- name: create CA private key
+  openssl_privatekey:
+    path: /etc/ssl/standalone-kubelet/ca/key.pem
+    type: RSA
+    size: 4096
+    mode: 0600
+
+- name: create signing request for CA certificate
+  openssl_csr:
+    path: /etc/ssl/standalone-kubelet/ca/csr.pem
+    privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+    CN: "CA for standalone-kubelet running on {{ inventory_hostname }}"
+    useCommonNameForSAN: no
+    key_usage:
+    - cRLSign
+    - keyCertSign
+    key_usage_critical: yes
+    basic_constraints:
+    - 'CA:TRUE'
+    - 'pathlen:0'
+    basic_constraints_critical: yes
+
+- name: create self-signed CA certificate
+  openssl_certificate:
+    path: /etc/ssl/standalone-kubelet/ca-crt.pem
+    csr_path: /etc/ssl/standalone-kubelet/ca/csr.pem
+    privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+    provider: selfsigned
+    selfsigned_digest: sha256
+    selfsigned_not_after: "+18250d" ## 50 years
+    selfsigned_create_subject_key_identifier: always_create
+  notify: restart kubelet
+
+
+- name: create server cert/key directory
+  file:
+    path: /etc/ssl/standalone-kubelet/server
+    state: directory
+    mode: 0700
+
+- name: create server private key
+  openssl_privatekey:
+    path: /etc/ssl/standalone-kubelet/server/key.pem
+    type: RSA
+    size: 4096
+    mode: 0400
+  notify: restart kubelet
+
+- name: create signing request for server certificate
+  openssl_csr:
+    path: /etc/ssl/standalone-kubelet/server/csr.pem
+    privatekey_path: /etc/ssl/standalone-kubelet/server/key.pem
+    CN: "{{ inventory_hostname }}"
+    key_usage:
+    - digitalSignature
+    key_usage_critical: yes
+    extended_key_usage:
+    - serverAuth
+    extended_key_usage_critical: yes
+    basic_constraints:
+    - 'CA:FALSE'
+    basic_constraints_critical: yes
+
+- name: generate server certificate
+  openssl_certificate:
+    path: /etc/ssl/standalone-kubelet/server/crt.pem
+    csr_path: /etc/ssl/standalone-kubelet/server/csr.pem
+    provider: ownca
+    ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
+    ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+    ownca_digest: sha256
+    ownca_not_after: "+18250d" ## 50 years
+  notify: restart kubelet
+
+
+- name: create client cert/key directory
+  file:
+    path: /etc/ssl/standalone-kubelet/client
+    state: directory
+    mode: 0700
+
+- name: create private key for client certificate
+  openssl_privatekey:
+    path: /etc/ssl/standalone-kubelet/client/key.pem
+    type: RSA
+    size: 4096
+    mode: 0400
+
+- name: create signing request for client certificate
+  openssl_csr:
+    path: /etc/ssl/standalone-kubelet/client/csr.pem
+    privatekey_path: /etc/ssl/standalone-kubelet/client/key.pem
+    CN: "{{ inventory_hostname }}"
+    key_usage:
+    - digitalSignature
+    key_usage_critical: yes
+    extended_key_usage:
+    - clientAuth
+    extended_key_usage_critical: yes
+    basic_constraints:
+    - 'CA:FALSE'
+    basic_constraints_critical: yes
+
+- name: create client certificate
+  openssl_certificate:
+    path: /etc/ssl/standalone-kubelet/client/crt.pem
+    csr_path: /etc/ssl/standalone-kubelet/client/csr.pem
+    provider: ownca
+    ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
+    ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
+    ownca_digest: sha256
+    ownca_not_after: "+18250d" ## 50 years
diff --git a/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2 b/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2
index c4395631..ae26d04d 100644
--- a/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2
+++ b/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2
@@ -8,11 +8,15 @@ port: {{ kubernetes_standalone_port }}
 readOnlyPort: {{ kubernetes_standalone_readonly_port }}
 healthzBindAddress: {{ kubernetes_standalone_healthz_address }}
 healthzPort: {{ kubernetes_standalone_healthz_port }}
+tlsCertFile: /etc/ssl/standalone-kubelet/server/crt.pem
+tlsPrivateKeyFile: /etc/ssl/standalone-kubelet/server/key.pem
 authentication:
   anonymous:
-    enabled: true
+    enabled: false
   webhook:
     enabled: false
+  x509:
+    clientCAFile: /etc/ssl/standalone-kubelet/ca-crt.pem
 authorization:
   mode: AlwaysAllow
 maxPods: {{ kubernetes_standalone_max_pods }}