From 6424e5079fd29f377350df26f7768ef2bcd5f5a4 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 23 Apr 2023 00:01:44 +0200 Subject: kubernetes/standalone: install kubeletctl and enable x509 based auth --- roles/kubernetes/standalone/base/tasks/tls.yml | 130 +++++++++++++++++++++++++ 1 file changed, 130 insertions(+) create mode 100644 roles/kubernetes/standalone/base/tasks/tls.yml (limited to 'roles/kubernetes/standalone/base/tasks/tls.yml') diff --git a/roles/kubernetes/standalone/base/tasks/tls.yml b/roles/kubernetes/standalone/base/tasks/tls.yml new file mode 100644 index 00000000..39952267 --- /dev/null +++ b/roles/kubernetes/standalone/base/tasks/tls.yml @@ -0,0 +1,130 @@ +--- +- name: install python-cryptoraphy + apt: + name: "{{ python_basename }}-cryptography" + state: present + +- name: create base directory + file: + path: /etc/ssl/standalone-kubelet + state: directory + + +- name: create CA directory + file: + path: /etc/ssl/standalone-kubelet/ca + state: directory + mode: 0700 + +- name: create CA private key + openssl_privatekey: + path: /etc/ssl/standalone-kubelet/ca/key.pem + type: RSA + size: 4096 + mode: 0600 + +- name: create signing request for CA certificate + openssl_csr: + path: /etc/ssl/standalone-kubelet/ca/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + CN: "CA for standalone-kubelet running on {{ inventory_hostname }}" + useCommonNameForSAN: no + key_usage: + - cRLSign + - keyCertSign + key_usage_critical: yes + basic_constraints: + - 'CA:TRUE' + - 'pathlen:0' + basic_constraints_critical: yes + +- name: create self-signed CA certificate + openssl_certificate: + path: /etc/ssl/standalone-kubelet/ca-crt.pem + csr_path: /etc/ssl/standalone-kubelet/ca/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + provider: selfsigned + selfsigned_digest: sha256 + selfsigned_not_after: "+18250d" ## 50 years + selfsigned_create_subject_key_identifier: always_create + notify: restart kubelet + + +- name: create server cert/key directory + file: + path: /etc/ssl/standalone-kubelet/server + state: directory + mode: 0700 + +- name: create server private key + openssl_privatekey: + path: /etc/ssl/standalone-kubelet/server/key.pem + type: RSA + size: 4096 + mode: 0400 + notify: restart kubelet + +- name: create signing request for server certificate + openssl_csr: + path: /etc/ssl/standalone-kubelet/server/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/server/key.pem + CN: "{{ inventory_hostname }}" + key_usage: + - digitalSignature + key_usage_critical: yes + extended_key_usage: + - serverAuth + extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + basic_constraints_critical: yes + +- name: generate server certificate + openssl_certificate: + path: /etc/ssl/standalone-kubelet/server/crt.pem + csr_path: /etc/ssl/standalone-kubelet/server/csr.pem + provider: ownca + ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem + ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years + notify: restart kubelet + + +- name: create client cert/key directory + file: + path: /etc/ssl/standalone-kubelet/client + state: directory + mode: 0700 + +- name: create private key for client certificate + openssl_privatekey: + path: /etc/ssl/standalone-kubelet/client/key.pem + type: RSA + size: 4096 + mode: 0400 + +- name: create signing request for client certificate + openssl_csr: + path: /etc/ssl/standalone-kubelet/client/csr.pem + privatekey_path: /etc/ssl/standalone-kubelet/client/key.pem + CN: "{{ inventory_hostname }}" + key_usage: + - digitalSignature + key_usage_critical: yes + extended_key_usage: + - clientAuth + extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + basic_constraints_critical: yes + +- name: create client certificate + openssl_certificate: + path: /etc/ssl/standalone-kubelet/client/crt.pem + csr_path: /etc/ssl/standalone-kubelet/client/csr.pem + provider: ownca + ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem + ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years -- cgit v1.2.3