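---
# Bootstrap a private PKI for a standalone kubelet: one self-signed CA, one
# serverAuth certificate the kubelet presents, and one clientAuth certificate
# for talking to it.  Everything lives under /etc/ssl/standalone-kubelet; the
# private keys sit in 0700 directories with 0400 files.
#
# Certificate lifetime is controlled by standalone_kubelet_cert_not_after
# (openssl_certificate relative-time syntax).  The default keeps the original
# 50-year lifetime, which means nothing generated here is ever rotated —
# shorten it if the kubelet is reachable from anywhere but localhost.

- name: install python-cryptography
  apt:
    name: "{{ python_basename }}-cryptography"
    state: present

- name: create base directory
  file:
    path: /etc/ssl/standalone-kubelet
    state: directory

- name: create CA directory
  file:
    path: /etc/ssl/standalone-kubelet/ca
    state: directory
    mode: "0700"

- name: create CA private key
  openssl_privatekey:
    path: /etc/ssl/standalone-kubelet/ca/key.pem
    type: RSA
    size: 4096
    # same mode as the server/client keys below; the CA key is only read
    # for signing and never needs to be writable
    mode: "0400"

- name: create signing request for CA certificate
  openssl_csr:
    path: /etc/ssl/standalone-kubelet/ca/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    CN: "CA for standalone-kubelet running on {{ inventory_hostname }}"
    useCommonNameForSAN: false
    key_usage:
      - cRLSign
      - keyCertSign
    key_usage_critical: true
    # pathlen:0 — this CA may only issue end-entity certificates
    basic_constraints:
      - 'CA:TRUE'
      - 'pathlen:0'
    basic_constraints_critical: true

- name: create self-signed CA certificate
  openssl_certificate:
    path: /etc/ssl/standalone-kubelet/ca-crt.pem
    csr_path: /etc/ssl/standalone-kubelet/ca/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    provider: selfsigned
    selfsigned_digest: sha256
    selfsigned_not_after: "{{ standalone_kubelet_cert_not_after | default('+18250d') }}"
    selfsigned_create_subject_key_identifier: always_create
  # the kubelet trusts this CA for client certificates, so it must reload it
  notify: restart kubelet

- name: create server cert/key directory
  file:
    path: /etc/ssl/standalone-kubelet/server
    state: directory
    mode: "0700"

- name: create server private key
  openssl_privatekey:
    path: /etc/ssl/standalone-kubelet/server/key.pem
    type: RSA
    size: 4096
    mode: "0400"
  notify: restart kubelet

- name: create signing request for server certificate
  openssl_csr:
    path: /etc/ssl/standalone-kubelet/server/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/server/key.pem
    CN: "{{ kubernetes_standalone_address | default('127.0.0.1') }}"
    # NOTE(review): assumes kubernetes_standalone_address is an IP literal;
    # a hostname would need a "DNS:" SAN instead — confirm against callers
    subject_alt_name:
      - "IP:{{ kubernetes_standalone_address | default('127.0.0.1') }}"
    key_usage:
      - digitalSignature
      # RSA key with a critical keyUsage: without keyEncipherment, clients
      # that honour the extension cannot negotiate RSA key-exchange suites
      - keyEncipherment
    key_usage_critical: true
    extended_key_usage:
      - serverAuth
    extended_key_usage_critical: true
    basic_constraints:
      - 'CA:FALSE'
    basic_constraints_critical: true

- name: generate server certificate
  openssl_certificate:
    path: /etc/ssl/standalone-kubelet/server/crt.pem
    csr_path: /etc/ssl/standalone-kubelet/server/csr.pem
    provider: ownca
    ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
    ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    ownca_digest: sha256
    ownca_not_after: "{{ standalone_kubelet_cert_not_after | default('+18250d') }}"
  notify: restart kubelet

- name: create client cert/key directory
  file:
    path: /etc/ssl/standalone-kubelet/client
    state: directory
    mode: "0700"

- name: create private key for client certificate
  openssl_privatekey:
    path: /etc/ssl/standalone-kubelet/client/key.pem
    type: RSA
    size: 4096
    mode: "0400"

- name: create signing request for client certificate
  openssl_csr:
    path: /etc/ssl/standalone-kubelet/client/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/client/key.pem
    CN: "{{ inventory_hostname }}"
    key_usage:
      - digitalSignature
    key_usage_critical: true
    extended_key_usage:
      - clientAuth
    extended_key_usage_critical: true
    basic_constraints:
      - 'CA:FALSE'
    basic_constraints_critical: true

# no notify here: the kubelet does not consume the client certificate, only
# the CA that signed it
- name: create client certificate
  openssl_certificate:
    path: /etc/ssl/standalone-kubelet/client/crt.pem
    csr_path: /etc/ssl/standalone-kubelet/client/csr.pem
    provider: ownca
    ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
    ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    ownca_digest: sha256
    ownca_not_after: "{{ standalone_kubelet_cert_not_after | default('+18250d') }}"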