summaryrefslogtreecommitdiff
path: root/roles/kubernetes/standalone/base/tasks/tls.yml
blob: 5603f8ec218b6db10203bb5880addb4d7d53953b (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
---
- name: install python-cryptoraphy
  apt:
    name: "{{ python_basename }}-cryptography"
    state: present

- name: create base directory
  file:
    path: /etc/ssl/standalone-kubelet
    state: directory


- name: create CA directory
  file:
    path: /etc/ssl/standalone-kubelet/ca
    state: directory
    mode: 0700

- name: create CA private key
  openssl_privatekey:
    path: /etc/ssl/standalone-kubelet/ca/key.pem
    type: RSA
    size: 4096
    mode: 0600

- name: create signing request for CA certificate
  openssl_csr:
    path: /etc/ssl/standalone-kubelet/ca/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    CN: "CA for standalone-kubelet running on {{ inventory_hostname }}"
    useCommonNameForSAN: no
    key_usage:
    - cRLSign
    - keyCertSign
    key_usage_critical: yes
    basic_constraints:
    - 'CA:TRUE'
    - 'pathlen:0'
    basic_constraints_critical: yes

- name: create self-signed CA certificate
  openssl_certificate:
    path: /etc/ssl/standalone-kubelet/ca-crt.pem
    csr_path: /etc/ssl/standalone-kubelet/ca/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    provider: selfsigned
    selfsigned_digest: sha256
    selfsigned_not_after: "+18250d" ## 50 years
    selfsigned_create_subject_key_identifier: always_create
  notify: restart kubelet


- name: create server cert/key directory
  file:
    path: /etc/ssl/standalone-kubelet/server
    state: directory
    mode: 0700

- name: create server private key
  openssl_privatekey:
    path: /etc/ssl/standalone-kubelet/server/key.pem
    type: RSA
    size: 4096
    mode: 0400
  notify: restart kubelet

- name: create signing request for server certificate
  openssl_csr:
    path: /etc/ssl/standalone-kubelet/server/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/server/key.pem
    CN: "{{ kubernetes_standalone_address | default('127.0.0.1') }}"
    subject_alt_name:
    - "IP:{{ kubernetes_standalone_address | default('127.0.0.1') }}"
    key_usage:
    - digitalSignature
    key_usage_critical: yes
    extended_key_usage:
    - serverAuth
    extended_key_usage_critical: yes
    basic_constraints:
    - 'CA:FALSE'
    basic_constraints_critical: yes

- name: generate server certificate
  openssl_certificate:
    path: /etc/ssl/standalone-kubelet/server/crt.pem
    csr_path: /etc/ssl/standalone-kubelet/server/csr.pem
    provider: ownca
    ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
    ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    ownca_digest: sha256
    ownca_not_after: "+18250d" ## 50 years
  notify: restart kubelet


- name: create client cert/key directory
  file:
    path: /etc/ssl/standalone-kubelet/client
    state: directory
    mode: 0700

- name: create private key for client certificate
  openssl_privatekey:
    path: /etc/ssl/standalone-kubelet/client/key.pem
    type: RSA
    size: 4096
    mode: 0400

- name: create signing request for client certificate
  openssl_csr:
    path: /etc/ssl/standalone-kubelet/client/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/client/key.pem
    CN: "{{ inventory_hostname }}"
    key_usage:
    - digitalSignature
    key_usage_critical: yes
    extended_key_usage:
    - clientAuth
    extended_key_usage_critical: yes
    basic_constraints:
    - 'CA:FALSE'
    basic_constraints_critical: yes

- name: create client certificate
  openssl_certificate:
    path: /etc/ssl/standalone-kubelet/client/crt.pem
    csr_path: /etc/ssl/standalone-kubelet/client/csr.pem
    provider: ownca
    ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
    ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    ownca_digest: sha256
    ownca_not_after: "+18250d" ## 50 years