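---
# Bootstraps a private PKI for a standalone kubelet on this host:
#   CA key + self-signed CA cert  -> /etc/ssl/standalone-kubelet/ca/ and ca-crt.pem
#   server key/cert (serverAuth)   -> /etc/ssl/standalone-kubelet/server/
#   client key/cert (clientAuth)   -> /etc/ssl/standalone-kubelet/client/
# All three keys are 4096-bit RSA and every certificate is valid for ~50 years,
# so nothing produced here is ever rotated, and no CRL is ever issued even
# though the CA asserts cRLSign. The ca/ directory is the root of trust for
# this host: anyone who can read ca/key.pem can mint kubelet client certs.
# NOTE(review): openssl_* are the legacy short module names; newer Ansible
# resolves them through community.crypto.
- name: install python-cryptography
  apt:
    name: "{{ python_basename }}-cryptography"
    state: present

# No explicit mode: permissions follow the umask of the Ansible user.
# ca-crt.pem is written here and must remain readable by every client.
- name: create base directory
  file:
    path: /etc/ssl/standalone-kubelet
    state: directory

- name: create CA directory
  file:
    path: /etc/ssl/standalone-kubelet/ca
    state: directory
    mode: "0700"  # holds the CA private key; root only

# Stored unencrypted: the ownca tasks below read it without a passphrase.
- name: create CA private key
  openssl_privatekey:
    path: /etc/ssl/standalone-kubelet/ca/key.pem
    type: RSA
    size: 4096
    mode: "0600"

- name: create signing request for CA certificate
  openssl_csr:
    path: /etc/ssl/standalone-kubelet/ca/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    CN: "CA for standalone-kubelet running on {{ inventory_hostname }}"
    useCommonNameForSAN: false  # a CA needs no SAN; don't derive one from the CN
    key_usage:
      - cRLSign
      - keyCertSign
    key_usage_critical: true
    basic_constraints:
      - 'CA:TRUE'
      - 'pathlen:0'  # may sign leaf certs only, never an intermediate CA
    basic_constraints_critical: true

# The CA cert is published outside ca/ so clients can read it without access
# to the key directory.
- name: create self-signed CA certificate
  openssl_certificate:
    path: /etc/ssl/standalone-kubelet/ca-crt.pem
    csr_path: /etc/ssl/standalone-kubelet/ca/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    provider: selfsigned
    selfsigned_digest: sha256
    selfsigned_not_after: "+18250d"  # 50 years: effectively never expires
    selfsigned_create_subject_key_identifier: always_create
  notify: restart kubelet

- name: create server cert/key directory
  file:
    path: /etc/ssl/standalone-kubelet/server
    state: directory
    mode: "0700"

- name: create server private key
  openssl_privatekey:
    path: /etc/ssl/standalone-kubelet/server/key.pem
    type: RSA
    size: 4096
    mode: "0400"
  notify: restart kubelet

# The SAN is built with an "IP:" prefix, so kubernetes_standalone_address is
# assumed to be an IP literal, not a DNS name — TODO confirm at the call site.
# key_usage is digitalSignature only (no keyEncipherment), which on an RSA
# key presumably restricts the kubelet to (EC)DHE signing suites; confirm this
# matches the kubelet's cipher configuration.
- name: create signing request for server certificate
  openssl_csr:
    path: /etc/ssl/standalone-kubelet/server/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/server/key.pem
    CN: "{{ kubernetes_standalone_address | default('127.0.0.1') }}"
    subject_alt_name:
      - "IP:{{ kubernetes_standalone_address | default('127.0.0.1') }}"
    key_usage:
      - digitalSignature
    key_usage_critical: true
    extended_key_usage:
      - serverAuth  # server-only: this cert cannot be replayed as a client cert
    extended_key_usage_critical: true
    basic_constraints:
      - 'CA:FALSE'
    basic_constraints_critical: true

# Leaf validity is also 50 years, counted from leaf creation, so the leaf
# nominally outlives the CA by a few seconds; harmless at this horizon.
- name: generate server certificate
  openssl_certificate:
    path: /etc/ssl/standalone-kubelet/server/crt.pem
    csr_path: /etc/ssl/standalone-kubelet/server/csr.pem
    provider: ownca
    ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
    ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    ownca_digest: sha256
    ownca_not_after: "+18250d"  # 50 years
  notify: restart kubelet

- name: create client cert/key directory
  file:
    path: /etc/ssl/standalone-kubelet/client
    state: directory
    mode: "0700"

- name: create private key for client certificate
  openssl_privatekey:
    path: /etc/ssl/standalone-kubelet/client/key.pem
    type: RSA
    size: 4096
    mode: "0400"

# The kubelet identifies x509 clients by the subject (CN as user, O as
# groups); a SAN is not needed, so the module is told not to synthesize a
# DNS SAN from the CN as it otherwise would.
- name: create signing request for client certificate
  openssl_csr:
    path: /etc/ssl/standalone-kubelet/client/csr.pem
    privatekey_path: /etc/ssl/standalone-kubelet/client/key.pem
    CN: "{{ inventory_hostname }}"
    useCommonNameForSAN: false
    key_usage:
      - digitalSignature
    key_usage_critical: true
    extended_key_usage:
      - clientAuth  # client-only: this cert cannot be presented as a server cert
    extended_key_usage_critical: true
    basic_constraints:
      - 'CA:FALSE'
    basic_constraints_critical: true

# No kubelet restart here: the kubelet only needs the CA cert to validate
# clients, so issuing a new client cert does not change its configuration.
- name: create client certificate
  openssl_certificate:
    path: /etc/ssl/standalone-kubelet/client/crt.pem
    csr_path: /etc/ssl/standalone-kubelet/client/csr.pem
    provider: ownca
    ownca_path: /etc/ssl/standalone-kubelet/ca-crt.pem
    ownca_privatekey_path: /etc/ssl/standalone-kubelet/ca/key.pem
    ownca_digest: sha256
    ownca_not_after: "+18250d"  # 50 years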