2023-07-04 18:59:39 +02:00
parent 813fd96738
commit 8c3e380d16
115 changed files with 4510 additions and 4 deletions

View File

@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/
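Review bot: `pip install ansible` in the `install` section is unpinned while the interpreter is fixed at `python: "2.7"`, so the Ansible version the syntax check exercises drifts with whatever pip resolves on that day rather than the `min_ansible_version: 2.9` the role declares in meta/main.yml; pin it, e.g. `- pip install 'ansible==2.9.*'`, so CI tests the version the role claims to support. The `sudo: false` / container-infrastructure comment is also legacy Travis configuration and worth re-checking against the current service.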

View File

@ -0,0 +1,100 @@
Certificates
=========
#.GITIGNORE WARNING
##THIS ROLE WILL PUT ALL THE KEYS AND CERTS CREATED ONTO THE CONTROL NODE IN THE ROLES /FILES DIRECTORY. PLEASE AT THAT DIRECTORY TO YOUR .GITIGNORE SO YOU DO NOT UPLOAD YOUR KEYS AND CERTS TO GITHUB
-------------
Useful links:
- [Adding your own CA trusted to firefox](https://javorszky.co.uk/2019/11/06/get-firefox-to-trust-your-self-signed-certificates/)
- [Adding your own CA to Debian host](https://unix.stackexchange.com/questions/90450/adding-a-self-signed-certificate-to-the-trusted-list)
-------------
Documentation
How to apply OpenSSL extensions:
https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
Ansible modules:
- https://docs.ansible.com/ansible/2.7/modules/openssl_certificate_module.html
- https://docs.ansible.com/ansible/2.4/openssl_csr_module.html
- https://docs.ansible.com/ansible/2.5/modules/openssl_privatekey_module.html
.
-------------
Errors I Encountered
When generating some files I was getting:
- "error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/user/.rnd"
The fix was to comment out "RANDFILE = $ENV::HOME/.rnd" in /etc/ssl/openssl.cnf
I Also got this:
- "error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:../crypto/asn1/a_mbstr.c:107:maxsize=2"
If you see "maxsize=#" in the error it means you had more characters than allowed in a field. My case was I had more than 2 characters in the Country field.
--------------
Role to create certificates:
- Create a CA
- Create keys, certiciate signing requests, and certificates
- Fetch files from the host you configured these on TO the Ansible control node
- Distribute certificates based on requirmentes
Manual Commands to match this playbook
-------------
These assume you're running sudo.
Install openssl:
- apt-get install openssl
Create the CA private key
- openssl genrsa -out ca-key.pem 2048
Create CA csr
Creating openssl certs and CSR's requires configurations to be passed in for certain items like extensions. You can either create a .cfg file and pass it into the openssl command or specify the configuration as CONFIG= variable in the bash shell and then echo that variable.
```
CONFIG="
distinguished_name = my_req_distinguished_name
req_extensions = my_extensions
prompt = no
[ my_req_distinguished_name ]
C = US
ST = State
L = City
O = kubernetes
CN = kubernetes
[ my_extensions ]
basicConstraints=critical,CA:TRUE
keyUsage=critical, cRLSign, keyCertSign
"
```
- openssl req -config <(echo "$CONFIG") -new -key ca-key.pem -out ca.csr
To View the CSR so you can verify it has all the right options you want:
- openssl req -text -noout -verify -in ca.csr
Create the CA cert
- openssl req -new -key ca-key.pem -in ca.csr -x509 -days 1000 -out ca.pem
You will repeat these steps; creating a key, csr, and cert over and over. HOWEVER the options in the $CONFIG variable will change depending on what the cert is for. CA:TRUE will only be applied for the CA. Everything else will get CA:FALSE. Pay attentions to key_usages and extended key_usages.
Documentation for openssl extensions can be found:
https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
Requirements
------------
- A Sudo user on your hosts you wish to apply this to
- An internet connection or openssl and required dependencies
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
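Review bot: the "Create the CA cert" command, `openssl req -new -key ca-key.pem -in ca.csr -x509 -days 1000 -out ca.pem`, combines `-new` with `-in`; `openssl req` only reads the request from `-in` when `-new` is absent, so as written `ca.csr` (and the `basicConstraints=critical,CA:TRUE` / `keyUsage` extensions it carries) is ignored and a fresh request is built from the default config. Drop `-new` there, or pass `-config <(echo "$CONFIG")` again, so the manual steps actually match the Ansible tasks. On the `.GITIGNORE WARNING`: since the role itself writes the fetched keys into `roles/certificates/files/`, consider shipping a `files/.gitignore` with the role instead of relying on the reader to add one; the CA private key is among the files that land there. The "Author Information" section is still the Galaxy skeleton text, and "certiciate", "requirmentes" and "Pay attentions" are typos.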

View File

@ -0,0 +1,2 @@
---
# defaults file for certificates

View File

@ -0,0 +1,2 @@
---
# handlers file for certificates

View File

@ -0,0 +1,53 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.9
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
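Review bot: `galaxy_info` is still the unedited Galaxy skeleton (`author: your name`, `description: your role description`, `license: license (GPL-2.0-or-later, MIT, etc)`); the README states the role is BSD licensed, so set `license: BSD-3-Clause` (the SPDX id the comment above suggests) and fill in author and description, otherwise a Galaxy import will flag the metadata. `platforms` is also left fully commented out even though the README targets Debian-style hosts (`apt-get install openssl`).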

View File

@ -0,0 +1,618 @@
---
# tasks file for certificates
# Tasks to create a CA and Certificates for the Kubernetes cluster
# The CA will be my NFS server host in this use case.
# I did find that using the openssl_csr module, the key_usage options did not like a comma
# seperated list, but the YAML list did work.
# I got an error:
# "Cannot parse Subject Alternative Name \" IP:192.168.50.240\" (potentially unsupported by cryptography backend)"
# This was due to spaces between the comman sperated values in the subject_alt_name option in the openssl_csr module
##########################################
## CREATE CA ##
##########################################
# Create a directory to store certs
- name: Create certs directory for storing CA stuff
file:
path: '{{ CA_DIR }}'
state: directory
tags:
- certficates
- ca
when: inventory_hostname == groups['management'][0]
# Create the CA private key
- name: Generate CA private key
openssl_privatekey:
path: '{{ CA_DIR }}/ca-key.pem'
tags:
- certficates
- ca
when: inventory_hostname == groups['management'][0]
# Creates a CSR for the CA
# Any CA cert must have the keyCertSign usage option
- name: Generate CA CSR
openssl_csr:
path: '{{ CA_DIR }}/ca.csr'
privatekey_path: '{{ CA_DIR }}/ca-key.pem'
basic_constraints: 'CA:TRUE'
basic_constraints_critical: True
key_usage:
- cRLSign
- keyCertSign
key_usage_critical: True
organizational_unit_name: kubernetes
common_name: kubernetes
tags:
- certficates
- ca
when: inventory_hostname == groups['management'][0]
# Creare the CA cert from the CSR
- name: Generate CA certificate
openssl_certificate:
path: '{{ CA_DIR }}/ca.pem'
privatekey_path: '{{ CA_DIR }}/ca-key.pem'
csr_path: '{{ CA_DIR }}/ca.csr'
provider: selfsigned
tags:
- certficates
- ca
when: inventory_hostname == groups['management'][0]
##########################################
## KUBE ADMIN CERTS ##
##########################################
# Create the k8sadmin private key
- name: Generate Admin private key
openssl_privatekey:
path: '{{ CA_DIR }}/admin-key.pem'
tags:
- certficates
- admin_cert
when: inventory_hostname == groups['management'][0]
# Create admin CSR
- name: Generate Admin CSR
openssl_csr:
path: '{{ CA_DIR }}/admin.csr'
privatekey_path: '{{ CA_DIR }}/admin-key.pem'
basic_constraints: "CA:FALSE"
basic_constraints_critical: True
key_usage:
- digitalSignature
- keyEncipherment
key_usage_critical: True
extended_key_usage:
- serverAuth
- clientAuth
common_name: k8sadmin
organization_name: "system:masters"
organizational_unit_name: kubernetes
tags:
- certficates
- admin_cert
when: inventory_hostname == groups['management'][0]
# Create Admin cert. Using the CSR created above and the ca.pem generated in the first tasks,
# can generate the certifiacte for the admin
- name: Generate Admin certificate
openssl_certificate:
path: '{{ CA_DIR }}/admin.pem'
csr_path: '{{ CA_DIR }}/admin.csr'
ownca_path: '{{ CA_DIR }}/ca.pem'
ownca_privatekey_path: '{{ CA_DIR }}/ca-key.pem'
provider: ownca
tags:
- certficates
- admin_cert
when: inventory_hostname == groups['management'][0]
##########################################
## MASTER CERTS ##
##########################################
# Create master keys
- name: Generate Masters private key
openssl_privatekey:
path: '{{ CA_DIR }}/k8smasterkey.pem'
tags:
- certficates
- master_cert
- master
when: inventory_hostname == groups['management'][0]
# Localhost and 127.0.0.1 are added for k8s services on controller nodes to access local k8s API
# kubernetes.default is added because it can be used from inside the cluster to access the API
# 10.32.0.1 is a well known address used by services and pods in the cluster
# Create masters CSR
- name: Generate Masters CSR
openssl_csr:
path: '{{ CA_DIR }}/k8smaster.csr'
privatekey_path: '{{ CA_DIR }}/k8smasterkey.pem'
common_name: 'k8s-master'
basic_constraints: "CA:FALSE"
basic_constraints_critical: True
key_usage:
- digitalSignature
- keyEncipherment
key_usage_critical: True
extended_key_usage:
- serverAuth
- clientAuth
organization_name: 'system:masters'
organizational_unit_name: 'kubernetes'
subject_alt_name: "DNS:kubernetes.default,IP:{{ groups['masters'][0] }},DNS:{{ k8smaster01_hostname }},IP:{{ groups['load_balancers'][0] }},DNS:{{ load_balancer_hostname }},IP:127.0.0.1,DNS:localhost,IP:{{ APISERVER_SERVICE_IP }}"
tags:
- certficates
- master_cert
- master
when: inventory_hostname == groups['management'][0]
# Create master cert using master CSR and CA.pem
- name: Generate Masters certificate
openssl_certificate:
path: '{{ CA_DIR }}/k8s-master.pem'
csr_path: '{{ CA_DIR }}/k8smaster.csr'
ownca_path: '{{ CA_DIR }}/ca.pem'
ownca_privatekey_path: '{{ CA_DIR }}/ca-key.pem'
provider: ownca
tags:
- certficates
- master_cert
- master
when: inventory_hostname == groups['management'][0]
##########################################
## KUBELET CERTS ##
##########################################
# Create worker keys
- name: Generate Workers private keys
openssl_privatekey:
path: '{{ CA_DIR }}/{{ item }}-key.pem'
loop:
- "{{ k8sworker01_hostname }}"
- "{{ k8sworker02_hostname }}"
- "{{ k8sworker03_hostname }}"
tags:
- certficates
- worker_cert
- worker
when: inventory_hostname == groups['management'][0]
# Create worker CSRs
- name: Generate Workers CSRs
openssl_csr:
path: '{{ CA_DIR }}/{{ item[0] }}.csr'
privatekey_path: '{{ CA_DIR }}/{{ item[0] }}-key.pem'
common_name: 'system:node:{{ item[0] }}'
basic_constraints: "CA:FALSE"
basic_constraints_critical: True
key_usage:
- digitalSignature
- keyEncipherment
key_usage_critical: True
extended_key_usage:
- serverAuth
- clientAuth
organization_name: 'system:nodes'
organizational_unit_name: 'kubernetes'
subject_alt_name: 'DNS:{{ item[0] }},IP:{{ item[1] }}'
loop:
- ["{{ k8sworker01_hostname }}", "{{ k8sworker01_ip }}" ]
- ["{{ k8sworker02_hostname }}", "{{ k8sworker02_ip }}" ]
- ["{{ k8sworker03_hostname }}", "{{ k8sworker03_ip }}" ]
tags:
- certficates
- worker_cert
- worker
when: inventory_hostname == groups['management'][0]
# Create worker Certs
- name: Generate Workers certificates
openssl_certificate:
path: '{{ CA_DIR }}/{{ item }}.pem'
csr_path: '{{ CA_DIR }}/{{ item }}.csr'
ownca_path: '{{ CA_DIR }}/ca.pem'
ownca_privatekey_path: '{{ CA_DIR }}/ca-key.pem'
provider: ownca
loop:
- "{{ k8sworker01_hostname }}"
- "{{ k8sworker02_hostname }}"
- "{{ k8sworker03_hostname }}"
tags:
- certficates
- worker_cert
- worker
when: inventory_hostname == groups['management'][0]
##########################################
## KUBEPROXY CERTS ##
##########################################
# Create kubeproxy key
- name: Generating Kube Proxy private key
openssl_privatekey:
path: '{{ CA_DIR }}/kube-proxy-key.pem'
tags:
- certficates
- kubeproxy_cert
- kubeproxy
when: inventory_hostname == groups['management'][0]
# Create kubeproxy CSR
- name: Generate Kube Proxy CSR
openssl_csr:
path: '{{ CA_DIR }}/kube-proxy.csr'
privatekey_path: '{{ CA_DIR }}/kube-proxy-key.pem'
basic_constraints: "CA:FALSE"
basic_constraints_critical: True
key_usage:
- digitalSignature
- keyEncipherment
key_usage_critical: True
extended_key_usage:
- serverAuth
- clientAuth
common_name: 'system:kube-proxy'
organization_name: 'system:node-proxier'
organizational_unit_name: 'kubernetes'
tags:
- certficates
- kubeproxy_cert
- kubeproxy
when: inventory_hostname == groups['management'][0]
# Create kubeproxy cert
- name: Generate Kube Proxy certificate
openssl_certificate:
path: '{{ CA_DIR }}/kube-proxy.pem'
csr_path: '{{ CA_DIR }}/kube-proxy.csr'
ownca_path: '{{ CA_DIR }}/ca.pem'
ownca_privatekey_path: '{{ CA_DIR }}/ca-key.pem'
provider: ownca
tags:
- certficates
- kubeproxy_cert
- kubeproxy
when: inventory_hostname == groups['management'][0]
##########################################
## KUBE SCHEDULER CERTS ##
##########################################
# Create kube scheduler key
- name: Generating Kube scheduler private key
openssl_privatekey:
path: '{{ CA_DIR }}/kube-scheduler-key.pem'
tags:
- certficates
- kubescheduler_cert
- kubescheduler
when: inventory_hostname == groups['management'][0]
# Create kube scheduler CSR
- name: Generate Kube scheduler CSR
openssl_csr:
path: '{{ CA_DIR }}/kube-scheduler.csr'
privatekey_path: '{{ CA_DIR }}/kube-scheduler-key.pem'
basic_constraints: "CA:FALSE"
basic_constraints_critical: True
key_usage:
- digitalSignature
- keyEncipherment
key_usage_critical: True
extended_key_usage:
- serverAuth
- clientAuth
common_name: 'system:kube-scheduler'
organization_name: 'system:kube-scheduler'
organizational_unit_name: 'kubernetes'
tags:
- certficates
- kubescheduler_cert
- kubescheduler
when: inventory_hostname == groups['management'][0]
# Create kube scheduler cert
- name: Generate Kube scheduler certificate
openssl_certificate:
path: '{{ CA_DIR }}/kube-scheduler.pem'
csr_path: '{{ CA_DIR }}/kube-scheduler.csr'
ownca_path: '{{ CA_DIR }}/ca.pem'
ownca_privatekey_path: '{{ CA_DIR }}/ca-key.pem'
provider: ownca
tags:
- certficates
- kubescheduler_cert
- kubescheduler
when: inventory_hostname == groups['management'][0]
##########################################
## KUBE CONTROLLER MANAGER CERTS ##
##########################################
# Create kube controller manager key
- name: Generating Kube controller-manager private key
openssl_privatekey:
path: '{{ CA_DIR }}/kube-controller-manager-key.pem'
tags:
- certficates
- kubecontroller_cert
- kubecontroller
when: inventory_hostname == groups['management'][0]
# Create kube controller manager CSR
- name: Generate Kube controller-manager CSR
openssl_csr:
path: '{{ CA_DIR }}/kube-controller-manager.csr'
privatekey_path: '{{ CA_DIR }}/kube-controller-manager-key.pem'
basic_constraints: "CA:FALSE"
basic_constraints_critical: True
key_usage:
- digitalSignature
- keyEncipherment
key_usage_critical: True
extended_key_usage:
- serverAuth
- clientAuth
common_name: 'system:kube-controller-manager'
organization_name: 'system:kube-controller-manager'
organizational_unit_name: 'kubernetes'
tags:
- certficates
- kubecontroller_cert
- kubecontroller
when: inventory_hostname == groups['management'][0]
# Create kube controller manager cert
- name: Generate Kube controller-manager certificate
openssl_certificate:
path: '{{ CA_DIR }}/kube-controller-manager.pem'
csr_path: '{{ CA_DIR }}/kube-controller-manager.csr'
ownca_path: '{{ CA_DIR }}/ca.pem'
ownca_privatekey_path: '{{ CA_DIR }}/ca-key.pem'
provider: ownca
tags:
- certficates
- kubecontroller_cert
- kubecontroller
when: inventory_hostname == groups['management'][0]
##########################################
## CREATE SERVICE ACCOUNT KEY PAIR ##
##########################################
# This certificate is used to sign service account tokens
# Create service-account key
- name: Generating service-account private key
openssl_privatekey:
path: '{{ CA_DIR }}/service-account-key.pem'
tags:
- certficates
- serviceaccount_cert
- serviceaccount
when: inventory_hostname == groups['management'][0]
# Create service-account CSR
- name: Generate service-account CSR
openssl_csr:
path: '{{ CA_DIR }}/service-account.csr'
privatekey_path: '{{ CA_DIR }}/service-account-key.pem'
basic_constraints: "CA:FALSE"
basic_constraints_critical: True
key_usage:
- digitalSignature
- keyEncipherment
key_usage_critical: True
extended_key_usage:
- serverAuth
- clientAuth
common_name: 'service-accounts'
organization_name: 'kubernetes'
organizational_unit_name: 'kubernetes'
tags:
- certficates
- serviceaccount_cert
- serviceaccount
when: inventory_hostname == groups['management'][0]
# Create service-account cert
- name: Generate service-account certificate
openssl_certificate:
path: '{{ CA_DIR }}/service-account.pem'
csr_path: '{{ CA_DIR }}/service-account.csr'
ownca_path: '{{ CA_DIR }}/ca.pem'
ownca_privatekey_path: '{{ CA_DIR }}/ca-key.pem'
provider: ownca
tags:
- certficates
- serviceaccount_cert
- serviceaccount
when: inventory_hostname == groups['management'][0]
##########################################
## KUBE DASHBOARD CERTS ##
##########################################
# Create dashboard key
- name: Generate k8s Dashboard private key
openssl_privatekey:
path: '{{ CA_DIR }}/k8s-dashboard-key.pem'
tags:
- certficates
- kubedashboard_cert
- kubedashboard
when: inventory_hostname == groups['management'][0]
# Create dashboard CSR
- name: Generate k8s Dashboard CSR
openssl_csr:
path: '{{ CA_DIR }}/k8s-dashboard.csr'
privatekey_path: '{{ CA_DIR }}/k8s-dashboard-key.pem'
basic_constraints: "CA:FALSE"
basic_constraints_critical: True
key_usage:
- digitalSignature
- keyEncipherment
key_usage_critical: True
extended_key_usage:
- serverAuth
- clientAuth
common_name: 'k8s-Dashboard'
organization_name: 'addons:Dashboard'
organizational_unit_name: 'kubernetes'
tags:
- certficates
- kubedashboard_cert
- kubedashboard
when: inventory_hostname == groups['management'][0]
# Create dashboard cert
- name: Generate k8s Dashboard certificate
openssl_certificate:
path: '{{ CA_DIR }}/k8s-dashboard.pem'
csr_path: '{{ CA_DIR }}/k8s-dashboard.csr'
ownca_path: '{{ CA_DIR }}/ca.pem'
ownca_privatekey_path: '{{ CA_DIR }}/ca-key.pem'
provider: ownca
tags:
- certficates
- kubedashboard_cert
- kubedashboard
when: inventory_hostname == groups['management'][0]
# Create cert bundle for dashboard
- name: Generate k8s-dashboard bundle
shell: "cat {{ CA_DIR }}/k8s-dashboard.pem {{ CA_DIR }}/k8s-dashboard-key.pem > {{ CA_DIR }}/k8s-dashboard.bundle"
args:
creates: '{{ CA_DIR }}/k8s-dashboard.bundle'
tags:
- certficates
- kubedashboard_cert
- kubedashboard
when: inventory_hostname == groups['management'][0]
# Create encryption-config
#- name: Generate encryption-config.yml
# shell: echo "{{ encryption_config }}" > {{ CA_DIR }}/encryption-config.yml
# args:
# creates: '{{ CA_DIR }}/encryption-config.yml'
# tags:
# - certficates
# - kubedashboard_cert
# - kubedashboard
# when: inventory_hostname == groups['management'][0]
##########################################
## GATHER CERTS FOR DISTRIBUTION ##
##########################################
##########################################
## WARNING: ADD THIS ROLES /FILES ##
## DIRECTORY TO YOUR .GITIGNORE ##
## OR EVERYONE WILL ##
# HAVE YOUR CERTS ##
##########################################
- name: Gather the cert files to be fetched
find:
paths: /root/k8scerts
recurse: no
patterns: "*"
register: files_to_copy
tags:
- certificates
- fetch
- distribute
when: inventory_hostname == groups['management'][0]
- name: Fetch certs from CA and place them into this roles file directory
fetch:
src: "{{ item.path }}"
dest: roles/certificates/files/
flat: yes
with_items: "{{ files_to_copy.files }}"
tags:
- certificates
- fetch
- distribute
when: inventory_hostname == groups['management'][0]
- name: Distribute worker01 certs
copy:
src: "{{ item.src }}"
dest: "/home/k8sadmin"
with_items:
- { src: ca.pem }
- { src: k8sworker01-key.pem }
- { src: k8sworker01.pem }
- { src: kube-proxy.pem }
- { src: kube-proxy-key.pem}
tags:
- certificates
- distribute
#when: inventory_hostname == groups['workers'][0]
when: ansible_hostname == 'k8sworker01'
- name: Distribute worker02 certs
copy:
src: "{{ item.src }}"
dest: "/home/k8sadmin"
with_items:
- { src: ca.pem }
- { src: k8sworker02-key.pem }
- { src: k8sworker02.pem }
- { src: kube-proxy.pem }
- { src: kube-proxy-key.pem}
tags:
- certificates
- distribute
#when: inventory_hostname == groups['workers'][1]
when: ansible_hostname == 'k8sworker02'
- name: Distribute worker03 certs
copy:
src: "{{ item.src }}"
dest: "/home/k8sadmin"
with_items:
- { src: ca.pem }
- { src: k8sworker03-key.pem }
- { src: k8sworker03.pem }
- { src: kube-proxy.pem }
- { src: kube-proxy-key.pem}
tags:
- certificates
- distribute
#when: inventory_hostname == groups['workers'][2]
when: ansible_hostname == 'k8sworker03'
- name: Distribute master01 certs
copy:
src: "{{ item.src }}"
dest: "/home/k8sadmin"
with_items:
- { src: ca.pem }
- { src: ca-key.pem }
- { src: k8smasterkey.pem }
- { src: k8s-master.pem }
- { src: service-account-key.pem }
- { src: service-account.pem }
- { src: kube-controller-manager-key.pem }
- { src: kube-controller-manager.pem}
- { src: kube-scheduler-key.pem }
- { src: kube-scheduler.pem}
- { src: admin-key.pem }
- { src: admin.pem}
tags:
- certificates
- distribute
when: inventory_hostname == groups['masters'][0]
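Review bot: the `copy` tasks at the end (`Distribute worker01 certs` through `Distribute master01 certs`) place private keys (`k8sworker0N-key.pem`, `kube-proxy-key.pem`, `ca-key.pem`, `service-account-key.pem`, `kube-controller-manager-key.pem`, `kube-scheduler-key.pem`, `admin-key.pem`) into `/home/k8sadmin` with no `owner`, `group` or `mode`, so the files are created with the target host's default umask (normally 0644) and are readable by every local user; add `owner: k8sadmin`, `group: k8sadmin` and `mode: '0600'` to each of those tasks. The same applies to `k8s-dashboard.bundle`, which the `shell: cat ...` task builds by appending the private key to the certificate and which also inherits the umask. Further points: every generation task is tagged `certficates` (sic) while the fetch and distribute tasks use `certificates`, so `--tags certificates` would fetch and distribute without ever generating; the master CSR's `subject_alt_name` uses `IP:{{ groups['masters'][0] }}` and `IP:{{ groups['load_balancers'][0] }}`, which are inventory names rather than addresses, while `k8smaster01_ip` and `load_balancer_ip` in vars/main.yml go unused (an inventory of hostnames would reproduce exactly the "Cannot parse Subject Alternative Name" error recorded in the header comment); `find` hard-codes `paths: /root/k8scerts` instead of `{{ CA_DIR }}`; and the distribute tasks match on literal `ansible_hostname == 'k8sworker01'` etc. instead of the `k8sworkerNN_hostname` vars the CSRs were built from, so renaming a worker in vars silently breaks distribution.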

View File

@ -0,0 +1,2 @@
localhost

View File

@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- certificates
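Review bot: this playbook only works under `--syntax-check`; the inventory beside it contains just `localhost` and none of the `management`, `masters`, `workers` or `load_balancers` groups, so an actual run fails at the first `groups['management'][0]` lookup with an undefined-attribute error. Either add a minimal inventory that puts localhost into those groups, or state in the README that the test is syntax-only.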

View File

@ -0,0 +1,28 @@
---
# vars file for certificates
# The directory on the CA host where all the keys, CSRs, and certificates will be stored
CA_DIR: /root/k8scerts
# Well known IP used internally by the k8s cluster
APISERVER_SERVICE_IP: 10.32.0.1
# The hostnames of the 3 worker nodes in the cluster
k8sworker01_hostname: k8sworker01
k8sworker02_hostname: k8sworker02
k8sworker03_hostname: k8sworker03
# The IP of the 3 worker nodes in the cluster
k8sworker01_ip: 192.168.50.177
k8sworker02_ip: 192.168.50.202
k8sworker03_ip: 192.168.50.30
# Load balancer hostname to add to the list of names for the controller/master cert
load_balancer_hostname: k8sbalancer01
load_balancer_ip: 192.168.50.117
# Controller/master hostname to add to the list of names for the controller/master cert
k8smaster01_hostname: k8smaster01
k8smaster01_ip: 192.168.50.240
#
#encryption_config
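Review bot: deployment-specific values (`CA_DIR`, the worker and master hostnames and IPs, `load_balancer_hostname`) belong in `defaults/main.yml`, which this commit leaves empty, rather than `vars/main.yml`; role vars take precedence over inventory host and group vars, so users cannot override these addresses per environment without `-e`. `load_balancer_ip` and `k8smaster01_ip` are defined here but never used (tasks/main.yml builds the master's IP SANs from inventory names instead), and the trailing `#encryption_config` line is a leftover from the commented-out task in tasks/main.yml and should either be a real variable or be dropped.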