seperate kube-proxy certs for each node
parent
27e3998cb6
commit
8ed48f052c
3 changed files with 16 additions and 10 deletions
|
@ -8,8 +8,8 @@ clusters:
|
||||||
users:
|
users:
|
||||||
- name: kube-proxy
|
- name: kube-proxy
|
||||||
user:
|
user:
|
||||||
client-certificate: {{ kube_cert_dir }}/kube-proxy.pem
|
client-certificate: {{ kube_cert_dir }}/kube-proxy-{{ inventory_hostname }}.pem
|
||||||
client-key: {{ kube_cert_dir }}/kube-proxy-key.pem
|
client-key: {{ kube_cert_dir }}/kube-proxy-{{ inventory_hostname }}-key.pem
|
||||||
contexts:
|
contexts:
|
||||||
- context:
|
- context:
|
||||||
cluster: local
|
cluster: local
|
||||||
|
|
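Review bot: The new `client-certificate`/`client-key` paths tie this kubeconfig to the file names the certificate-generation script writes for each `$host`, so `inventory_hostname` must be byte-identical to the value iterated there; if one side is an FQDN and the other a short name, the kubeconfig points at a file that does not exist and kube-proxy fails without an obvious cause. How `HOSTS` is built is not visible on this page, so this is an inference. A one-line comment above the `users:` entry would make the coupling explicit: `# file names must match what the cert script writes per host: kube-proxy-<host>.pem / kube-proxy-<host>-key.pem`.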
|
@ -103,9 +103,15 @@ if [ -n "$HOSTS" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# system:kube-proxy
|
# system:kube-proxy
|
||||||
openssl genrsa -out kube-proxy-key.pem 2048 > /dev/null 2>&1
|
if [ -n "$HOSTS" ]; then
|
||||||
openssl req -new -key kube-proxy-key.pem -out kube-proxy.csr -subj "/CN=system:kube-proxy" > /dev/null 2>&1
|
for host in $HOSTS; do
|
||||||
openssl x509 -req -in kube-proxy.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out kube-proxy.pem -days 3650 > /dev/null 2>&1
|
cn="${host%%.*}"
|
||||||
|
# kube-proxy key
|
||||||
|
openssl genrsa -out kube-proxy-${host}-key.pem 2048 > /dev/null 2>&1
|
||||||
|
openssl req -new -key kube-proxy-${host}-key.pem -out kube-proxy-${host}.csr -subj "/CN=system:kube-proxy" > /dev/null 2>&1
|
||||||
|
openssl x509 -req -in kube-proxy-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out kube-proxy-${host}.pem -days 3650 > /dev/null 2>&1
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Install certs
|
# Install certs
|
||||||
|
|
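Review bot: `cn="${host%%.*}"` on the new line is assigned but never used — the `openssl req` line that follows still passes the fixed `-subj "/CN=system:kube-proxy"`, so every node now gets its own key but an identical identity, and the API server, audit log and RBAC cannot tell one node's kube-proxy from another's. Either drop the dead assignment or put the node name into a subject field that does not alter the user name (the `system:kube-proxy` CN is presumably what the authorization binding keys on), e.g. `openssl req -new -key "kube-proxy-${host}-key.pem" -out "kube-proxy-${host}.csr" -subj "/CN=system:kube-proxy/OU=${cn}" > /dev/null 2>&1`, so a cert is at least attributable on inspection. Separately, every `openssl` call in the loop discards both stdout and stderr with `> /dev/null 2>&1` and its exit status is never checked, so a failed signing for one host silently leaves that node without a `.pem` unless the script runs under `set -e`, which is not visible here. The enclosing `if [ -n "$HOSTS" ]` block and the rest of the script continue outside the hunk.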
|
@ -69,17 +69,17 @@
|
||||||
'apiserver-key.pem'
|
'apiserver-key.pem'
|
||||||
]
|
]
|
||||||
all_node_certs: "['ca.pem',
|
all_node_certs: "['ca.pem',
|
||||||
'kube-proxy.pem',
|
|
||||||
'kube-proxy-key.pem',
|
|
||||||
{% for node in groups['k8s-cluster'] %}
|
{% for node in groups['k8s-cluster'] %}
|
||||||
'node-{{ node }}.pem',
|
'node-{{ node }}.pem',
|
||||||
'node-{{ node }}-key.pem',
|
'node-{{ node }}-key.pem',
|
||||||
|
'kube-proxy-{{ node }}.pem',
|
||||||
|
'kube-proxy-{{ node }}-key.pem',
|
||||||
{% endfor %}]"
|
{% endfor %}]"
|
||||||
my_node_certs: ['ca.pem',
|
my_node_certs: ['ca.pem',
|
||||||
'kube-proxy.pem',
|
|
||||||
'kube-proxy-key.pem',
|
|
||||||
'node-{{ inventory_hostname }}.pem',
|
'node-{{ inventory_hostname }}.pem',
|
||||||
'node-{{ inventory_hostname }}-key.pem'
|
'node-{{ inventory_hostname }}-key.pem',
|
||||||
|
'kube-proxy-{{ inventory_hostname }}.pem',
|
||||||
|
'kube-proxy-{{ inventory_hostname }}-key.pem',
|
||||||
]
|
]
|
||||||
tags: facts
|
tags: facts
|
||||||
|
|
||||||
|
|
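Review bot: The two new `kube-proxy-{{ node }}-key.pem` entries are added to `all_node_certs`, which, judging by the existing `node-{{ node }}-key.pem` entries, is a list containing every node's private keys; if that list is what gets copied to each cluster node (the copy task is not in this hunk), every node still receives every other node's kube-proxy key and the per-node split gains nothing against a compromised node. Only `my_node_certs` should ever carry a private key onto a node, and `all_node_certs` should stay on the host that generates the certificates. A comment on `all_node_certs` stating where it may land would make that intent reviewable: `# holds private keys for every node — only for the cert-generating host, never distributed to nodes`. The task these vars belong to starts above the hunk.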