C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Create certificates for each node too (#3698)

Browse source
This commit is contained in:
Andreas Krüger 2018-11-13 16:10:59 +01:00 committed by k8s-ci-robot
parent e8901a2422
commit afc3f7dce4
3 changed files with 38 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
roles/kubernetes/secrets/tasks/gen_certs_script.yml
View file

@ -28,14 +28,21 @@
tags:
- k8s-secrets
- name: Gen_certs | write openssl config
- name: Gen_certs | write masters openssl config
template:
src: "openssl.conf.j2"
dest: "{{ kube_config_dir }}/openssl.conf"
src: "openssl-master.conf.j2"
dest: "{{ kube_config_dir }}/openssl-master.conf"
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
delegate_to: "{{ groups['kube-master']|first }}"
when: gen_certs|default(false)
- name: Gen_certs | write nodes openssl config
template:
src: "openssl-node.conf.j2"
dest: "{{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf"
delegate_to: "{{ groups['kube-master']|first }}"
when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster']
- name: Gen_certs | copy certs generation script
template:
src: "make-ssl.sh.j2"
@ -45,24 +52,26 @@
delegate_to: "{{groups['kube-master'][0]}}"
when: gen_certs|default(false)
- name: Gen_certs | run cert generation script
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
- name: Gen_certs | run master cert generation script
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl-master.conf -d {{ kube_cert_dir }}"
environment:
- MASTERS: "{% for m in groups['kube-master'] %}
{% if gen_master_certs|default(false) %}
{{ m }}
{% endif %}
{% endfor %}"
- HOSTS: "{% for h in groups['k8s-cluster'] %}
{% if gen_node_certs[h]|default(true) %}
{{ h }}
{% endif %}
{% endfor %}"
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
delegate_to: "{{ groups['kube-master']|first }}"
when: gen_certs|default(false)
notify: set secret_changed
- name: Gen_certs | run nodes cert generation script
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf -d {{ kube_cert_dir }}"
environment:
- HOSTS: "{{ inventory_hostname }}"
delegate_to: "{{ groups['kube-master']|first }}"
when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster']
notify: set secret_changed
- set_fact:
all_master_certs: "['ca-key.pem',
'apiserver.pem',

0
roles/kubernetes/secrets/templates/openssl.conf.j2 → roles/kubernetes/secrets/templates/openssl-master.conf.j2
View file

16
roles/kubernetes/secrets/templates/openssl-node.conf.j2 Normal file
View file

@ -0,0 +1,16 @@
{% set counter = {'dns': 2,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.{{ counter["dns"] }} = {{ inventory_hostname }}{{ increment(counter, 'dns') }}
{% if hostvars[inventory_hostname]['access_ip'] is defined %}
IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['access_ip'] }}{{ increment(counter, 'ip') }}
{% endif %}
IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['ip'] | default(hostvars[inventory_hostname]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
IP.{{ counter["ip"] }} = 127.0.0.1