Create certificates for each node too (#3698)
This commit is contained in:
parent
e8901a2422
commit
afc3f7dce4
3 changed files with 38 additions and 13 deletions
|
@ -28,14 +28,21 @@
|
||||||
tags:
|
tags:
|
||||||
- k8s-secrets
|
- k8s-secrets
|
||||||
|
|
||||||
- name: Gen_certs | write openssl config
|
- name: Gen_certs | write masters openssl config
|
||||||
template:
|
template:
|
||||||
src: "openssl.conf.j2"
|
src: "openssl-master.conf.j2"
|
||||||
dest: "{{ kube_config_dir }}/openssl.conf"
|
dest: "{{ kube_config_dir }}/openssl-master.conf"
|
||||||
run_once: yes
|
run_once: yes
|
||||||
delegate_to: "{{groups['kube-master'][0]}}"
|
delegate_to: "{{ groups['kube-master']|first }}"
|
||||||
when: gen_certs|default(false)
|
when: gen_certs|default(false)
|
||||||
|
|
||||||
|
- name: Gen_certs | write nodes openssl config
|
||||||
|
template:
|
||||||
|
src: "openssl-node.conf.j2"
|
||||||
|
dest: "{{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf"
|
||||||
|
delegate_to: "{{ groups['kube-master']|first }}"
|
||||||
|
when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster']
|
||||||
|
|
||||||
- name: Gen_certs | copy certs generation script
|
- name: Gen_certs | copy certs generation script
|
||||||
template:
|
template:
|
||||||
src: "make-ssl.sh.j2"
|
src: "make-ssl.sh.j2"
|
||||||
|
@ -45,24 +52,26 @@
|
||||||
delegate_to: "{{groups['kube-master'][0]}}"
|
delegate_to: "{{groups['kube-master'][0]}}"
|
||||||
when: gen_certs|default(false)
|
when: gen_certs|default(false)
|
||||||
|
|
||||||
- name: Gen_certs | run cert generation script
|
- name: Gen_certs | run master cert generation script
|
||||||
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
|
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl-master.conf -d {{ kube_cert_dir }}"
|
||||||
environment:
|
environment:
|
||||||
- MASTERS: "{% for m in groups['kube-master'] %}
|
- MASTERS: "{% for m in groups['kube-master'] %}
|
||||||
{% if gen_master_certs|default(false) %}
|
{% if gen_master_certs|default(false) %}
|
||||||
{{ m }}
|
{{ m }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}"
|
{% endfor %}"
|
||||||
- HOSTS: "{% for h in groups['k8s-cluster'] %}
|
delegate_to: "{{ groups['kube-master']|first }}"
|
||||||
{% if gen_node_certs[h]|default(true) %}
|
|
||||||
{{ h }}
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}"
|
|
||||||
run_once: yes
|
|
||||||
delegate_to: "{{groups['kube-master'][0]}}"
|
|
||||||
when: gen_certs|default(false)
|
when: gen_certs|default(false)
|
||||||
notify: set secret_changed
|
notify: set secret_changed
|
||||||
|
|
||||||
|
- name: Gen_certs | run nodes cert generation script
|
||||||
|
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf -d {{ kube_cert_dir }}"
|
||||||
|
environment:
|
||||||
|
- HOSTS: "{{ inventory_hostname }}"
|
||||||
|
delegate_to: "{{ groups['kube-master']|first }}"
|
||||||
|
when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster']
|
||||||
|
notify: set secret_changed
|
||||||
|
|
||||||
- set_fact:
|
- set_fact:
|
||||||
all_master_certs: "['ca-key.pem',
|
all_master_certs: "['ca-key.pem',
|
||||||
'apiserver.pem',
|
'apiserver.pem',
|
||||||
|
|
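--- a/roles/kubernetes/secrets/templates/openssl-node.conf.j2
+++ b/roles/kubernetes/secrets/templates/openssl-node.conf.j2
@@ -0,0 +1,16 @@
+{% set counter = {'dns': 2,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = localhost
+DNS.{{ counter["dns"] }} = {{ inventory_hostname }}{{ increment(counter, 'dns') }}
+{% if hostvars[inventory_hostname]['access_ip'] is defined %}
+IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['access_ip'] }}{{ increment(counter, 'ip') }}
+{% endif %}
+IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['ip'] | default(hostvars[inventory_hostname]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
+IP.{{ counter["ip"] }} = 127.0.0.1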
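Review bot: The `[ v3_req ]` section sets `keyUsage` but no `extendedKeyUsage`, so a certificate issued from this template is accepted for any purpose (server or client authentication) by verifiers that treat a missing EKU as unrestricted. If the per-node certificate has one intended role, pinning it — `extendedKeyUsage = serverAuth` for a kubelet serving certificate, or `extendedKeyUsage = serverAuth, clientAuth` if the same key also identifies the node as a client — records that intent and limits what a leaked node key can be reused for; how the certificate is actually consumed is decided by make-ssl.sh, which is not part of this section. Separately, the fallback in `default(hostvars[inventory_hostname]['ansible_default_ipv4']['address'])` is, as far as I can tell, evaluated before the filter runs, so on a host whose facts were not gathered the template fails to render with an undefined-variable error instead of falling back; guarding that line with `{% if hostvars[inventory_hostname]['ip'] is defined or hostvars[inventory_hostname]['ansible_default_ipv4'] is defined %}` (or choosing the address in a `{% set %}` first) would make the failure mode explicit.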