Create certificates for each node too (#3698)

Andreas Krüger 2018-11-13 16:10:59 +01:00 committed by k8s-ci-robot
parent e8901a2422
commit afc3f7dce4
3 changed files with 38 additions and 13 deletions


@ -28,14 +28,21 @@
tags: tags:
- k8s-secrets - k8s-secrets
- name: Gen_certs | write openssl config - name: Gen_certs | write masters openssl config
template: template:
src: "openssl.conf.j2" src: "openssl-master.conf.j2"
dest: "{{ kube_config_dir }}/openssl.conf" dest: "{{ kube_config_dir }}/openssl-master.conf"
run_once: yes run_once: yes
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{ groups['kube-master']|first }}"
when: gen_certs|default(false) when: gen_certs|default(false)
- name: Gen_certs | write nodes openssl config
template:
src: "openssl-node.conf.j2"
dest: "{{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf"
delegate_to: "{{ groups['kube-master']|first }}"
when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster']
- name: Gen_certs | copy certs generation script - name: Gen_certs | copy certs generation script
template: template:
src: "make-ssl.sh.j2" src: "make-ssl.sh.j2"
@ -45,24 +52,26 @@
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
when: gen_certs|default(false) when: gen_certs|default(false)
- name: Gen_certs | run cert generation script - name: Gen_certs | run master cert generation script
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}" command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl-master.conf -d {{ kube_cert_dir }}"
environment: environment:
- MASTERS: "{% for m in groups['kube-master'] %} - MASTERS: "{% for m in groups['kube-master'] %}
{% if gen_master_certs|default(false) %} {% if gen_master_certs|default(false) %}
{{ m }} {{ m }}
{% endif %} {% endif %}
{% endfor %}" {% endfor %}"
- HOSTS: "{% for h in groups['k8s-cluster'] %} delegate_to: "{{ groups['kube-master']|first }}"
{% if gen_node_certs[h]|default(true) %}
{{ h }}
{% endif %}
{% endfor %}"
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
when: gen_certs|default(false) when: gen_certs|default(false)
notify: set secret_changed notify: set secret_changed
- name: Gen_certs | run nodes cert generation script
command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf -d {{ kube_cert_dir }}"
environment:
- HOSTS: "{{ inventory_hostname }}"
delegate_to: "{{ groups['kube-master']|first }}"
when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster']
notify: set secret_changed
- set_fact: - set_fact:
all_master_certs: "['ca-key.pem', all_master_certs: "['ca-key.pem',
'apiserver.pem', 'apiserver.pem',
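Review bot: The new `Gen_certs | run nodes cert generation script` task executes once per host in `groups['k8s-cluster']` but every execution is delegated to the same first master without `run_once`, so with Ansible's parallel forks several `make-ssl.sh` invocations run concurrently on that master against the same `{{ kube_cert_dir }}`, whereas the removed task serialized this with `run_once: yes` and a multi-host `HOSTS` list. If make-ssl.sh touches any shared state (the CA key, a serial or index file, a temp directory — not visible on this page) that is a race that can corrupt or truncate certificates, so a single `run_once` invocation looping over the node list is the safer shape, sketched below. The old `gen_node_certs[h]|default(true)` gate is also dropped: the new `when:` regenerates every node certificate whenever `gen_certs` is true, which looks like an unintended behaviour change unless the script now skips existing certificates. Minor style point: the untouched `copy certs generation script` task still uses `{{groups['kube-master'][0]}}` while the new tasks use `{{ groups['kube-master']|first }}`; aligning them keeps the file consistent.
```yaml
- name: Gen_certs | run nodes cert generation script
  command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/{{ item }}-openssl.conf -d {{ kube_cert_dir }}"
  environment:
    - HOSTS: "{{ item }}"
  with_items: "{{ groups['k8s-cluster'] }}"
  run_once: yes
  delegate_to: "{{ groups['kube-master']|first }}"
  when: gen_certs|default(false) and gen_node_certs[item]|default(true)
  notify: set secret_changed
```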


@ -0,0 +1,16 @@
{% set counter = {'dns': 2,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.{{ counter["dns"] }} = {{ inventory_hostname }}{{ increment(counter, 'dns') }}
{% if hostvars[inventory_hostname]['access_ip'] is defined %}
IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['access_ip'] }}{{ increment(counter, 'ip') }}
{% endif %}
IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['ip'] | default(hostvars[inventory_hostname]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
IP.{{ counter["ip"] }} = 127.0.0.1
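Review bot: The `IP.` line that falls back to `hostvars[inventory_hostname]['ansible_default_ipv4']['address']` is evaluated whenever `ip` is unset, so a host with no default IPv4 route (or with facts not gathered) fails template rendering with an undefined-variable error rather than a clear message; guarding it with `{% if hostvars[inventory_hostname]['ip'] is defined or hostvars[inventory_hostname]['ansible_default_ipv4'] is defined %}` or an assert task before the template makes the failure explicit. When `access_ip` equals `ip` the same address is emitted as two `IP.n` entries; OpenSSL tolerates it, but wrapping the `access_ip` block in `{% if ... and hostvars[inventory_hostname]['access_ip'] != hostvars[inventory_hostname]['ip']|default('') %}` avoids the duplicate. Every node certificate also carries the `localhost` and `127.0.0.1` SANs; if the certificate is only presented on loopback that is expected, but a short comment stating the intended use would let reviewers judge whether those identities are needed. The counter/macro one-liner at the top would read better with a Jinja comment such as `{# counter holds the next SAN index: DNS.1 is fixed to localhost, IP.* are appended in order access_ip (if defined), ip, 127.0.0.1 #}` kept on the same line so no extra newline lands in the rendered config.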