Add SSL certs for kubelet

Generate SSL cert/key for kubelet and configure it to use those
instead of generating self-signed ones.

Closes #1035
Aleksandr Didenko 2017-02-16 17:27:49 +01:00
parent ee5f009b95
commit c3f369d5b8
5 changed files with 50 additions and 2 deletions


@ -15,6 +15,7 @@ bin_dir: /usr/local/bin
kube_config_dir: /etc/kubernetes kube_config_dir: /etc/kubernetes
kube_script_dir: "{{ bin_dir }}/kubernetes-scripts" kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
kube_manifest_dir: "{{ kube_config_dir }}/manifests" kube_manifest_dir: "{{ kube_config_dir }}/manifests"
kube_crt_tmp_dir: "/var/tmp/kubecrt"
system_namespace: kube-system system_namespace: kube-system
# Logging directory (sysvinit systems) # Logging directory (sysvinit systems)
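Review bot: `kube_crt_tmp_dir` defaults into `/var/tmp`, a shared world-writable location, and the task in the gen_certs hunk of this commit that creates it (`Gen_certs | Create kubernetes cert temp directory`) sets `owner: kube` but no `mode:`, so the per-host `.san` files that `make-ssl.sh` later feeds to openssl as `-config`/`-extfile` land in a directory whose permissions are whatever the umask gives. Because the contents of those files decide which names the node certificates carry, the directory should be private to the account running the script: add `mode: "0700"` to that `file:` task, or place the default under a root-owned path such as the existing `kube_config_dir`. The variable itself also has no comment; `# Scratch dir on the first master for per-host openssl SAN config (gen_certs)` would tell a reader what lives there.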


@ -12,6 +12,8 @@ KUBELET_HOSTNAME="--hostname-override={{ ansible_hostname }}"
{% set kubelet_args_base %}--pod-manifest-path={{ kube_manifest_dir }} \ {% set kubelet_args_base %}--pod-manifest-path={{ kube_manifest_dir }} \
--pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \ --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \
--kube-reserved cpu={{ kubelet_cpu_limit }},memory={{ kubelet_memory_limit|regex_replace('Mi', 'M') }} \ --kube-reserved cpu={{ kubelet_cpu_limit }},memory={{ kubelet_memory_limit|regex_replace('Mi', 'M') }} \
--tls-cert-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem \
--tls-private-key-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
--node-status-update-frequency={{ kubelet_status_update_frequency }}{% endset %} --node-status-update-frequency={{ kubelet_status_update_frequency }}{% endset %}
{# DNS settings for kubelet #} {# DNS settings for kubelet #}
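Review bot: The two new `--tls-*` flags name files under `kube_cert_dir` without saying where they come from; a reader of this template has to open the gen_certs role to learn they are the `node-<host>.pem` / `node-<host>-key.pem` entries produced by `make-ssl.sh` and synced to the node. A Jinja comment above them would close that gap: `{# node serving cert/key generated by gen_certs (make-ssl.sh) and synced into kube_cert_dir #}`. Note also that the generation script only adds SANs when a `.san` file exists for the host, so a node whose certificate predates this change will be served here with a CN-only certificate until its certs are regenerated — if the apiserver verifies the kubelet's serving name, that is worth a line in the docs or a regeneration step.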


@ -96,8 +96,16 @@ if [ -n "$HOSTS" ]; then
cn="${host%%.*}" cn="${host%%.*}"
# node key # node key
openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1 openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}" > /dev/null 2>&1 # Let's add SAN if needed
openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 > /dev/null 2>&1 if [ -e "${CRT_TMP_DIR}/${host}.san" ]; then
CSR_OPTS="-config ${CRT_TMP_DIR}/${host}.san"
CRT_OPTS="-extensions v3_req -extfile ${CRT_TMP_DIR}/${host}.san"
else
CSR_OPTS=""
CRT_OPTS=""
fi
openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}" $CSR_OPTS > /dev/null 2>&1
openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 $CRT_OPTS > /dev/null 2>&1
done done
fi fi
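Review bot: When `${CRT_TMP_DIR}/${host}.san` is missing, the new `else` branch silently falls back to a CSR and certificate with no SAN extension, and both openssl invocations still discard stdout and stderr, so a host whose SAN file was never written (or is malformed) yields a CN-only certificate with no trace in the run. Since the play now always writes that file, the else-branch should fail rather than degrade: `echo "missing SAN file ${CRT_TMP_DIR}/${host}.san" >&2; exit 1` — or at minimum print a warning to stderr. `CRT_TMP_DIR` is also used unguarded; `: "${CRT_TMP_DIR:?CRT_TMP_DIR must be set}"` before the loop stops an unset variable from turning the test into `/${host}.san`. The enclosing `if [ -n "$HOSTS" ]` loop begins before this hunk.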


@ -19,6 +19,16 @@
tags: [k8s-secrets, bootstrap-os] tags: [k8s-secrets, bootstrap-os]
when: gen_certs|default(false) when: gen_certs|default(false)
- name: "Gen_certs | Create kubernetes cert temp directory (on {{groups['kube-master'][0]}})"
file:
path: "{{ kube_crt_tmp_dir }}"
state: directory
owner: kube
run_once: yes
delegate_to: "{{groups['kube-master'][0]}}"
tags: [k8s-secrets, bootstrap-os]
when: gen_certs|default(false)
- name: Gen_certs | write openssl config - name: Gen_certs | write openssl config
template: template:
src: "openssl.conf.j2" src: "openssl.conf.j2"
@ -27,6 +37,13 @@
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
when: gen_certs|default(false) when: gen_certs|default(false)
- name: Gen_certs | write SubjectAltNames file
template:
src: "openssl-san.j2"
dest: "{{ kube_crt_tmp_dir }}/{{ inventory_hostname }}.san"
delegate_to: "{{groups['kube-master'][0]}}"
when: gen_certs|default(false)
- name: Gen_certs | copy certs generation script - name: Gen_certs | copy certs generation script
copy: copy:
src: "make-ssl.sh" src: "make-ssl.sh"
@ -49,6 +66,7 @@
{{ h }} {{ h }}
{% endif %} {% endif %}
{% endfor %}" {% endfor %}"
- CRT_TMP_DIR: "{{ kube_crt_tmp_dir }}"
run_once: yes run_once: yes
delegate_to: "{{groups['kube-master'][0]}}" delegate_to: "{{groups['kube-master'][0]}}"
when: gen_certs|default(false) when: gen_certs|default(false)
@ -74,6 +92,7 @@
'node-{{ node }}-key.pem', 'node-{{ node }}-key.pem',
{% endfor %}]" {% endfor %}]"
my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem'] my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
tags: facts tags: facts
- name: Gen_certs | Gather master certs - name: Gen_certs | Gather master certs
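Review bot: The new `Gen_certs | write SubjectAltNames file` task carries no `tags:`, while the temp-directory task added just above it and the gen_certs tasks at both hunk edges are tagged `[k8s-secrets, bootstrap-os]`; a run limited with `--tags k8s-secrets` will create the directory and run the script but never write the `.san` file, and the script's missing-file branch then issues SAN-less certificates without complaint. Add `tags: [k8s-secrets, bootstrap-os]` to the task so it is selected together with the rest of the certificate flow. The task is also the only one in the hunk with a per-host `dest` (`{{ inventory_hostname }}.san`) and no `run_once`, which is correct but non-obvious next to its `run_once: yes` neighbours; a one-line comment, `# one SAN file per node, all written on the first master`, would prevent someone "fixing" it.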


@ -0,0 +1,18 @@
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = {{ ansible_hostname }}
DNS.3 = {{ inventory_hostname }}
IP.1 = 127.0.0.1
IP.2 = {{ access_ip | default(ansible_default_ipv4['address']) }}
IP.3 = {{ ip | default(ansible_default_ipv4['address']) }}
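Review bot: The template has no comment, and the templated SAN entries need one: `DNS.2`/`DNS.3` collapse to the same name when `ansible_hostname` equals `inventory_hostname`, and `IP.2`/`IP.3` both render `ansible_default_ipv4['address']` when neither `access_ip` nor `ip` is set, so a reader cannot tell from the file that the duplicate entries are intended (openssl appears to accept them, so this is documentation rather than a bug). A short header such as `# SANs for the kubelet serving cert of {{ inventory_hostname }}; duplicate entries are expected` above `[req]`, plus a one-line comment on `IP.2`/`IP.3` naming the variable each one falls back to, would document that. If an inventory keyed by IP address is supported, `DNS.3` receives an IP literal as a DNS name — probably harmless, but worth noting in the same comment.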