Add SSL certs for kubelet
Generate an SSL cert/key pair for the kubelet and configure it to use them instead of generating self-signed ones. Closes #1035
This commit is contained in:
parent
ee5f009b95
commit
c3f369d5b8
5 changed files with 50 additions and 2 deletions
|
@ -15,6 +15,7 @@ bin_dir: /usr/local/bin
|
||||||
kube_config_dir: /etc/kubernetes
|
kube_config_dir: /etc/kubernetes
|
||||||
kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
|
kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
|
||||||
kube_manifest_dir: "{{ kube_config_dir }}/manifests"
|
kube_manifest_dir: "{{ kube_config_dir }}/manifests"
|
||||||
|
kube_crt_tmp_dir: "/var/tmp/kubecrt"
|
||||||
system_namespace: kube-system
|
system_namespace: kube-system
|
||||||
|
|
||||||
# Logging directory (sysvinit systems)
|
# Logging directory (sysvinit systems)
|
||||||
|
|
|
@ -12,6 +12,8 @@ KUBELET_HOSTNAME="--hostname-override={{ ansible_hostname }}"
|
||||||
{% set kubelet_args_base %}--pod-manifest-path={{ kube_manifest_dir }} \
|
{% set kubelet_args_base %}--pod-manifest-path={{ kube_manifest_dir }} \
|
||||||
--pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \
|
--pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \
|
||||||
--kube-reserved cpu={{ kubelet_cpu_limit }},memory={{ kubelet_memory_limit|regex_replace('Mi', 'M') }} \
|
--kube-reserved cpu={{ kubelet_cpu_limit }},memory={{ kubelet_memory_limit|regex_replace('Mi', 'M') }} \
|
||||||
|
--tls-cert-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem \
|
||||||
|
--tls-private-key-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
|
||||||
--node-status-update-frequency={{ kubelet_status_update_frequency }}{% endset %}
|
--node-status-update-frequency={{ kubelet_status_update_frequency }}{% endset %}
|
||||||
|
|
||||||
{# DNS settings for kubelet #}
|
{# DNS settings for kubelet #}
|
||||||
|
|
|
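Review bot: The two added `--tls-cert-file` / `--tls-private-key-file` flags make the kubelet depend on `node-{{ inventory_hostname }}.pem` and its key being present under `kube_cert_dir` on every node; if the cert was never distributed (a node added while `gen_certs` was false, for instance) the kubelet will presumably refuse to start rather than fall back to a self-signed cert as it did before. That is the intended tightening, but it deserves a line of Jinja above the flags so the change is discoverable: `{# serving cert issued by make-ssl.sh; no self-signed fallback, so the node cert must be in place #}`. Note also that the issued cert's subject is only `/CN=kube-node-<short name>` (see the make-ssl.sh hunk), so anyone verifying the kubelet endpoint relies entirely on the subjectAltName entries from the per-host `.san` file being present.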
@ -96,8 +96,16 @@ if [ -n "$HOSTS" ]; then
|
||||||
cn="${host%%.*}"
|
cn="${host%%.*}"
|
||||||
# node key
|
# node key
|
||||||
openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
|
openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
|
||||||
openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}" > /dev/null 2>&1
|
# Let's add SAN if needed
|
||||||
openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 > /dev/null 2>&1
|
if [ -e "${CRT_TMP_DIR}/${host}.san" ]; then
|
||||||
|
CSR_OPTS="-config ${CRT_TMP_DIR}/${host}.san"
|
||||||
|
CRT_OPTS="-extensions v3_req -extfile ${CRT_TMP_DIR}/${host}.san"
|
||||||
|
else
|
||||||
|
CSR_OPTS=""
|
||||||
|
CRT_OPTS=""
|
||||||
|
fi
|
||||||
|
openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}" $CSR_OPTS > /dev/null 2>&1
|
||||||
|
openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 $CRT_OPTS > /dev/null 2>&1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
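Review bot: The `else` branch (`CSR_OPTS=""` / `CRT_OPTS=""`) silently issues a certificate with no subjectAltName when `${CRT_TMP_DIR}/${host}.san` is absent — which is also where an unset `CRT_TMP_DIR` lands — and because the subject is only `/CN=kube-node-${cn}` the resulting cert is not valid for the node's hostname or IP, while the `> /dev/null 2>&1` redirects hide any hint of it. At minimum warn, `echo "WARNING: no SAN file for ${host}; issuing cert without subjectAltName" >&2`, or treat the missing file as an error for that host so the kubelet does not end up serving a name-less certificate. `$CSR_OPTS` and `$CRT_OPTS` are expanded unquoted on purpose to get word splitting; a short comment saying so (and that it assumes `CRT_TMP_DIR` has no whitespace) would stop a later cleanup from quoting them. The enclosing `for host` loop and the `if [ -n "$HOSTS" ]` block start outside the hunk.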
@ -19,6 +19,16 @@
|
||||||
tags: [k8s-secrets, bootstrap-os]
|
tags: [k8s-secrets, bootstrap-os]
|
||||||
when: gen_certs|default(false)
|
when: gen_certs|default(false)
|
||||||
|
|
||||||
|
- name: "Gen_certs | Create kubernetes cert temp directory (on {{groups['kube-master'][0]}})"
|
||||||
|
file:
|
||||||
|
path: "{{ kube_crt_tmp_dir }}"
|
||||||
|
state: directory
|
||||||
|
owner: kube
|
||||||
|
run_once: yes
|
||||||
|
delegate_to: "{{groups['kube-master'][0]}}"
|
||||||
|
tags: [k8s-secrets, bootstrap-os]
|
||||||
|
when: gen_certs|default(false)
|
||||||
|
|
||||||
- name: Gen_certs | write openssl config
|
- name: Gen_certs | write openssl config
|
||||||
template:
|
template:
|
||||||
src: "openssl.conf.j2"
|
src: "openssl.conf.j2"
|
||||||
|
@ -27,6 +37,13 @@
|
||||||
delegate_to: "{{groups['kube-master'][0]}}"
|
delegate_to: "{{groups['kube-master'][0]}}"
|
||||||
when: gen_certs|default(false)
|
when: gen_certs|default(false)
|
||||||
|
|
||||||
|
- name: Gen_certs | write SubjectAltNames file
|
||||||
|
template:
|
||||||
|
src: "openssl-san.j2"
|
||||||
|
dest: "{{ kube_crt_tmp_dir }}/{{ inventory_hostname }}.san"
|
||||||
|
delegate_to: "{{groups['kube-master'][0]}}"
|
||||||
|
when: gen_certs|default(false)
|
||||||
|
|
||||||
- name: Gen_certs | copy certs generation script
|
- name: Gen_certs | copy certs generation script
|
||||||
copy:
|
copy:
|
||||||
src: "make-ssl.sh"
|
src: "make-ssl.sh"
|
||||||
|
@ -49,6 +66,7 @@
|
||||||
{{ h }}
|
{{ h }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}"
|
{% endfor %}"
|
||||||
|
- CRT_TMP_DIR: "{{ kube_crt_tmp_dir }}"
|
||||||
run_once: yes
|
run_once: yes
|
||||||
delegate_to: "{{groups['kube-master'][0]}}"
|
delegate_to: "{{groups['kube-master'][0]}}"
|
||||||
when: gen_certs|default(false)
|
when: gen_certs|default(false)
|
||||||
|
@ -74,6 +92,7 @@
|
||||||
'node-{{ node }}-key.pem',
|
'node-{{ node }}-key.pem',
|
||||||
{% endfor %}]"
|
{% endfor %}]"
|
||||||
my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
|
my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
|
||||||
|
|
||||||
tags: facts
|
tags: facts
|
||||||
|
|
||||||
- name: Gen_certs | Gather master certs
|
- name: Gen_certs | Gather master certs
|
||||||
|
|
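Review bot: `Gen_certs | Create kubernetes cert temp directory` sets `owner: kube` but no `mode`, and `kube_crt_tmp_dir` defaults to `/var/tmp/kubecrt` (defaults hunk `@ -15,6 +15,7`), i.e. a directory under a sticky, world-writable parent; the `.san` files written there by `Gen_certs | write SubjectAltNames file` (hunk `@ -27,6 +37,13`) are what the CA signs into each node cert's subjectAltName, so a pre-existing directory with loose permissions would let another local user alter them before `make-ssl.sh` reads them. Add `mode: "0700"` to the directory task and `owner: kube` plus `mode: "0600"` to the template task, or place the temp dir under `kube_cert_dir` instead of `/var/tmp`. The directory is also never removed after the generation script runs; a follow-up task with `state: absent` would keep the per-host SAN files from lingering on the master.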
18
roles/kubernetes/secrets/templates/openssl-san.j2
Normal file
18
roles/kubernetes/secrets/templates/openssl-san.j2
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
[req]
|
||||||
|
req_extensions = v3_req
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
|
||||||
|
[req_distinguished_name]
|
||||||
|
|
||||||
|
[v3_req]
|
||||||
|
basicConstraints = CA:FALSE
|
||||||
|
keyUsage = digitalSignature, keyEncipherment
|
||||||
|
subjectAltName = @alt_names
|
||||||
|
|
||||||
|
[alt_names]
|
||||||
|
DNS.1 = localhost
|
||||||
|
DNS.2 = {{ ansible_hostname }}
|
||||||
|
DNS.3 = {{ inventory_hostname }}
|
||||||
|
IP.1 = 127.0.0.1
|
||||||
|
IP.2 = {{ access_ip | default(ansible_default_ipv4['address']) }}
|
||||||
|
IP.3 = {{ ip | default(ansible_default_ipv4['address']) }}
|
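Review bot: `IP.2` and `IP.3` both fall back to `ansible_default_ipv4['address']`, so on a host with neither `access_ip` nor `ip` set the two entries are duplicates, and on a host without a default IPv4 route the template fails to render instead of producing a usable file. Guarding the optional entries, e.g. `{% if access_ip is defined %}IP.2 = {{ access_ip }}{% endif %}`, and only emitting the fallback once would make the file render on every host. `[v3_req]` carries no `extendedKeyUsage`, so the issued cert is accepted for both server and client authentication — fine if the same node cert is also meant to be the kubelet's client identity, but worth a one-line comment stating that intent. Likewise `[req_distinguished_name]` is empty because the subject comes from `-subj` in make-ssl.sh; a comment saying so would prevent someone from "fixing" it later.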