Add SSL certs for kubelet

Generate SSL cert/key for kubelet and configure it to use those instead of generating self-signed ones. Closes #1035
2017-02-16 17:27:49 +01:00 · 2017-02-16 17:27:49 +01:00 · c3f369d5b8
commit c3f369d5b8
parent ee5f009b95
5 changed files with 50 additions and 2 deletions
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@ -15,6 +15,7 @@ bin_dir: /usr/local/bin
 kube_config_dir: /etc/kubernetes
 kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
 kube_manifest_dir: "{{ kube_config_dir }}/manifests"
+kube_crt_tmp_dir: "/var/tmp/kubecrt"
 system_namespace: kube-system

 # Logging directory (sysvinit systems)
--- a/roles/kubernetes/node/templates/kubelet.j2
+++ b/roles/kubernetes/node/templates/kubelet.j2
@ -12,6 +12,8 @@ KUBELET_HOSTNAME="--hostname-override={{ ansible_hostname }}"
 {% set kubelet_args_base %}--pod-manifest-path={{ kube_manifest_dir }} \
 --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \
 --kube-reserved cpu={{ kubelet_cpu_limit }},memory={{ kubelet_memory_limit|regex_replace('Mi', 'M') }} \
+--tls-cert-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem \
+--tls-private-key-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
 --node-status-update-frequency={{ kubelet_status_update_frequency }}{% endset %}

 {# DNS settings for kubelet #}
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@ -96,8 +96,16 @@ if [ -n "$HOSTS" ]; then
        cn="${host%%.*}"
        # node key
        openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
-        openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}" > /dev/null 2>&1
-        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 > /dev/null 2>&1
+        # Let's add SAN if needed
+        if [ -e "${CRT_TMP_DIR}/${host}.san" ]; then
+          CSR_OPTS="-config ${CRT_TMP_DIR}/${host}.san"
+          CRT_OPTS="-extensions v3_req -extfile ${CRT_TMP_DIR}/${host}.san"
+        else
+          CSR_OPTS=""
+          CRT_OPTS=""
+        fi
+        openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}" $CSR_OPTS > /dev/null 2>&1
+        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 $CRT_OPTS > /dev/null 2>&1
    done
 fi

--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@ -19,6 +19,16 @@
  tags: [k8s-secrets, bootstrap-os]
  when: gen_certs|default(false)

+- name: "Gen_certs | Create kubernetes cert temp directory (on {{groups['kube-master'][0]}})"
+  file:
+    path: "{{ kube_crt_tmp_dir }}"
+    state: directory
+    owner: kube
+  run_once: yes
+  delegate_to: "{{groups['kube-master'][0]}}"
+  tags: [k8s-secrets, bootstrap-os]
+  when: gen_certs|default(false)
+
 - name: Gen_certs | write openssl config
  template:
    src: "openssl.conf.j2"
@ -27,6 +37,13 @@
  delegate_to: "{{groups['kube-master'][0]}}"
  when: gen_certs|default(false)

+- name: Gen_certs | write SubjectAltNames file
+  template:
+    src: "openssl-san.j2"
+    dest: "{{ kube_crt_tmp_dir }}/{{ inventory_hostname }}.san"
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: gen_certs|default(false)
+
 - name: Gen_certs | copy certs generation script
  copy:
    src: "make-ssl.sh"
@ -49,6 +66,7 @@
                    {{ h }}
                {% endif %}
              {% endfor %}"
+    - CRT_TMP_DIR: "{{ kube_crt_tmp_dir }}"
  run_once: yes
  delegate_to: "{{groups['kube-master'][0]}}"
  when: gen_certs|default(false)
@ -74,6 +92,7 @@
                    'node-{{ node }}-key.pem',
                    {% endfor %}]"
    my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
+
  tags: facts

 - name: Gen_certs | Gather master certs
--- a/roles/kubernetes/secrets/templates/openssl-san.j2
+++ b/roles/kubernetes/secrets/templates/openssl-san.j2
@ -0,0 +1,18 @@
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = {{ ansible_hostname }}
+DNS.3 = {{ inventory_hostname }}
+IP.1 = 127.0.0.1
+IP.2 = {{ access_ip | default(ansible_default_ipv4['address']) }}
+IP.3 = {{ ip | default(ansible_default_ipv4['address']) }}