feat: Generate CA and TLS certificates using Ansible
This commit introduces changes to generate Certificate Authority (CA) and TLS certificates using Ansible.
It includes tasks that create private keys and certificate signing requests (CSRs) and sign certificates for the following components:

- Admin user
- Kube-controller-manager
- Kube-proxy
- Kube-scheduler
- Kubernetes API Server
- API Server Kubelet Client
- ETCD Server
- Service Account

The certificates are generated successfully and can be found in the specified location.
A command `cert_verify.sh` is provided to verify the certificates.
Searge committed Apr 17, 2024
1 parent e2d1cfe commit 14e5f91
Showing 4 changed files with 81 additions and 66 deletions.
Empty file added ansible/files/pki/.keep
Empty file.
12 changes: 12 additions & 0 deletions ansible/inventory/group_vars/all.yml
@@ -1,6 +1,18 @@
---
ansible_user: core

#############################################
# MARK: - Kubernetes specific variables
#############################################
# Kubernetes directories paths
k8s_dir: "/etc/kubernetes"
k8s_conf_dir: "{{ k8s_dir }}/conf"
k8s_cert_dir: "{{ k8s_dir }}/certs"
k8s_manifest_dir: "{{ k8s_dir }}/manifests"
k8s_lib_dir: "/var/lib/kubernetes"
k8s_log_dir: "/var/log/kubernetes"
k8s_bin_dir: "/usr/local/bin"

#############################################
# MARK: - Ansible specific variables
#############################################
3 changes: 2 additions & 1 deletion ansible/inventory/group_vars/vagrant.yml
Expand Up @@ -3,4 +3,5 @@ ansible_user: vagrant

service_cidr: "10.96.0.0/24"

certs_path: "{{ ansible_user_dir }}/"
# certs_path: "{{ ansible_user_dir }}/"
local_certs_path: "files/pki"
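Review bot: `local_certs_path: "files/pki"` points the whole PKI, including the CA private key, into the repository tree (the commit also adds `ansible/files/pki/.keep`), and none of the four changed files is a `.gitignore`, so a routine `git add -A` would commit `ca.key` and every component key. Add an ignore rule alongside the `.keep`, e.g. `ansible/files/pki/*` with `!ansible/files/pki/.keep`, or keep the output directory outside the checkout. `certs_path` is left as a commented-out line rather than removed; if other plays (for example the ones that copy certificates to the nodes, not shown here) still reference it, they will now fail on an undefined variable, so a grep for `certs_path` before merging is worthwhile.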
132 changes: 67 additions & 65 deletions ansible/tasks/create_ca_and_tls.yml
Expand Up @@ -47,108 +47,110 @@
- "loadbalancer: {{ loadbalancer_ip }}"

- name: Generate Certificate Authority
run_once: true
delegate_to: localhost
# run_once: true
block:
- name: Generate a CA private key
community.crypto.openssl_privatekey:
path: "{{ certs_path }}/ca.key"
path: "{{ local_certs_path }}/ca.key"

- name: Create CSR using the private key
community.crypto.openssl_csr:
path: "{{ certs_path }}/ca.csr"
privatekey_path: "{{ certs_path }}/ca.key"
path: "{{ local_certs_path }}/ca.csr"
privatekey_path: "{{ local_certs_path }}/ca.key"
subject:
CN: "KUBERNETES-CA"
O: "Kubernetes"

- name: Self sign the csr using its own private key
community.crypto.x509_certificate:
path: "{{ certs_path }}/ca.crt"
privatekey_path: "{{ certs_path }}/ca.key"
csr_path: "{{ certs_path }}/ca.csr"
path: "{{ local_certs_path }}/ca.crt"
privatekey_path: "{{ local_certs_path }}/ca.key"
csr_path: "{{ local_certs_path }}/ca.csr"
provider: selfsigned

- name: Generate Client and Server Certificates
run_once: true
delegate_to: localhost
# run_once: true
block:
- name: Generate private key for admin user
community.crypto.openssl_privatekey:
path: "{{ certs_path }}/admin.key"
path: "{{ local_certs_path }}/admin.key"

- name: Create CSR using the private key
community.crypto.openssl_csr:
path: "{{ certs_path }}/admin.csr"
privatekey_path: "{{ certs_path }}/admin.key"
path: "{{ local_certs_path }}/admin.csr"
privatekey_path: "{{ local_certs_path }}/admin.key"
subject:
CN: "admin"
O: "system:masters"

- name: Sign certificate for admin user using CA servers private key
community.crypto.x509_certificate:
path: "{{ certs_path }}/admin.crt"
ownca_path: "{{ certs_path }}/ca.crt"
ownca_privatekey_path: "{{ certs_path }}/ca.key"
csr_path: "{{ certs_path }}/admin.csr"
path: "{{ local_certs_path }}/admin.crt"
ownca_path: "{{ local_certs_path }}/ca.crt"
ownca_privatekey_path: "{{ local_certs_path }}/ca.key"
csr_path: "{{ local_certs_path }}/admin.csr"
provider: ownca

- name: Generate Controller Manager Client Certificate
community.crypto.openssl_privatekey:
path: "{{ certs_path }}/kube-controller-manager.key"
path: "{{ local_certs_path }}/kube-controller-manager.key"

- name: Create CSR using the private key
community.crypto.openssl_csr:
path: "{{ certs_path }}/kube-controller-manager.csr"
privatekey_path: "{{ certs_path }}/kube-controller-manager.key"
path: "{{ local_certs_path }}/kube-controller-manager.csr"
privatekey_path: "{{ local_certs_path }}/kube-controller-manager.key"
subject:
CN: "system:kube-controller-manager"
O: "system:kube-controller-manager"

- name: Sign certificate for kube-controller-manager using CA servers private key
community.crypto.x509_certificate:
path: "{{ certs_path }}/kube-controller-manager.crt"
ownca_path: "{{ certs_path }}/ca.crt"
ownca_privatekey_path: "{{ certs_path }}/ca.key"
csr_path: "{{ certs_path }}/kube-controller-manager.csr"
path: "{{ local_certs_path }}/kube-controller-manager.crt"
ownca_path: "{{ local_certs_path }}/ca.crt"
ownca_privatekey_path: "{{ local_certs_path }}/ca.key"
csr_path: "{{ local_certs_path }}/kube-controller-manager.csr"
provider: ownca

- name: Generate Kube Proxy Client Certificate
community.crypto.openssl_privatekey:
path: "{{ certs_path }}/kube-proxy.key"
path: "{{ local_certs_path }}/kube-proxy.key"

- name: Create CSR using the private key
community.crypto.openssl_csr:
path: "{{ certs_path }}/kube-proxy.csr"
privatekey_path: "{{ certs_path }}/kube-proxy.key"
path: "{{ local_certs_path }}/kube-proxy.csr"
privatekey_path: "{{ local_certs_path }}/kube-proxy.key"
subject:
CN: "system:kube-proxy"
O: "system:node-proxier"

- name: Sign certificate for kube-proxy using CA servers private key
community.crypto.x509_certificate:
path: "{{ certs_path }}/kube-proxy.crt"
ownca_path: "{{ certs_path }}/ca.crt"
ownca_privatekey_path: "{{ certs_path }}/ca.key"
csr_path: "{{ certs_path }}/kube-proxy.csr"
path: "{{ local_certs_path }}/kube-proxy.crt"
ownca_path: "{{ local_certs_path }}/ca.crt"
ownca_privatekey_path: "{{ local_certs_path }}/ca.key"
csr_path: "{{ local_certs_path }}/kube-proxy.csr"
provider: ownca

- name: Generate Scheduler Client Certificate
community.crypto.openssl_privatekey:
path: "{{ certs_path }}/kube-scheduler.key"
path: "{{ local_certs_path }}/kube-scheduler.key"

- name: Create CSR using the private key
community.crypto.openssl_csr:
path: "{{ certs_path }}/kube-scheduler.csr"
privatekey_path: "{{ certs_path }}/kube-scheduler.key"
path: "{{ local_certs_path }}/kube-scheduler.csr"
privatekey_path: "{{ local_certs_path }}/kube-scheduler.key"
subject:
CN: "system:kube-scheduler"
O: "system:kube-scheduler"

- name: Sign certificate for kube-scheduler using CA servers private key
community.crypto.x509_certificate:
path: "{{ certs_path }}/kube-scheduler.crt"
ownca_path: "{{ certs_path }}/ca.crt"
ownca_privatekey_path: "{{ certs_path }}/ca.key"
csr_path: "{{ certs_path }}/kube-scheduler.csr"
path: "{{ local_certs_path }}/kube-scheduler.crt"
ownca_path: "{{ local_certs_path }}/ca.crt"
ownca_privatekey_path: "{{ local_certs_path }}/ca.key"
csr_path: "{{ local_certs_path }}/kube-scheduler.csr"
provider: ownca

# The Kubernetes API Server Certificate
Expand All @@ -162,12 +164,12 @@

- name: Generate Kubernetes API Server Certificate
community.crypto.openssl_privatekey:
path: "{{ certs_path }}/kube-apiserver.key"
path: "{{ local_certs_path }}/kube-apiserver.key"

- name: Generate a CSR for the Kubernetes API Server
community.crypto.openssl_csr:
path: "{{ certs_path }}/kube-apiserver.csr"
privatekey_path: "{{ certs_path }}/kube-apiserver.key"
path: "{{ local_certs_path }}/kube-apiserver.csr"
privatekey_path: "{{ local_certs_path }}/kube-apiserver.key"
basic_constraints_critical: true
basic_constraints: "CA:FALSE"
key_usage_critical: true
Expand All @@ -194,10 +196,10 @@
- name: Sign the CSR using the CA private key
community.crypto.x509_certificate:
path: "{{ certs_path }}/kube-apiserver.crt"
ownca_path: "{{ certs_path }}/ca.crt"
ownca_privatekey_path: "{{ certs_path }}/ca.key"
csr_path: "{{ certs_path }}/kube-apiserver.csr"
path: "{{ local_certs_path }}/kube-apiserver.crt"
ownca_path: "{{ local_certs_path }}/ca.crt"
ownca_privatekey_path: "{{ local_certs_path }}/ca.key"
csr_path: "{{ local_certs_path }}/kube-apiserver.csr"
provider: ownca

# The API Server Kubelet Client Certificate
Expand All @@ -206,12 +208,12 @@

- name: Generate API Server Kubelet Client Certificate
community.crypto.openssl_privatekey:
path: "{{ certs_path }}/apiserver-kubelet-client.key"
path: "{{ local_certs_path }}/apiserver-kubelet-client.key"

- name: Create CSR using the private key
community.crypto.openssl_csr:
path: "{{ certs_path }}/apiserver-kubelet-client.csr"
privatekey_path: "{{ certs_path }}/apiserver-kubelet-client.key"
path: "{{ local_certs_path }}/apiserver-kubelet-client.csr"
privatekey_path: "{{ local_certs_path }}/apiserver-kubelet-client.key"
subject:
CN: "kube-apiserver-kubelet-client"
O: "system:masters"
Expand All @@ -227,10 +229,10 @@

- name: Sign certificate for apiserver-kubelet-client using CA servers private key
community.crypto.x509_certificate:
path: "{{ certs_path }}/apiserver-kubelet-client.crt"
ownca_path: "{{ certs_path }}/ca.crt"
ownca_privatekey_path: "{{ certs_path }}/ca.key"
csr_path: "{{ certs_path }}/apiserver-kubelet-client.csr"
path: "{{ local_certs_path }}/apiserver-kubelet-client.crt"
ownca_path: "{{ local_certs_path }}/ca.crt"
ownca_privatekey_path: "{{ local_certs_path }}/ca.key"
csr_path: "{{ local_certs_path }}/apiserver-kubelet-client.csr"
provider: ownca

# The ETCD Server Certificate
Expand All @@ -240,12 +242,12 @@

- name: Generate ETCD Server Certificate
community.crypto.openssl_privatekey:
path: "{{ certs_path }}/etcd-server.key"
path: "{{ local_certs_path }}/etcd-server.key"

- name: Create CSR using the private key for etcd-server
community.crypto.openssl_csr:
path: "{{ certs_path }}/etcd-server.csr"
privatekey_path: "{{ certs_path }}/etcd-server.key"
path: "{{ local_certs_path }}/etcd-server.csr"
privatekey_path: "{{ local_certs_path }}/etcd-server.key"
basic_constraints: "CA:FALSE"
key_usage:
- nonRepudiation
Expand All @@ -262,33 +264,33 @@
- name: Sign certificate for etcd-server using CA servers private key
community.crypto.x509_certificate:
path: "{{ certs_path }}/etcd-server.crt"
ownca_path: "{{ certs_path }}/ca.crt"
ownca_privatekey_path: "{{ certs_path }}/ca.key"
csr_path: "{{ certs_path }}/etcd-server.csr"
path: "{{ local_certs_path }}/etcd-server.crt"
ownca_path: "{{ local_certs_path }}/ca.crt"
ownca_privatekey_path: "{{ local_certs_path }}/ca.key"
csr_path: "{{ local_certs_path }}/etcd-server.csr"
provider: ownca

# The Service Account Key Pair
# The service account key pair is used by the API server to sign tokens
# that are used by the kubelet to prove its identity.
- name: Generate Service Account Key Pair
community.crypto.openssl_privatekey:
path: "{{ certs_path }}/service-account.key"
path: "{{ local_certs_path }}/service-account.key"

- name: Create CSR using the private key
community.crypto.openssl_csr:
path: "{{ certs_path }}/service-account.csr"
privatekey_path: "{{ certs_path }}/service-account.key"
path: "{{ local_certs_path }}/service-account.csr"
privatekey_path: "{{ local_certs_path }}/service-account.key"
subject:
CN: "service-accounts"
O: "Kubernetes"

- name: Sign certificate for service-account using CA servers private key
community.crypto.x509_certificate:
path: "{{ certs_path }}/service-account.crt"
ownca_path: "{{ certs_path }}/ca.crt"
ownca_privatekey_path: "{{ certs_path }}/ca.key"
csr_path: "{{ certs_path }}/service-account.csr"
path: "{{ local_certs_path }}/service-account.crt"
ownca_path: "{{ local_certs_path }}/ca.crt"
ownca_privatekey_path: "{{ local_certs_path }}/ca.key"
csr_path: "{{ local_certs_path }}/service-account.csr"
provider: ownca

- name: Display the generated certificates
Expand All @@ -298,6 +300,6 @@
The certificates have been generated successfully
Please find the certificates in the following location:
{{ certs_path }}
{{ local_certs_path }}
And run the following command to verify the certificates:
./cert_verify.sh
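Review bot: Commenting out `run_once: true` while adding `delegate_to: localhost` (the block headers at `- name: Generate Certificate Authority` and `- name: Generate Client and Server Certificates`) makes every host in the play execute these blocks against the same local files, so with more than one host and the default forks the `ca.key` generation tasks may run concurrently and overwrite each other, leaving component certificates signed by a key that no longer matches `ca.crt`. Keep both directives together on each block: `run_once: true` and `delegate_to: localhost`. The CA CSR task only sets a subject; add `basic_constraints: "CA:TRUE"` with `basic_constraints_critical: true` so the self-signed `ca.crt` is marked as a CA — presumably the Go-based Kubernetes components would otherwise reject it as an issuer, which `./cert_verify.sh` should confirm. The `openssl_privatekey` tasks set no `mode`; since the keys now land on the controller under `files/pki`, give each one an explicit `mode: "0600"`. The beginning of the first block and the elided "Expand All" regions are outside the hunks.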
