From 14e5f9187361a3a3320170dbe94f796b46be4797 Mon Sep 17 00:00:00 2001 From: Searge Date: Wed, 17 Apr 2024 08:58:05 +0300 Subject: [PATCH] feat: Generate CA and TLS certificates using Ansible This commit introduces changes to generate Certificate Authority (CA) and TLS certificates using Ansible. It includes tasks to create private keys, certificate signing requests (CSRs), and sign certificates for various components: - Admin user - Kube-controller-manager - Kube-proxy - Kube-scheduler - Kubernetes API Server - API Server Kubelet Client - ETCD Server - Service Account The certificates are generated successfully and can be found in the specified location. A command `cert_verify.sh` is provided to verify the certificates. --- ansible/files/pki/.keep | 0 ansible/inventory/group_vars/all.yml | 12 +++ ansible/inventory/group_vars/vagrant.yml | 3 +- ansible/tasks/create_ca_and_tls.yml | 132 ++++++++++++----------- 4 files changed, 81 insertions(+), 66 deletions(-) create mode 100644 ansible/files/pki/.keep diff --git a/ansible/files/pki/.keep b/ansible/files/pki/.keep new file mode 100644 index 0000000..e69de29 diff --git a/ansible/inventory/group_vars/all.yml b/ansible/inventory/group_vars/all.yml index 7bdc9c4..0d99c04 100644 --- a/ansible/inventory/group_vars/all.yml +++ b/ansible/inventory/group_vars/all.yml @@ -1,6 +1,18 @@ --- ansible_user: core +############################################# +# MARK: - Kubernetes specific variables +############################################# +# Kubernetes directories paths +k8s_dir: "/etc/kubernetes" +k8s_conf_dir: "{{ k8s_dir }}/conf" +k8s_cert_dir: "{{ k8s_dir }}/certs" +k8s_manifest_dir: "{{ k8s_dir }}/manifests" +k8s_lib_dir: "/var/lib/kubernetes" +k8s_log_dir: "/var/log/kubernetes" +k8s_bin_dir: "/usr/local/bin" + ############################################# # MARK: - Ansible specific variables ############################################# 
diff --git a/ansible/inventory/group_vars/vagrant.yml b/ansible/inventory/group_vars/vagrant.yml index a758acb..cb00089 100644 --- a/ansible/inventory/group_vars/vagrant.yml +++ b/ansible/inventory/group_vars/vagrant.yml @@ -3,4 +3,5 @@ ansible_user: vagrant service_cidr: "10.96.0.0/24" -certs_path: "{{ ansible_user_dir }}/" +# certs_path: "{{ ansible_user_dir }}/" +local_certs_path: "files/pki" diff --git a/ansible/tasks/create_ca_and_tls.yml b/ansible/tasks/create_ca_and_tls.yml index 483b79f..f1c613a 100644 --- a/ansible/tasks/create_ca_and_tls.yml +++ b/ansible/tasks/create_ca_and_tls.yml 
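Review bot: `local_certs_path: "files/pki"` is a relative path defined only in the `vagrant` group, yet `create_ca_and_tls.yml` now references it unconditionally with `delegate_to: localhost`, so any other inventory group hits an undefined variable and, on the control node, the `community.crypto` modules resolve the relative path against the working directory `ansible-playbook` was launched from rather than against the playbook (as far as I can tell from how the `local` connection runs modules). Anchor it to the playbook and define it where the other shared paths live in `all.yml`: `local_certs_path: "{{ playbook_dir }}/files/pki"`. Since `ansible/files/pki/.keep` makes that directory tracked, the same commit should add `ansible/files/pki/.gitignore` with `*` and `!.keep` so the CA and component private keys written there cannot be committed.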
@@ -47,108 +47,110 @@ - "loadbalancer: {{ loadbalancer_ip }}" - name: Generate Certificate Authority - run_once: true + delegate_to: localhost + # run_once: true block: - name: Generate a CA private key community.crypto.openssl_privatekey: - path: "{{ certs_path }}/ca.key" + path: "{{ local_certs_path }}/ca.key" - name: Create CSR using the private key community.crypto.openssl_csr: - path: "{{ certs_path }}/ca.csr" - privatekey_path: "{{ certs_path }}/ca.key" + path: "{{ local_certs_path }}/ca.csr" + privatekey_path: "{{ local_certs_path }}/ca.key" subject: CN: "KUBERNETES-CA" O: "Kubernetes" - name: Self sign the csr using its own private key community.crypto.x509_certificate: - path: "{{ certs_path }}/ca.crt" - privatekey_path: "{{ certs_path }}/ca.key" - csr_path: "{{ certs_path }}/ca.csr" + path: "{{ local_certs_path }}/ca.crt" + privatekey_path: "{{ local_certs_path }}/ca.key" + csr_path: "{{ local_certs_path }}/ca.csr" provider: selfsigned - name: Generate Client and Server Certificates - run_once: true + delegate_to: localhost + # run_once: true block: - name: Generate private key for admin user community.crypto.openssl_privatekey: - path: "{{ certs_path }}/admin.key" + path: "{{ local_certs_path }}/admin.key" - name: Create CSR using the private key community.crypto.openssl_csr: - path: "{{ certs_path }}/admin.csr" - privatekey_path: "{{ certs_path }}/admin.key" + path: "{{ local_certs_path }}/admin.csr" + privatekey_path: "{{ local_certs_path }}/admin.key" subject: CN: "admin" O: "system:masters" - name: Sign certificate for admin user using CA servers private key community.crypto.x509_certificate: - path: "{{ certs_path }}/admin.crt" - ownca_path: "{{ certs_path }}/ca.crt" - ownca_privatekey_path: "{{ certs_path }}/ca.key" - csr_path: "{{ certs_path }}/admin.csr" + path: "{{ local_certs_path }}/admin.crt" + ownca_path: "{{ local_certs_path }}/ca.crt" + ownca_privatekey_path: "{{ local_certs_path }}/ca.key" + csr_path: "{{ local_certs_path }}/admin.csr" 
provider: ownca - name: Generate Controller Manager Client Certificate community.crypto.openssl_privatekey: - path: "{{ certs_path }}/kube-controller-manager.key" + path: "{{ local_certs_path }}/kube-controller-manager.key" - name: Create CSR using the private key community.crypto.openssl_csr: - path: "{{ certs_path }}/kube-controller-manager.csr" - privatekey_path: "{{ certs_path }}/kube-controller-manager.key" + path: "{{ local_certs_path }}/kube-controller-manager.csr" + privatekey_path: "{{ local_certs_path }}/kube-controller-manager.key" subject: CN: "system:kube-controller-manager" O: "system:kube-controller-manager" - name: Sign certificate for kube-controller-manager using CA servers private key community.crypto.x509_certificate: - path: "{{ certs_path }}/kube-controller-manager.crt" - ownca_path: "{{ certs_path }}/ca.crt" - ownca_privatekey_path: "{{ certs_path }}/ca.key" - csr_path: "{{ certs_path }}/kube-controller-manager.csr" + path: "{{ local_certs_path }}/kube-controller-manager.crt" + ownca_path: "{{ local_certs_path }}/ca.crt" + ownca_privatekey_path: "{{ local_certs_path }}/ca.key" + csr_path: "{{ local_certs_path }}/kube-controller-manager.csr" provider: ownca - name: Generate Kube Proxy Client Certificate community.crypto.openssl_privatekey: - path: "{{ certs_path }}/kube-proxy.key" + path: "{{ local_certs_path }}/kube-proxy.key" - name: Create CSR using the private key community.crypto.openssl_csr: - path: "{{ certs_path }}/kube-proxy.csr" - privatekey_path: "{{ certs_path }}/kube-proxy.key" + path: "{{ local_certs_path }}/kube-proxy.csr" + privatekey_path: "{{ local_certs_path }}/kube-proxy.key" subject: CN: "system:kube-proxy" O: "system:node-proxier" - name: Sign certificate for kube-proxy using CA servers private key community.crypto.x509_certificate: - path: "{{ certs_path }}/kube-proxy.crt" - ownca_path: "{{ certs_path }}/ca.crt" - ownca_privatekey_path: "{{ certs_path }}/ca.key" - csr_path: "{{ certs_path }}/kube-proxy.csr" + path: "{{ 
local_certs_path }}/kube-proxy.crt" + ownca_path: "{{ local_certs_path }}/ca.crt" + ownca_privatekey_path: "{{ local_certs_path }}/ca.key" + csr_path: "{{ local_certs_path }}/kube-proxy.csr" provider: ownca - name: Generate Scheduler Client Certificate community.crypto.openssl_privatekey: - path: "{{ certs_path }}/kube-scheduler.key" + path: "{{ local_certs_path }}/kube-scheduler.key" - name: Create CSR using the private key community.crypto.openssl_csr: - path: "{{ certs_path }}/kube-scheduler.csr" - privatekey_path: "{{ certs_path }}/kube-scheduler.key" + path: "{{ local_certs_path }}/kube-scheduler.csr" + privatekey_path: "{{ local_certs_path }}/kube-scheduler.key" subject: CN: "system:kube-scheduler" O: "system:kube-scheduler" - name: Sign certificate for kube-scheduler using CA servers private key community.crypto.x509_certificate: - path: "{{ certs_path }}/kube-scheduler.crt" - ownca_path: "{{ certs_path }}/ca.crt" - ownca_privatekey_path: "{{ certs_path }}/ca.key" - csr_path: "{{ certs_path }}/kube-scheduler.csr" + path: "{{ local_certs_path }}/kube-scheduler.crt" + ownca_path: "{{ local_certs_path }}/ca.crt" + ownca_privatekey_path: "{{ local_certs_path }}/ca.key" + csr_path: "{{ local_certs_path }}/kube-scheduler.csr" provider: ownca # The Kubernetes API Server Certificate @@ -162,12 +164,12 @@ - name: Generate Kubernetes API Server Certificate community.crypto.openssl_privatekey: - path: "{{ certs_path }}/kube-apiserver.key" + path: "{{ local_certs_path }}/kube-apiserver.key" - name: Generate a CSR for the Kubernetes API Server community.crypto.openssl_csr: - path: "{{ certs_path }}/kube-apiserver.csr" - privatekey_path: "{{ certs_path }}/kube-apiserver.key" + path: "{{ local_certs_path }}/kube-apiserver.csr" + privatekey_path: "{{ local_certs_path }}/kube-apiserver.key" basic_constraints_critical: true basic_constraints: "CA:FALSE" key_usage_critical: true 
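Review bot: With `run_once: true` commented out, the `Generate Certificate Authority` and `Generate Client and Server Certificates` blocks now run once per inventory host, all delegated to `localhost` and all writing the same `{{ local_certs_path }}/ca.key` and friends; the modules skip existing keys so the result is idempotent, but the repetition is pointless and `run_once: true` should be restored next to `delegate_to: localhost`. The CA key and every component key now land inside the repository checkout and nothing in the diff sets their permissions or excludes them from VCS; add `mode: "0600"` to each `community.crypto.openssl_privatekey` task (I am not certain the module tightens the mode on its own) and gitignore `*.key`. Unchanged context, but worth fixing while the CA block is being moved: the CA CSR carries only a subject, so the self-signed `ca.crt` has no `basic_constraints: "CA:TRUE"` / `key_usage: [keyCertSign, cRLSign]` and, if I recall OpenSSL's chain checks correctly, `openssl verify` rejects such a root even though Go's verifier accepts it from a trust pool; `basic_constraints_critical: true`, `basic_constraints: "CA:TRUE"` on the CA CSR fixes that. The `Generate Client and Server Certificates` block continues past this hunk.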
@@ -194,10 +196,10 @@ - name: Sign the CSR using the CA private key community.crypto.x509_certificate: - path: "{{ certs_path }}/kube-apiserver.crt" - ownca_path: "{{ certs_path }}/ca.crt" - ownca_privatekey_path: "{{ certs_path }}/ca.key" - csr_path: "{{ certs_path }}/kube-apiserver.csr" + path: "{{ local_certs_path }}/kube-apiserver.crt" + ownca_path: "{{ local_certs_path }}/ca.crt" + ownca_privatekey_path: "{{ local_certs_path }}/ca.key" + csr_path: "{{ local_certs_path }}/kube-apiserver.csr" provider: ownca # The API Server Kubelet Client Certificate @@ -206,12 +208,12 @@ - name: Generate API Server Kubelet Client Certificate community.crypto.openssl_privatekey: - path: "{{ certs_path }}/apiserver-kubelet-client.key" + path: "{{ local_certs_path }}/apiserver-kubelet-client.key" - name: Create CSR using the private key community.crypto.openssl_csr: - path: "{{ certs_path }}/apiserver-kubelet-client.csr" - privatekey_path: "{{ certs_path }}/apiserver-kubelet-client.key" + path: "{{ local_certs_path }}/apiserver-kubelet-client.csr" + privatekey_path: "{{ local_certs_path }}/apiserver-kubelet-client.key" subject: CN: "kube-apiserver-kubelet-client" O: "system:masters" @@ -227,10 +229,10 @@ - name: Sign certificate for apiserver-kubelet-client using CA servers private key community.crypto.x509_certificate: - path: "{{ certs_path }}/apiserver-kubelet-client.crt" - ownca_path: "{{ certs_path }}/ca.crt" - ownca_privatekey_path: "{{ certs_path }}/ca.key" - csr_path: "{{ certs_path }}/apiserver-kubelet-client.csr" + path: "{{ local_certs_path }}/apiserver-kubelet-client.crt" + ownca_path: "{{ local_certs_path }}/ca.crt" + ownca_privatekey_path: "{{ local_certs_path }}/ca.key" + csr_path: "{{ local_certs_path }}/apiserver-kubelet-client.csr" provider: ownca # The ETCD Server Certificate 
@@ -240,12 +242,12 @@ - name: Generate ETCD Server Certificate community.crypto.openssl_privatekey: - path: "{{ certs_path }}/etcd-server.key" + path: "{{ local_certs_path }}/etcd-server.key" - name: Create CSR using the private key for etcd-server community.crypto.openssl_csr: - path: "{{ certs_path }}/etcd-server.csr" - privatekey_path: "{{ certs_path }}/etcd-server.key" + path: "{{ local_certs_path }}/etcd-server.csr" + privatekey_path: "{{ local_certs_path }}/etcd-server.key" basic_constraints: "CA:FALSE" key_usage: - nonRepudiation @@ -262,10 +264,10 @@ - name: Sign certificate for etcd-server using CA servers private key community.crypto.x509_certificate: - path: "{{ certs_path }}/etcd-server.crt" - ownca_path: "{{ certs_path }}/ca.crt" - ownca_privatekey_path: "{{ certs_path }}/ca.key" - csr_path: "{{ certs_path }}/etcd-server.csr" + path: "{{ local_certs_path }}/etcd-server.crt" + ownca_path: "{{ local_certs_path }}/ca.crt" + ownca_privatekey_path: "{{ local_certs_path }}/ca.key" + csr_path: "{{ local_certs_path }}/etcd-server.csr" provider: ownca # The Service Account Key Pair 
@@ -273,22 +275,22 @@ # that are used by the kubelet to prove its identity. - name: Generate Service Account Key Pair community.crypto.openssl_privatekey: - path: "{{ certs_path }}/service-account.key" + path: "{{ local_certs_path }}/service-account.key" - name: Create CSR using the private key community.crypto.openssl_csr: - path: "{{ certs_path }}/service-account.csr" - privatekey_path: "{{ certs_path }}/service-account.key" + path: "{{ local_certs_path }}/service-account.csr" + privatekey_path: "{{ local_certs_path }}/service-account.key" subject: CN: "service-accounts" O: "Kubernetes" - name: Sign certificate for service-account using CA servers private key community.crypto.x509_certificate: - path: "{{ certs_path }}/service-account.crt" - ownca_path: "{{ certs_path }}/ca.crt" - ownca_privatekey_path: "{{ certs_path }}/ca.key" - csr_path: "{{ certs_path }}/service-account.csr" + path: "{{ local_certs_path }}/service-account.crt" + ownca_path: "{{ local_certs_path }}/ca.crt" + ownca_privatekey_path: "{{ local_certs_path }}/ca.key" + csr_path: "{{ local_certs_path }}/service-account.csr" provider: ownca - name: Display the generated certificates @@ -298,6 +300,6 @@ The certificates have been generated successfully Please find the certificates in the following location: - {{ certs_path }} + {{ local_certs_path }} And run the following command to verify the certificates: ./cert_verify.sh
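Review bot: The final `debug` message tells the operator to run `./cert_verify.sh`, but the diffstat at the top of the patch lists no such file, so unless it already exists in the repository this instruction points at nothing. Because generation now happens on the control node, the message should also say that `{{ local_certs_path }}` is a local path and that the keys still have to be distributed to `{{ k8s_cert_dir }}` on the nodes with restrictive modes, e.g. append `Keys are on the control node; copy them to {{ k8s_cert_dir }} with mode 0600 before starting the components.`, assuming a later task does that copy.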