4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
# Per-node TLS material: creates cert_path, drops the CA certificate in it,
# generates a CA-signed instance key/cert with openssl, restricts the files with
# mode bits plus POSIX ACLs for the admin user / add_users, and finally writes
# kubeconfigs from the result. Several module and argument lines are missing
# from this view, so comments below hedge where the exact arguments are unknown.
#
# Renders the openssl request/extension config. The template src and module line
# are not visible; the rendered file is presumably what the signing tasks refer
# to as /etc/openssl/{{ _conf_file }} — confirm against the role defaults.
16 - name: template node.conf
19 dest: /etc/openssl/node.conf
# NOTE(review): despite the task name this stats ca.pem *inside* cert_path, not
# the directory itself. Every "not cert_path_register.stat.exists" guard below
# therefore means "ca.pem is absent": a pre-existing directory without ca.pem is
# still chmod'ed and populated, and an existing ca.pem is never refreshed, so a
# CA rotation requires removing the old ca.pem by hand before re-running.
22 - name: check instance cert directory
24 path: "{{ cert_path }}/ca.pem"
25 register: cert_path_register
# Only runs when ca.pem is missing. The directory mode is deliberately applied in
# the separate task that follows (see the comment there).
27 - name: create cert directory
29 name: "{{ cert_path }}"
31 when: not cert_path_register.stat.exists
33 # The 'create cert directory' and 'changing permissions of cert directory' tasks cannot be merged together!
34 # Since 'state: directory' creates the directory recursively.
35 # So, if cert_path is e.g. /etc/kubernetes/ssl, then /etc/kubernetes would get 700 as its permission too.
36 # And in that case the admin user would get access denied for the /etc/kubernetes folder.
37 - name: changing permissions of cert directory
39 path: "{{ cert_path }}"
41 when: not cert_path_register.stat.exists
# Directory ACLs for the admin user: a default ACL (inherited by files created
# later in cert_path) followed by a plain access ACL on the directory itself.
# The permissions/etype lines are outside this view — verify they are read-only.
43 - name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}
46 name: "{{ cert_path }}"
47 entity: "{{ users.admin_user_name }}"
53 - name: adding acl read to {{ users.admin_user_name }} to {{ cert_path }}
55 name: "{{ cert_path }}"
56 entity: "{{ users.admin_user_name }}"
# Stats the instance cert; the register line is not visible, but the later
# "not cert.stat.exists" guards imply it is registered as "cert".
62 - name: check instance cert
64 path: "{{ cert_path }}/{{ _cert }}"
# Copies the CA certificate only when ca.pem was absent (see the stat note above).
67 - name: copy CA to {{ cert_path }}
69 src: "/etc/openssl/ca.pem"
70 dest: "{{ cert_path }}/ca.pem"
71 when: not cert_path_register.stat.exists
# Generates the node key and a CA-signed cert inside cert_path. Review notes:
#  * genrsa writes the private key with the process umask; the chmod only happens
#    in the later "reducing permission ..." task, so for a short window the key
#    can be readable by other local users. If this is a shell: task, prefixing
#    genrsa with `umask 077 &&` closes the gap; with command: the umask has to be
#    set elsewhere (e.g. the Ansible user's login environment).
#  * _key, _cert, instance, _subject, _conf_file and _expiry are spliced straight
#    into the command line. If the module is shell: and any of them can come from
#    untrusted inventory/extra-vars, that is a shell-injection point — keep them
#    role-controlled or switch to command: with argv.
#  * `_common_key is sameas false` is an identity test: only a real boolean False
#    drops -config; a quoted "false" from inventory still includes it.
#  * The per-instance .slr file is deleted by a later task, so -CAcreateserial
#    starts without a serial file on every host. On OpenSSL >= 1.1.0 that yields
#    a random serial; on older builds the first serial is always 1, i.e. every
#    node cert from this CA would share the same serial number — check the
#    installed version.
#  * Guarded by "not cert.stat.exists": an existing (even expired) cert is never
#    regenerated, so renewal before the -days/_expiry window elapses needs an
#    external trigger (remove the cert file and re-run).
#  * Signing uses /etc/openssl/ca-key.pem on the *target* host, i.e. the CA
#    private key must be present on every node this role runs against.
73 - name: generate instance certificate
76 - "/usr/bin/openssl genrsa -out {{ _key }} 2048"
77 - "/usr/bin/openssl req -new -key {{ _key }} -out {{ instance }}.csr -subj '{{ _subject }}' {% if _common_key is sameas false %} -config /etc/openssl/{{ _conf_file }} {% endif %} -sha256"
78 - "/usr/bin/openssl x509 -req -in {{ instance }}.csr -CA ca.pem -CAserial {{ instance }}.slr -CAkey /etc/openssl/ca-key.pem -CAcreateserial -out {{ _cert }} -days {{ _expiry }} -extensions v3_req -extfile /etc/openssl/{{ _conf_file }} -sha256"
80 chdir: "{{ cert_path }}"
81 when: not cert.stat.exists
# Tightens the freshly written key/cert (mode line and item list are outside this
# view). Like the generation step it only runs on first creation, so a key whose
# mode was later loosened by hand is not corrected on re-runs.
83 - name: reducing permission of key file and cert file
85 path: "{{ cert_path }}/{{ item }}"
90 when: not cert.stat.exists
# Cleans up the CSR and the serial file; removing the .slr is what makes every
# signing start without a serial file (see the serial note above).
92 - name: remove cert request and serial file
94 path: "{{ cert_path }}/{{ item }}"
97 - "{{ instance }}.csr"
98 - "{{ instance }}.slr"
99 when: not cert.stat.exists
# ca.pem mode/ACL, again only on first placement of ca.pem.
101 - name: setting ca.pem permission
103 path: "{{ cert_path }}/ca.pem"
105 when: not cert_path_register.stat.exists
# NOTE(review): the name says "default acl", but default ACLs exist only on
# directories and setfacl rejects them on regular files. If this task really sets
# default: true it will fail; the name may simply be copied from the directory task.
107 - name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}/ca.pem
109 name: "{{ cert_path }}/ca.pem"
110 entity: "{{ users.admin_user_name }}"
# Grants every entry of add_users an ACL on the private key as well as the cert
# and CA (the permissions/etype lines are not visible). Anyone in add_users can
# therefore act with this node's identity — keep the list minimal and make sure
# the ACL is read-only.
115 - name: allowing users to access keys
117 name: "{{ item[0] }}"
118 entity: "{{ item[1] }}"
123 - [ "{{ cert_path }}/{{ _key }}", "{{ cert_path }}/{{ _cert }}", "{{ cert_path }}/ca.pem" ]
124 - "{{ add_users | default([]) }}"
# Execute on the directory is what lets those users traverse into cert_path;
# without it the file ACLs above are unreachable.
126 - name: adding exec flag to {{ cert_path }} directory for users
128 name: "{{ cert_path }}"
133 with_items: "{{ add_users | default([]) }}"
# Sets the ACL mask on cert_path so the named-user entries above are effective
# (the mask value is outside this view).
135 - name: adding mask to the acl
137 name: "{{ cert_path }}"
# Writes one kubeconfig per kube_conf entry using this node's cert/key (the
# module/role line is not visible; path/owner/group/apiserver are passed through).
# restricted defaults to true — confirm what the consumer does with it before
# relying on it for file-mode hardening. add_users is forwarded, presumably so
# the same users that received key ACLs above can read the kubeconfig.
143 - name: create kubeconfig from cert
148 path: "{{ item.path }}"
149 owner: "{{ item.owner | default('root') }}"
150 group: "{{ item.group | default('root') }}"
151 restricted: "{{ item.restricted | default(true) }}"
153 cert: "{{ cert_path }}/{{ _cert }}"
154 key: "{{ cert_path }}/{{ _key }}"
155 apiserver: "{{ item.apiserver }}"
156 apiserver_port: "{{ item.apiserver_port }}"
157 add_users: "{{ add_users | default([]) }}"
158 with_items: "{{ kube_conf | default([]) }}"
160 - name: force IO to write data to disk