--- /dev/null
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: template node.conf
+ template:
+ src: "node.conf.j2"
+ dest: /etc/openssl/node.conf
+ mode: 0000
+
+- name: check instance cert directory
+ stat:
+ path: "{{ cert_path }}/ca.pem"
+ register: cert_path_register
+
+- name: create cert directory
+ file:
+ name: "{{ cert_path }}"
+ state: directory
+ when: not cert_path_register.stat.exists
+
+# The 'create cert directory' and 'changing permissions of cert directory' tasks cannot merged together!
+# Since 'state: directory' creates the directory recursively.
+# So, if cert_path is e.g: /etc/kubernetes/ssl, then /etc/kubernetes would get 700 as it's permisson.
+# And in that case the admin user would get access denied for the /etc/kubernetes folder.
+- name: changing permissions of cert directory
+ file:
+ path: "{{ cert_path }}"
+ mode: 0700
+ when: not cert_path_register.stat.exists
+
+- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}
+ acl:
+ default: yes
+ name: "{{ cert_path }}"
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ permissions: rx
+ recursive: yes
+ state: present
+
+- name: adding acl read to {{ users.admin_user_name }} to {{ cert_path }}
+ acl:
+ name: "{{ cert_path }}"
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ permissions: rx
+ recursive: yes
+ state: present
+
+- name: check instance cert
+ stat:
+ path: "{{ cert_path }}/{{ _cert }}"
+ register: cert
+
+- name: copy CA to {{ cert_path }}
+ copy:
+ src: "/etc/openssl/ca.pem"
+ dest: "{{ cert_path }}/ca.pem"
+ when: not cert_path_register.stat.exists
+
+- name: generate instance certificate
+ command: "{{ item }}"
+ with_items:
+ - "/usr/bin/openssl genrsa -out {{ _key }} 2048"
+ - "/usr/bin/openssl req -new -key {{ _key }} -out {{ instance }}.csr -subj '{{ _subject }}' {% if _common_key is sameas false %} -config /etc/openssl/{{ _conf_file }} {% endif %} -sha256"
+ - "/usr/bin/openssl x509 -req -in {{ instance }}.csr -CA ca.pem -CAserial {{ instance }}.slr -CAkey /etc/openssl/ca-key.pem -CAcreateserial -out {{ _cert }} -days {{ _expiry }} -extensions v3_req -extfile /etc/openssl/{{ _conf_file }} -sha256"
+ args:
+ chdir: "{{ cert_path }}"
+ when: not cert.stat.exists
+
+- name: reducing permission of key file and cert file
+ file:
+ path: "{{ cert_path }}/{{ item }}"
+ mode: 0000
+ with_items:
+ - "{{ _key }}"
+ - "{{ _cert }}"
+ when: not cert.stat.exists
+
+- name: remove cert request and serial file
+ file:
+ path: "{{ cert_path }}/{{ item }}"
+ state: absent
+ with_items:
+ - "{{ instance }}.csr"
+ - "{{ instance }}.slr"
+ when: not cert.stat.exists
+
+- name: setting ca.pem permission
+ file:
+ path: "{{ cert_path }}/ca.pem"
+ mode: 0000
+ when: not cert_path_register.stat.exists
+
+- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}/ca.epm
+ acl:
+ name: "{{ cert_path }}/ca.pem"
+ entity: "{{ users.admin_user_name }}"
+ etype: user
+ permissions: rx
+ state: present
+
+- name: allowing users to access keys
+ acl:
+ name: "{{ item[0] }}"
+ entity: "{{ item[1] }}"
+ etype: user
+ permissions: "r"
+ state: present
+ with_nested:
+ - [ "{{ cert_path }}/{{ _key }}", "{{ cert_path }}/{{ _cert }}", "{{ cert_path }}/ca.pem" ]
+ - "{{ add_users | default([]) }}"
+
+- name: adding exec flag to {{ cert_path }} directory for users
+ acl:
+ name: "{{ cert_path }}"
+ entity: "{{ item }}"
+ etype: user
+ permissions: "rx"
+ state: present
+ with_items: "{{ add_users | default([]) }}"
+
+- name: create kubeconfig from cert
+ include_role:
+ name: kubeconfig
+ vars:
+ config:
+ path: "{{ item.path }}"
+ owner: "{{ item.owner | default('root') }}"
+ group: "{{ item.group | default('root') }}"
+ restricted: "{{ item.restricted | default(true) }}"
+ user: "{{ _cn }}"
+ cert: "{{ cert_path }}/{{ _cert }}"
+ key: "{{ cert_path }}/{{ _key }}"
+ apiserver: "{{ item.apiserver }}"
+ apiserver_port: "{{ item.apiserver_port }}"
+ add_users: "{{ add_users | default([]) }}"
+ with_items: "{{ kube_conf | default([]) }}"
+
+- name: force IO to write data to disk
+ shell: "sync"
Code Review / ta / caas-security.git / blobdiff