From cfdfc37cf83e7862562623a861a313078c1c609a Mon Sep 17 00:00:00 2001
From: Zoltan Hegyi
Date: Wed, 9 Oct 2019 17:50:15 +0200
Subject: [PATCH] Update cert role to enable to load them to secrets

Added secret_ns parameter, Corrected typo(s)

Signed-off-by: Zoltan Hegyi
Change-Id: Ib83795d637f901c31cbf0a037cfbc5e56d8ff7c8
---
 ansible/roles/cert/tasks/main.yml | 137 ++++++++++++++++++++++----------------
 ansible/roles/cert/vars/main.yml | 4 ++
 2 files changed, 83 insertions(+), 58 deletions(-)

diff --git a/ansible/roles/cert/tasks/main.yml b/ansible/roles/cert/tasks/main.yml
index 0691b48..a3f27fc 100644
--- a/ansible/roles/cert/tasks/main.yml
+++ b/ansible/roles/cert/tasks/main.yml
@@ -80,65 +80,13 @@ chdir: "{{ cert_path }}" when: not cert.stat.exists -- name: reducing permission of key file and cert file - file: - path: "{{ cert_path }}/{{ item }}" - mode: 0000 - with_items: - - "{{ _key }}" - - "{{ _cert }}" - when: not cert.stat.exists - -- name: remove cert request and serial file - file: - path: "{{ cert_path }}/{{ item }}" - state: absent - with_items: - - "{{ instance }}.csr" - - "{{ instance }}.slr" - when: not cert.stat.exists +- name: load certificate into secret + command: "kubectl -n {{ _secret_ns }} create secret {{ _secret_type }} {{ _secret_name }} --cert={{ cert_path }}/{{ _cert }} --key={{ cert_path }}/{{ _key }}" + when: _secret_name != '' -- name: setting ca.pem permission - file: - path: "{{ cert_path }}/ca.pem" - mode: 0000 - when: not cert_path_register.stat.exists - -- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}/ca.pem - acl: - name: "{{ cert_path }}/ca.pem" - entity: "{{ users.admin_user_name }}" - etype: user - permissions: rx - state: present - -- name: allowing users to access keys - acl: - name: "{{ item[0] }}" - entity: "{{ item[1] }}" - etype: user - permissions: "r" - state: present - with_nested: - - [ "{{ cert_path }}/{{ _key }}", "{{ cert_path }}/{{ _cert }}", "{{ cert_path }}/ca.pem" ] - - "{{ add_users | default([]) }}" - -- name: adding exec flag to {{ cert_path }} directory for users - acl: - name: "{{ cert_path }}" - entity: "{{ item }}" - etype: user - permissions: "rx" - state: present - with_items: "{{ add_users | default([]) }}" - -- name: adding mask to the acl - acl: - name: "{{ cert_path }}" - etype: mask - permissions: "rx" - recursive: yes - state: present +- name: Unconditionally delete files in case of secrets + set_fact: + _keep_files: "{{ false if _secret_name != '' else _keep_files }}" - name: create kubeconfig from cert include_role: 
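Review bot: The new "load certificate into secret" task is not idempotent: `kubectl create secret` fails with AlreadyExists on the second run of the role, and nothing in the hunk checks for or replaces an existing secret, so re-running the play against a host that already loaded its certificate aborts here. The `--cert`/`--key` flags are only understood by `kubectl create secret tls`; `generic` takes `--from-file`/`--from-literal`, so the `_secret_type` variable is misleading as written and a caller overriding it gets a usage error rather than a secret — either drop the variable or branch on it. A declarative shape that survives re-runs is to render and apply, e.g. `shell: "kubectl -n {{ _secret_ns }} create secret tls {{ _secret_name }} --cert={{ cert_path }}/{{ _cert }} --key={{ cert_path }}/{{ _key }} --dry-run -o yaml | kubectl apply -f -"`, ideally with `no_log: true` so failure output involving the key material's path and namespace stays out of the log. Note also that the "reducing permission of key file" and csr/slr cleanup tasks removed here reappear later in the file, so the private key now sits on disk with whatever mode the generator gave it until that later block runs; the `chdir`/`when` context lines at the top belong to a task that starts above this hunk.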
@@ -157,5 +105,78 @@ add_users: "{{ add_users | default([]) }}" with_items: "{{ kube_conf | default([]) }}" +- name: Unconditionally delete files in case of kubeconfig + set_fact: + _keep_files = "{{ false if kube_conf is defined else _keep_files }}" + +- name: SECURITY settings on cert files + block: + - name: reducing permission of key file and cert file + file: + path: "{{ cert_path }}/{{ item }}" + mode: 0000 + with_items: + - "{{ _key }}" + - "{{ _cert }}" + when: not cert.stat.exists + + - name: remove cert request and serial file + file: + path: "{{ cert_path }}/{{ item }}" + state: absent + with_items: + - "{{ instance }}.csr" + - "{{ instance }}.slr" + when: not cert.stat.exists + + - name: setting ca.pem permission + file: + path: "{{ cert_path }}/ca.pem" + mode: 0000 + when: not cert_path_register.stat.exists + + - name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}/ca.pem + acl: + name: "{{ cert_path }}/ca.pem" + entity: "{{ users.admin_user_name }}" + etype: user + permissions: rx + state: present + + - name: allowing users to access keys + acl: + name: "{{ item[0] }}" + entity: "{{ item[1] }}" + etype: user + permissions: "r" + state: present + with_nested: + - [ "{{ cert_path }}/{{ _key }}", "{{ cert_path }}/{{ _cert }}", "{{ cert_path }}/ca.pem" ] + - "{{ add_users | default([]) }}" + + - name: adding exec flag to {{ cert_path }} directory for users + acl: + name: "{{ cert_path }}" + entity: "{{ item }}" + etype: user + permissions: "rx" + state: present + with_items: "{{ add_users | default([]) }}" + + - name: adding mask to the acl + acl: + name: "{{ cert_path }}" + etype: mask + permissions: "rx" + recursive: yes + state: present + when: _keep_files + +- name: Remove directory in case of _keep_files==false + file: + name: "{{ cert_path }}" + state: absent + when: not _keep_files + - name: force IO to write data to disk shell: "sync" 
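Review bot: The new "Unconditionally delete files in case of kubeconfig" task writes `_keep_files = "{{ ... }}"` with `=` where the sibling task in the previous hunk uses `_keep_files: "..."`; with `=` the indented line is a plain scalar, so `set_fact` receives the string rather than a mapping and will not set `_keep_files` as intended (it is treated as free-form key=value text, which with the surrounding spaces does not yield that key). It should read `_keep_files: "{{ false if kube_conf is defined else _keep_files }}"`. Separately, the "SECURITY settings on cert files" block is now gated on `_keep_files` and runs only after the secret and kubeconfig tasks, so the `mode: 0000` tightening no longer happens immediately after key generation, and on the `_keep_files == false` path `state: absent` unlinks the key without overwriting it, leaving key bytes recoverable from the block device — if that matters for this deployment, consider a `shred` of `{{ cert_path }}/{{ _key }}` before the directory removal, guarded by the same `when: not _keep_files`. The `add_users`/`with_items` context lines at the top belong to the "create kubeconfig from cert" task that starts above this hunk.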
diff --git a/ansible/roles/cert/vars/main.yml b/ansible/roles/cert/vars/main.yml
index 50c63df..aaf7166 100644
--- a/ansible/roles/cert/vars/main.yml
+++ b/ansible/roles/cert/vars/main.yml
@@ -21,3 +21,7 @@ _conf_file: "{{ conf_file | default('node.conf') }}"
 _expiry: "{{ cert_expiry | default('1825') }}"
 _subject: "/CN={{ _cn }}{% if _org %}/O={{ _org }}{% endif %}"
 _alt_names: "{{ alt_names | default( {'dns':[], 'ip':[]} ) }}"
+_secret_name: "{{ secret_name | default ( '' ) }}"
+_secret_type: "{{ sercret_type | default ( 'tls' ) }}"
+_secret_ns: "{{ secret_ns | default ( 'kube-system' ) }}"
+_keep_files: "{{ keep_files | default ( true ) }}"
--
2.16.6
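Review bot: `_secret_type` reads the misspelled `sercret_type` instead of `secret_type`, so a caller who sets `secret_type` is silently ignored and `'tls'` is always used; change it to `_secret_type: "{{ secret_type | default ( 'tls' ) }}"` (the commit message says typos were corrected, but this one is new). The `kube-system` default for `_secret_ns` deserves a second look: that namespace typically hosts control-plane add-ons whose service accounts often have broad Secret read access, so a TLS secret carrying a private key should default to the consuming workload's namespace, or the role should require `secret_ns` whenever `secret_name` is set. Finally, these defaults are all rendered through Jinja into strings; `keep_files | default(true)` yields the text `True`, which Ansible's `when:` and `set_fact` normally coerce, but an explicit `keep_files: false` from a caller should be exercised once to confirm `not _keep_files` in the tasks file behaves as expected.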