diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index b6d6cb442f51743350a447fd25ee86b6d3eb9372..cf8881aabb296a4842183ec94fb79beeba35d7ae 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -28,14 +28,21 @@
   tags:
     - k8s-secrets
 
-- name: Gen_certs | write openssl config
+- name: Gen_certs | write masters openssl config
   template:
-    src: "openssl.conf.j2"
-    dest: "{{ kube_config_dir }}/openssl.conf"
+    src: "openssl-master.conf.j2"
+    dest: "{{ kube_config_dir }}/openssl-master.conf"
   run_once: yes
-  delegate_to: "{{groups['kube-master'][0]}}"
+  delegate_to: "{{ groups['kube-master']|first }}"
   when: gen_certs|default(false)
 
+- name: Gen_certs | write nodes openssl config
+  template:
+    src: "openssl-node.conf.j2"
+    dest: "{{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf"
+  delegate_to: "{{ groups['kube-master']|first }}"
+  when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster']
+
 - name: Gen_certs | copy certs generation script
   template:
     src: "make-ssl.sh.j2"
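Review bot: The new "write nodes openssl config" task has no comment explaining that it runs once per inventory host while writing every file onto the first master, which is easy to misread next to the `run_once` master task above it. A short comment above the task would help, for example `# Rendered per cluster host on the first master: each node gets its own CSR config, so its cert carries only that host's SANs`. The task also leaves the file mode to the default; if `kube_config_dir` is readable by other users, an explicit `mode: "0640"` keeps these files consistent with the rest of the directory. The following "copy certs generation script" task continues outside the hunk.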
@@ -45,24 +52,26 @@
   delegate_to: "{{groups['kube-master'][0]}}"
   when: gen_certs|default(false)
 
-- name: Gen_certs | run cert generation script
-  command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
+- name: Gen_certs | run master cert generation script
+  command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl-master.conf -d {{ kube_cert_dir }}"
   environment:
     - MASTERS: "{% for m in groups['kube-master'] %}
                   {% if gen_master_certs|default(false) %}
                     {{ m }}
                   {% endif %}
                 {% endfor %}"
-    - HOSTS: "{% for h in groups['k8s-cluster'] %}
-                {% if gen_node_certs[h]|default(true) %}
-                    {{ h }}
-                {% endif %}
-              {% endfor %}"
-  run_once: yes
-  delegate_to: "{{groups['kube-master'][0]}}"
+  delegate_to: "{{ groups['kube-master']|first }}"
   when: gen_certs|default(false)
   notify: set secret_changed
 
+- name: Gen_certs | run nodes cert generation script
+  command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/{{ inventory_hostname }}-openssl.conf -d {{ kube_cert_dir }}"
+  environment:
+    - HOSTS: "{{ inventory_hostname }}"
+  delegate_to: "{{ groups['kube-master']|first }}"
+  when: gen_certs|default(false) and inventory_hostname in groups['k8s-cluster']
+  notify: set secret_changed
+
 - set_fact:
     all_master_certs: "['ca-key.pem',
                        'apiserver.pem',
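Review bot: The master generation task lost `run_once: yes` when the HOSTS block was removed, so with `delegate_to` it now runs on the first master once for every host in the play. The per-node task adds further invocations against the same `-d {{ kube_cert_dir }}`. make-ssl.sh is not visible here, but if it creates the CA or master keys when they are missing, these overlapping runs could race or regenerate key material; restoring `run_once: yes` on the master task would avoid that. The node task also drops the old `gen_node_certs[h]|default(true)` filter, so it presumably runs for nodes that already hold a certificate; consider appending `and gen_node_certs[inventory_hostname]|default(true)` to its `when:`. The set_fact task at the end of the hunk continues outside it.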
diff --git a/roles/kubernetes/secrets/templates/openssl.conf.j2 b/roles/kubernetes/secrets/templates/openssl-master.conf.j2
similarity index 100%
rename from roles/kubernetes/secrets/templates/openssl.conf.j2
rename to roles/kubernetes/secrets/templates/openssl-master.conf.j2
diff --git a/roles/kubernetes/secrets/templates/openssl-node.conf.j2 b/roles/kubernetes/secrets/templates/openssl-node.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..610764a5bcaa0c8edfaa455481e083eb1549feb0
--- /dev/null
+++ b/roles/kubernetes/secrets/templates/openssl-node.conf.j2
@@ -0,0 +1,16 @@
+{% set counter = {'dns': 2,'ip': 1,} %}{% macro increment(dct, key, inc=1)%}{% if dct.update({key: dct[key] + inc}) %} {% endif %}{% endmacro %}[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = localhost
+DNS.{{ counter["dns"] }} = {{ inventory_hostname }}{{ increment(counter, 'dns') }}
+{% if hostvars[inventory_hostname]['access_ip'] is defined  %}
+IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['access_ip'] }}{{ increment(counter, 'ip') }}
+{% endif %}
+IP.{{ counter["ip"] }} = {{ hostvars[inventory_hostname]['ip'] | default(hostvars[inventory_hostname]['ansible_default_ipv4']['address']) }}{{ increment(counter, 'ip') }}
+IP.{{ counter["ip"] }} = 127.0.0.1
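Review bot: The `[ v3_req ]` section sets `keyUsage` but no `extendedKeyUsage`, so a node certificate issued from this request is not limited to TLS client/server use unless make-ssl.sh (not shown) adds that at signing time. Adding `extendedKeyUsage = clientAuth, serverAuth` would narrow it, and `nonRepudiation` can probably be dropped since TLS does not need it. The IP fallback on the second-to-last line reads `ansible_default_ipv4` from hostvars, which likely requires facts to have been gathered for that host whenever `ip` is unset; a comment saying so would help. The first line packs the counter setup, the macro and `[req]` together, so a `{# counter tracks the next free DNS.n / IP.n index #}` comment would make the numbering trick readable.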