Issue front proxy certs for vault

roles/kubernetes/secrets/tasks/gen_certs_vault.yml

@@ -93,3 +93,29 @@
     issue_cert_mount_path: "{{ kube_vault_mount_path }}"
   with_items: "{{ kube_proxy_certs_needed|d([]) }}"
   when: inventory_hostname in groups['k8s-cluster']
+
+# Issue front proxy cert to kube-master hosts
+- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
+  vars:
+    issue_cert_common_name: "front-proxy-client"
+    issue_cert_alt_names: "{{ kube_cert_alt_names }}"
+    issue_cert_file_group: "{{ kube_cert_group }}"
+    issue_cert_file_owner: kube
+    issue_cert_hosts: "{{ groups['kube-master'] }}"
+    issue_cert_ip_sans: >-
+        [
+        {%- for host in groups['kube-master']  -%}
+        "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
+        {%- if hostvars[host]['ip'] is defined -%}
+        "{{ hostvars[host]['ip'] }}",
+        {%- endif -%}
+        {%- endfor -%}
+        "127.0.0.1","::1","{{ kube_apiserver_ip }}"
+        ]
+    issue_cert_path: "{{ item }}"
+    issue_cert_role: front-proxy-client
+    issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
+    issue_cert_mount_path: "{{ kube_vault_mount_path }}"
+  with_items: "{{ kube_master_components_certs_needed|d([]) }}"
+  when: inventory_hostname in groups['kube-master']
+  notify: set secret_changed

roles/vault/defaults/main.yml

@@ -162,3 +162,11 @@ vault_pki_mounts:
           allow_any_name: true
           enforce_hostnames: false
           organization: "system:node-proxier"
+      - name: front-proxy-client
+        group: k8s-cluster
+        password: "{{ lookup('password', 'credentials/vault/kube-proxy length=15') }}"
+        policy_rules: default
+        role_options:
+          allow_any_name: true
+          enforce_hostnames: false
+          organization: "system:front-proxy"