refactor: Make role more flexible
parent
451816d2ea
commit
f8ee01a84f
|
@ -3,14 +3,50 @@
|
|||
# -- yq version
|
||||
# --------------------------------------
|
||||
yq:
|
||||
version: v4.2.0
|
||||
version: v4.31.2
|
||||
binary: yq_linux_amd64
|
||||
# --------------------------------------
|
||||
# -- Path to k8s admin config
|
||||
# --------------------------------------
|
||||
k8s_config_path: /etc/kubernetes/admin.conf
|
||||
k8s_cert_path: /etc/kubernetes/pki
|
||||
k8s_cert_crt_file: ca.crt
|
||||
k8s_cert_key_file: ca.key
|
||||
# --------------------------------------
|
||||
# -- K8s username
|
||||
# --------------------------------------
|
||||
username: "admin"
|
||||
# --------------------------------------
|
||||
# -- How many days certificate
|
||||
# -- will be valid
|
||||
# --------------------------------------
|
||||
certificate_expires_in: 500
|
||||
# --------------------------------------
|
||||
# -- K8s cluster name
|
||||
# --------------------------------------
|
||||
cluster: "microk8s-cluster"
|
||||
# --------------------------------------
|
||||
# -- RoleBinding parameters
|
||||
# --------------------------------------
|
||||
# -- Binding type:
|
||||
# ---- ClusterRoleBinding
|
||||
# ---- RoleBinding
|
||||
# --------------------------------------
|
||||
binding_type: ClusterRoleBinding
|
||||
# --------------------------------------
|
||||
# -- Role type
|
||||
# -- ClusterRole
|
||||
# -- Role
|
||||
# --------------------------------------
|
||||
role_type: ClusterRole
|
||||
# --------------------------------------
|
||||
# -- Cluster role name
|
||||
# -- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
|
||||
# --------------------------------------
|
||||
role: cluster-admin
|
||||
|
||||
# --------------------------------------
|
||||
# -- Use with microk8s
|
||||
# --------------------------------------
|
||||
# k8s_config_path: /var/snap/microk8s/current/credentials/client.config
|
||||
# k8s_cert_path: /var/snap/microk8s/current/certs
|
||||
|
|
|
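Review bot: The defaults at `binding_type: ClusterRoleBinding`, `role_type: ClusterRole` and `role: cluster-admin` mean every user this role issues a certificate for becomes a full cluster administrator unless the caller overrides all three, and moving them from what appears to be a microk8s-only vars file into the role defaults makes that the out-of-the-box behaviour for every consumer. I would either ship a narrower default (for example a built-in read-only ClusterRole such as `view`) or at least document the consequence above `role:`, e.g. `# -- NOTE: cluster-admin grants unrestricted access to every namespace; set role/binding_type per user to the least privilege needed`. Related, `certificate_expires_in: 500` deserves a comment that Kubernetes cannot revoke client certificates, so the validity period is the only lifetime control for the issued credential. If `RoleBinding`/`Role` is selected a namespace is required, and no namespace variable is visible in this hunk — worth checking the templates that consume these values.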
@ -11,7 +11,7 @@
|
|||
block:
|
||||
- name: Set workdir as fact
|
||||
set_fact:
|
||||
working_dir: "{{ ansible_env.HOME }}/.certs/{{ username }}"
|
||||
working_dir: "{{ working_dir | ansible_env.HOME }}/.certs/{{ username }}"
|
||||
|
||||
- name: Create a directory if it does not exist
|
||||
ansible.builtin.file:
|
||||
|
@ -20,6 +20,7 @@
|
|||
mode: "0775"
|
||||
|
||||
- name: Ensure required packages are installed
|
||||
tags: packages
|
||||
block:
|
||||
# -------------------------
|
||||
# -- Prepare kubectl repo
|
||||
|
@ -38,8 +39,7 @@
|
|||
filename: kubernetes.list
|
||||
|
||||
# --------------------------------------
|
||||
# -- yq is a lightweight and portable
|
||||
# -- command-line YAML processor
|
||||
# -- Install yq
|
||||
# --------------------------------------
|
||||
- name: Ensure yq is installed
|
||||
become: yes
|
||||
|
@ -57,9 +57,9 @@
|
|||
packages:
|
||||
- kubectl
|
||||
- openssl
|
||||
tags: packages
|
||||
|
||||
- name: Generate openssl certificate
|
||||
tags: openssl
|
||||
block:
|
||||
- name: Generate an OpenSSL private key
|
||||
community.crypto.openssl_privatekey:
|
||||
|
@ -77,13 +77,11 @@
|
|||
community.crypto.x509_certificate:
|
||||
path: "{{ working_dir }}/{{ username }}.crt"
|
||||
csr_path: "{{ working_dir }}/{{ username }}.csr"
|
||||
ownca_path: "{{ k8s_cert_path }}/ca.crt"
|
||||
ownca_privatekey_path: "{{ k8s_cert_path }}/ca.key"
|
||||
ownca_path: "{{ k8s_cert_path }}/{{ k8s_cert_crt_file }}"
|
||||
ownca_privatekey_path: "{{ k8s_cert_path }}/{{ k8s_cert_key_file }}"
|
||||
provider: ownca
|
||||
entrust_not_after: "+{{ certificate_expires_in }}d"
|
||||
|
||||
tags: openssl
|
||||
|
||||
- name: Add user to cluster
|
||||
block:
|
||||
# --------------------------------------
|
||||
|
@ -147,5 +145,7 @@
|
|||
dest: "{{ working_dir }}/{{ username }}.yaml"
|
||||
|
||||
- name: Apply role binding manifest
|
||||
environment:
|
||||
KUBECONFIG: "{{ k8s_config_path }}"
|
||||
shell: kubectl apply -f "{{ working_dir }}/{{ username }}.yaml"
|
||||
tags: add_user
|
||||
|
|
|
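Review bot: The new `working_dir: "{{ working_dir | ansible_env.HOME }}/.certs/{{ username }}"` in the first hunk applies a Jinja filter named `ansible_env.HOME`, which does not exist, so the task will fail at template time; the intent is presumably a fallback, i.e. `working_dir: "{{ working_dir | default(ansible_env.HOME) }}/.certs/{{ username }}"`. Even then, a caller-supplied `working_dir` gets `/.certs/<username>` appended to it, so a separate base variable (say `certs_base_dir`) resolved in `defaults` would express the override more clearly than rewriting `working_dir` with `set_fact`. The enclosing `block:` starts outside the hunk. In the last hunk, `shell: kubectl apply -f ...` uses no shell features, so `ansible.builtin.command` would avoid shell interpretation of `working_dir` and `username` while keeping the `KUBECONFIG` environment.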
@ -1,34 +1 @@
|
|||
---
|
||||
# --------------------------------------
|
||||
# -- How many days certificate
|
||||
# -- will be valid
|
||||
# --------------------------------------
|
||||
certificate_expires_in: 500
|
||||
# --------------------------------------
|
||||
# -- K8s cluster name
|
||||
# --------------------------------------
|
||||
cluster: "microk8s-cluster"
|
||||
# --------------------------------------
|
||||
# -- RoleBinding parameters
|
||||
# --------------------------------------
|
||||
# -- Binding type:
|
||||
# ---- ClusterRoleBinding
|
||||
# ---- RoleBinding
|
||||
# --------------------------------------
|
||||
binding_type: ClusterRoleBinding
|
||||
# --------------------------------------
|
||||
# -- Role type
|
||||
# -- ClusterRole
|
||||
# -- Role
|
||||
# --------------------------------------
|
||||
role_type: ClusterRole
|
||||
# --------------------------------------
|
||||
# -- Cluster role name
|
||||
# -- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
|
||||
# --------------------------------------
|
||||
role: cluster-admin
|
||||
# --------------------------------------
|
||||
# -- Uncomment if you use microk8s
|
||||
# --------------------------------------
|
||||
# k8s_config_path: /var/snap/microk8s/current/credentials/client.config
|
||||
# k8s_cert_path: /var/snap/microk8s/current/certs
|
||||
|
|