refactor: Make role more flexible

2023-03-09 14:41:35 +01:00 · 2023-03-09 14:41:35 +01:00 · f8ee01a84f
parent 451816d2ea
commit f8ee01a84f
3 changed files with 45 additions and 42 deletions
--- a/create-kubernetes-rbac/defaults/main.yml
+++ b/create-kubernetes-rbac/defaults/main.yml
@ -3,14 +3,50 @@
 # -- yq version
 # --------------------------------------
 yq:
-  version: v4.2.0
+  version: v4.31.2
  binary: yq_linux_amd64
 # --------------------------------------
 # -- Path to k8s admin config
 # --------------------------------------
 k8s_config_path: /etc/kubernetes/admin.conf
 k8s_cert_path: /etc/kubernetes/pki 
+k8s_cert_crt_file: ca.crt
+k8s_cert_key_file: ca.key
 # --------------------------------------
 # -- K8s username
 # --------------------------------------
 username: "admin"
+# --------------------------------------
+# -- How many days certificate 
+# -- will be valid
+# --------------------------------------
+certificate_expires_in: 500
+# --------------------------------------
+# -- K8s cluster name
+# --------------------------------------
+cluster: "microk8s-cluster"
+# --------------------------------------
+# -- RoleBinding parameters
+# --------------------------------------
+# -- Binding type: 
+# ---- ClusterRoleBinding
+# ---- RoleBinding
+# --------------------------------------
+binding_type: ClusterRoleBinding
+# --------------------------------------
+# -- Role type
+# -- ClusterRole
+# -- Role
+# --------------------------------------
+role_type: ClusterRole
+# --------------------------------------
+# -- Cluster role name
+# -- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+# --------------------------------------
+role: cluster-admin
+  
+# --------------------------------------
+# -- Use with microk8s
+# --------------------------------------
+# k8s_config_path: /var/snap/microk8s/current/credentials/client.config 
+# k8s_cert_path: /var/snap/microk8s/current/certs
--- a/create-kubernetes-rbac/tasks/main.yml
+++ b/create-kubernetes-rbac/tasks/main.yml
@ -11,7 +11,7 @@
  block:
    - name: Set workdir as fact
      set_fact:
-        working_dir: "{{ ansible_env.HOME }}/.certs/{{ username }}"
+        working_dir: "{{ working_dir | ansible_env.HOME }}/.certs/{{ username }}"

    - name: Create a directory if it does not exist
      ansible.builtin.file:
@ -20,6 +20,7 @@
        mode: "0775"

 - name: Ensure required packages are installed
+  tags: packages
  block:
  # -------------------------
  # -- Prepare kubectl repo
@ -38,8 +39,7 @@
        filename: kubernetes.list

    # --------------------------------------
-    # -- yq is a lightweight and portable
-    # -- command-line YAML processor
+    # -- Install yq
    # --------------------------------------
    - name: Ensure yq is installed
      become: yes
@ -57,9 +57,9 @@
        packages:
          - kubectl
          - openssl
-  tags: packages

 - name: Generate openssl certificate
+  tags: openssl
  block:
    - name: Generate an OpenSSL private key
      community.crypto.openssl_privatekey:
@ -77,13 +77,11 @@
      community.crypto.x509_certificate:
        path: "{{ working_dir }}/{{ username }}.crt"
        csr_path: "{{ working_dir }}/{{ username }}.csr"
-        ownca_path: "{{ k8s_cert_path }}/ca.crt"
-        ownca_privatekey_path: "{{ k8s_cert_path }}/ca.key"
+        ownca_path: "{{ k8s_cert_path }}/{{ k8s_cert_crt_file }}"
+        ownca_privatekey_path: "{{ k8s_cert_path }}/{{ k8s_cert_key_file }}"
        provider: ownca
        entrust_not_after: "+{{ certificate_expires_in }}d"

-  tags: openssl
-
 - name: Add user to cluster
  block:
    # --------------------------------------
@ -147,5 +145,7 @@
        dest: "{{ working_dir }}/{{ username }}.yaml"

    - name: Apply role binding manifest
+      environment:
+        KUBECONFIG: "{{ k8s_config_path }}"
      shell: kubectl apply -f "{{ working_dir }}/{{ username }}.yaml"
  tags: add_user
--- a/create-kubernetes-rbac/vars/main.yml
+++ b/create-kubernetes-rbac/vars/main.yml
@ -1,34 +1 @@
 ---
-# --------------------------------------
-# -- How many days certificate 
-# -- will be valid
-# --------------------------------------
-certificate_expires_in: 500
-# --------------------------------------
-# -- K8s cluster name
-# --------------------------------------
-cluster: "microk8s-cluster"
-# --------------------------------------
-# -- RoleBinding parameters
-# --------------------------------------
-# -- Binding type: 
-# ---- ClusterRoleBinding
-# ---- RoleBinding
-# --------------------------------------
-binding_type: ClusterRoleBinding
-# --------------------------------------
-# -- Role type
-# -- ClusterRole
-# -- Role
-# --------------------------------------
-role_type: ClusterRole
-# --------------------------------------
-# -- Cluster role name
-# -- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
-# --------------------------------------
-role: cluster-admin
-# --------------------------------------
-# -- Uncomment if you use microk8s
-# --------------------------------------
-# k8s_config_path: /var/snap/microk8s/current/credentials/client.config 
-# k8s_cert_path: /var/snap/microk8s/current/certs