diff --git a/create-kubernetes-rbac/defaults/main.yml b/create-kubernetes-rbac/defaults/main.yml
index 067a8dc..91083f6 100644
--- a/create-kubernetes-rbac/defaults/main.yml
+++ b/create-kubernetes-rbac/defaults/main.yml
@@ -3,14 +3,50 @@
# -- yq version
# --------------------------------------
yq:
- version: v4.2.0
+ version: v4.31.2
binary: yq_linux_amd64
# --------------------------------------
# -- Path to k8s admin config
# --------------------------------------
k8s_config_path: /etc/kubernetes/admin.conf
k8s_cert_path: /etc/kubernetes/pki
+k8s_cert_crt_file: ca.crt
+k8s_cert_key_file: ca.key
# --------------------------------------
# -- K8s username
# --------------------------------------
username: "admin"
+# --------------------------------------
+# -- How many days certificate
+# -- will be valid
+# --------------------------------------
+certificate_expires_in: 500
+# --------------------------------------
+# -- K8s cluster name
+# --------------------------------------
+cluster: "microk8s-cluster"
+# --------------------------------------
+# -- RoleBinding parameters
+# --------------------------------------
+# -- Binding type:
+# ---- ClusterRoleBinding
+# ---- RoleBinding
+# --------------------------------------
+binding_type: ClusterRoleBinding
+# --------------------------------------
+# -- Role type
+# -- ClusterRole
+# -- Role
+# --------------------------------------
+role_type: ClusterRole
+# --------------------------------------
+# -- Cluster role name
+# -- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+# --------------------------------------
+role: cluster-admin
+
# --------------------------------------
+# -- Use with microk8s
+# --------------------------------------
+# k8s_config_path: /var/snap/microk8s/current/credentials/client.config
+# k8s_cert_path: /var/snap/microk8s/current/certs
diff --git a/create-kubernetes-rbac/tasks/main.yml b/create-kubernetes-rbac/tasks/main.yml
index f03e4f3..0b3b475 100644
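Review bot: The new defaults `binding_type: ClusterRoleBinding`, `role_type: ClusterRole` and `role: cluster-admin` mean that running this role with no overrides issues a client certificate bound to cluster-admin, and `certificate_expires_in: 500` keeps that credential valid for well over a year. Kubernetes performs no revocation check on client certificates, so once issued such a cert can only be invalidated by rotating the cluster CA; a least-privilege default (for example `role: view`, or `binding_type: RoleBinding` scoped to a namespace) with cluster-admin as an explicit opt-in, plus a shorter expiry, would be the safer out-of-the-box behaviour. At minimum add a warning above `role:` such as `# -- cluster-admin grants unrestricted API access and client certs cannot be revoked without rotating the CA; prefer a narrower role and a short certificate_expires_in`. The new `k8s_cert_key_file: ca.key` also makes it explicit that the role reads the cluster CA private key, which belongs in the header comment of this file.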
--- a/create-kubernetes-rbac/tasks/main.yml +++ b/create-kubernetes-rbac/tasks/main.yml @@ -11,7 +11,7 @@ block: - name: Set workdir as fact set_fact: - working_dir: "{{ ansible_env.HOME }}/.certs/{{ username }}" + working_dir: "{{ working_dir | ansible_env.HOME }}/.certs/{{ username }}" - name: Create a directory if it does not exist ansible.builtin.file: @@ -20,6 +20,7 @@ mode: "0775" - name: Ensure required packages are installed + tags: packages block: # ------------------------- # -- Prepare kubectl repo @@ -38,8 +39,7 @@ filename: kubernetes.list # -------------------------------------- - # -- yq is a lightweight and portable - # -- command-line YAML processor + # -- Install yq # -------------------------------------- - name: Ensure yq is installed become: yes @@ -57,9 +57,9 @@ packages: - kubectl - openssl - tags: packages - name: Generate openssl certificate + tags: openssl block: - name: Generate an OpenSSL private key community.crypto.openssl_privatekey: @@ -77,13 +77,11 @@ community.crypto.x509_certificate: path: "{{ working_dir }}/{{ username }}.crt" csr_path: "{{ working_dir }}/{{ username }}.csr" - ownca_path: "{{ k8s_cert_path }}/ca.crt" - ownca_privatekey_path: "{{ k8s_cert_path }}/ca.key" + ownca_path: "{{ k8s_cert_path }}/{{ k8s_cert_crt_file }}" + ownca_privatekey_path: "{{ k8s_cert_path }}/{{ k8s_cert_key_file }}" provider: ownca entrust_not_after: "+{{ certificate_expires_in }}d" - tags: openssl - - name: Add user to cluster block: # -------------------------------------- @@ -147,5 +145,7 @@ dest: "{{ working_dir }}/{{ username }}.yaml" - name: Apply role binding manifest + environment: + KUBECONFIG: "{{ k8s_config_path }}" shell: kubectl apply -f "{{ working_dir }}/{{ username }}.yaml" tags: add_user diff --git a/create-kubernetes-rbac/vars/main.yml b/create-kubernetes-rbac/vars/main.yml index 0457d68..ed97d53 100644 --- a/create-kubernetes-rbac/vars/main.yml +++ b/create-kubernetes-rbac/vars/main.yml 
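Review bot: The new `working_dir` expression `{{ working_dir | ansible_env.HOME }}` uses `|`, which in Jinja applies a filter, and there is no filter named `ansible_env.HOME`, so this `set_fact` fails to render on every run; the intended fallback is `working_dir: "{{ working_dir | default(ansible_env.HOME) }}/.certs/{{ username }}"`. Note that even with `default()`, a caller-supplied `working_dir` gets `/.certs/<username>` appended rather than being used verbatim — if that is intended, say so with a comment like `# -- working_dir may be overridden; .certs/<username> is appended either way`. The enclosing block starts before this hunk.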
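Review bot: The `entrust_not_after` key left beside the new `ownca_path`/`ownca_privatekey_path` lines only applies to the entrust provider; as far as I can tell from community.crypto's `x509_certificate`, with `provider: ownca` the validity comes from `ownca_not_after` (default `+3650d`), so `certificate_expires_in` is silently ignored and the client cert is valid for ten years. The fix is the one-line rename `ownca_not_after: "+{{ certificate_expires_in }}d"`. Since `ownca_privatekey_path` now resolves to `{{ k8s_cert_path }}/{{ k8s_cert_key_file }}`, the task needs read access to the cluster CA private key, which is typically root-only; state in a comment whether this task is expected to run with become. The enclosing block starts before this hunk.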
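Review bot: `shell: kubectl apply -f "{{ working_dir }}/{{ username }}.yaml"` goes through a shell although no pipes or globs are used, so `working_dir` and `username` are interpolated into a command line rather than passed as an argument; use `ansible.builtin.command:` with `argv: [kubectl, apply, -f, "{{ working_dir }}/{{ username }}.yaml"]` so the path is a single argv element, and add a `changed_when` since `kubectl apply` otherwise always reports changed. The added `environment: KUBECONFIG:` is the right way to select the admin config, but any other kubectl calls earlier in this block (outside the hunk) should get the same environment or the apply will run against a different cluster than the lookups that preceded it. If the `kubernetes.core` collection is available, `kubernetes.core.k8s` with `state: present` gives idempotent change reporting for free.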
@@ -1,34 +1 @@
---
-# --------------------------------------
-# -- How many days certificate
-# -- will be valid
-# --------------------------------------
-certificate_expires_in: 500
-# --------------------------------------
-# -- K8s cluster name
-# --------------------------------------
-cluster: "microk8s-cluster"
-# --------------------------------------
-# -- RoleBinding parameters
-# --------------------------------------
-# -- Binding type:
-# ---- ClusterRoleBinding
-# ---- RoleBinding
-# --------------------------------------
-binding_type: ClusterRoleBinding
-# --------------------------------------
-# -- Role type
-# -- ClusterRole
-# -- Role
-# --------------------------------------
-role_type: ClusterRole
-# --------------------------------------
-# -- Cluster role name
-# -- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
-# --------------------------------------
-role: cluster-admin
-# --------------------------------------
-# -- Uncomment if you use microk8s
-# --------------------------------------
-# k8s_config_path: /var/snap/microk8s/current/credentials/client.config
-# k8s_cert_path: /var/snap/microk8s/current/certs