refactor: Make role more flexible
This commit is contained in:
parent
451816d2ea
commit
f8ee01a84f
|
@ -3,14 +3,50 @@
|
||||||
# -- yq version
|
# -- yq version
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
yq:
|
yq:
|
||||||
version: v4.2.0
|
version: v4.31.2
|
||||||
binary: yq_linux_amd64
|
binary: yq_linux_amd64
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
# -- Path to k8s admin config
|
# -- Path to k8s admin config
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
k8s_config_path: /etc/kubernetes/admin.conf
|
k8s_config_path: /etc/kubernetes/admin.conf
|
||||||
k8s_cert_path: /etc/kubernetes/pki
|
k8s_cert_path: /etc/kubernetes/pki
|
||||||
|
k8s_cert_crt_file: ca.crt
|
||||||
|
k8s_cert_key_file: ca.key
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
# -- K8s username
|
# -- K8s username
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
username: "admin"
|
username: "admin"
|
||||||
|
# --------------------------------------
|
||||||
|
# -- How many days certificate
|
||||||
|
# -- will be valid
|
||||||
|
# --------------------------------------
|
||||||
|
certificate_expires_in: 500
|
||||||
|
# --------------------------------------
|
||||||
|
# -- K8s cluster name
|
||||||
|
# --------------------------------------
|
||||||
|
cluster: "microk8s-cluster"
|
||||||
|
# --------------------------------------
|
||||||
|
# -- RoleBinding parameters
|
||||||
|
# --------------------------------------
|
||||||
|
# -- Binding type:
|
||||||
|
# ---- ClusterRoleBinding
|
||||||
|
# ---- RoleBinding
|
||||||
|
# --------------------------------------
|
||||||
|
binding_type: ClusterRoleBinding
|
||||||
|
# --------------------------------------
|
||||||
|
# -- Role type
|
||||||
|
# -- ClusterRole
|
||||||
|
# -- Role
|
||||||
|
# --------------------------------------
|
||||||
|
role_type: ClusterRole
|
||||||
|
# --------------------------------------
|
||||||
|
# -- Cluster role name
|
||||||
|
# -- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
|
||||||
|
# --------------------------------------
|
||||||
|
role: cluster-admin
|
||||||
|
|
||||||
|
# --------------------------------------
|
||||||
|
# -- Use with microk8s
|
||||||
|
# --------------------------------------
|
||||||
|
# k8s_config_path: /var/snap/microk8s/current/credentials/client.config
|
||||||
|
# k8s_cert_path: /var/snap/microk8s/current/certs
|
||||||
|
|
|
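Review bot: With `binding_type: ClusterRoleBinding`, `role_type: ClusterRole` and `role: cluster-admin` now sitting in defaults, a run with no overrides still issues a CA-signed client certificate carrying full cluster-admin for `certificate_expires_in: 500` days, and Kubernetes does not revoke client certificates, so the only way to retire that identity afterwards is to rotate the cluster CA. Since the point of this commit is to let callers scope the role down, the defaults should say so: above `role:` I would add `# -- cluster-admin grants full cluster access; prefer a namespaced Role/RoleBinding or a narrower ClusterRole (view/edit). Issued client certs cannot be revoked.` and above `certificate_expires_in:` `# -- Keep short: kubectl client certs are not revocable once signed.` The new `k8s_cert_key_file: ca.key` also means the role reads the cluster CA private key from `k8s_cert_path`, which deserves a one-line comment there so operators know what privilege the play needs. The file header for this section is not shown, so I am assuming these are the role's defaults.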
@ -11,7 +11,7 @@
|
||||||
block:
|
block:
|
||||||
- name: Set workdir as fact
|
- name: Set workdir as fact
|
||||||
set_fact:
|
set_fact:
|
||||||
working_dir: "{{ ansible_env.HOME }}/.certs/{{ username }}"
|
working_dir: "{{ working_dir | ansible_env.HOME }}/.certs/{{ username }}"
|
||||||
|
|
||||||
- name: Create a directory if it does not exist
|
- name: Create a directory if it does not exist
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
|
@ -20,6 +20,7 @@
|
||||||
mode: "0775"
|
mode: "0775"
|
||||||
|
|
||||||
- name: Ensure required packages are installed
|
- name: Ensure required packages are installed
|
||||||
|
tags: packages
|
||||||
block:
|
block:
|
||||||
# -------------------------
|
# -------------------------
|
||||||
# -- Prepare kubectl repo
|
# -- Prepare kubectl repo
|
||||||
|
@ -38,8 +39,7 @@
|
||||||
filename: kubernetes.list
|
filename: kubernetes.list
|
||||||
|
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
# -- yq is a lightweight and portable
|
# -- Install yq
|
||||||
# -- command-line YAML processor
|
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
- name: Ensure yq is installed
|
- name: Ensure yq is installed
|
||||||
become: yes
|
become: yes
|
||||||
|
@ -57,9 +57,9 @@
|
||||||
packages:
|
packages:
|
||||||
- kubectl
|
- kubectl
|
||||||
- openssl
|
- openssl
|
||||||
tags: packages
|
|
||||||
|
|
||||||
- name: Generate openssl certificate
|
- name: Generate openssl certificate
|
||||||
|
tags: openssl
|
||||||
block:
|
block:
|
||||||
- name: Generate an OpenSSL private key
|
- name: Generate an OpenSSL private key
|
||||||
community.crypto.openssl_privatekey:
|
community.crypto.openssl_privatekey:
|
||||||
|
@ -77,13 +77,11 @@
|
||||||
community.crypto.x509_certificate:
|
community.crypto.x509_certificate:
|
||||||
path: "{{ working_dir }}/{{ username }}.crt"
|
path: "{{ working_dir }}/{{ username }}.crt"
|
||||||
csr_path: "{{ working_dir }}/{{ username }}.csr"
|
csr_path: "{{ working_dir }}/{{ username }}.csr"
|
||||||
ownca_path: "{{ k8s_cert_path }}/ca.crt"
|
ownca_path: "{{ k8s_cert_path }}/{{ k8s_cert_crt_file }}"
|
||||||
ownca_privatekey_path: "{{ k8s_cert_path }}/ca.key"
|
ownca_privatekey_path: "{{ k8s_cert_path }}/{{ k8s_cert_key_file }}"
|
||||||
provider: ownca
|
provider: ownca
|
||||||
entrust_not_after: "+{{ certificate_expires_in }}d"
|
entrust_not_after: "+{{ certificate_expires_in }}d"
|
||||||
|
|
||||||
tags: openssl
|
|
||||||
|
|
||||||
- name: Add user to cluster
|
- name: Add user to cluster
|
||||||
block:
|
block:
|
||||||
# --------------------------------------
|
# --------------------------------------
|
||||||
|
@ -147,5 +145,7 @@
|
||||||
dest: "{{ working_dir }}/{{ username }}.yaml"
|
dest: "{{ working_dir }}/{{ username }}.yaml"
|
||||||
|
|
||||||
- name: Apply role binding manifest
|
- name: Apply role binding manifest
|
||||||
|
environment:
|
||||||
|
KUBECONFIG: "{{ k8s_config_path }}"
|
||||||
shell: kubectl apply -f "{{ working_dir }}/{{ username }}.yaml"
|
shell: kubectl apply -f "{{ working_dir }}/{{ username }}.yaml"
|
||||||
tags: add_user
|
tags: add_user
|
||||||
|
|
|
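Review bot: The rewritten `working_dir` fact in the first hunk is a Jinja expression that will not render: `{{ working_dir | ansible_env.HOME }}` treats `ansible_env.HOME` as a filter name, so Ansible aborts with a "no filter named" error on every run. If the intent is to let callers override the directory, `working_dir: "{{ working_dir | default(ansible_env.HOME ~ '/.certs/' ~ username) }}"` keeps the old path as the fallback without appending `/.certs/<user>` to a caller-supplied value. Separately, in the `x509_certificate` hunk `entrust_not_after` is the Entrust provider's option and, as far as I can tell, is ignored under `provider: ownca`, so `certificate_expires_in` has no effect and the certificate gets the module's default lifetime; the key should be `ownca_not_after: "+{{ certificate_expires_in }}d"`. The `kubectl apply` task also interpolates `working_dir` and `username` into a `shell:` string, where `command:` (or `kubernetes.core.k8s` with `src:`) would avoid shell parsing of those values. The enclosing `block:` sections begin outside the hunks.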
@ -1,34 +1 @@
|
||||||
---
|
---
|
||||||
# --------------------------------------
|
|
||||||
# -- How many days certificate
|
|
||||||
# -- will be valid
|
|
||||||
# --------------------------------------
|
|
||||||
certificate_expires_in: 500
|
|
||||||
# --------------------------------------
|
|
||||||
# -- K8s cluster name
|
|
||||||
# --------------------------------------
|
|
||||||
cluster: "microk8s-cluster"
|
|
||||||
# --------------------------------------
|
|
||||||
# -- RoleBinding parameters
|
|
||||||
# --------------------------------------
|
|
||||||
# -- Binding type:
|
|
||||||
# ---- ClusterRoleBinding
|
|
||||||
# ---- RoleBinding
|
|
||||||
# --------------------------------------
|
|
||||||
binding_type: ClusterRoleBinding
|
|
||||||
# --------------------------------------
|
|
||||||
# -- Role type
|
|
||||||
# -- ClusterRole
|
|
||||||
# -- Role
|
|
||||||
# --------------------------------------
|
|
||||||
role_type: ClusterRole
|
|
||||||
# --------------------------------------
|
|
||||||
# -- Cluster role name
|
|
||||||
# -- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
|
|
||||||
# --------------------------------------
|
|
||||||
role: cluster-admin
|
|
||||||
# --------------------------------------
|
|
||||||
# -- Uncomment if you use microk8s
|
|
||||||
# --------------------------------------
|
|
||||||
# k8s_config_path: /var/snap/microk8s/current/credentials/client.config
|
|
||||||
# k8s_cert_path: /var/snap/microk8s/current/certs
|
|
||||||
|
|