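---
# Create a client certificate for `username`, sign it with the cluster CA,
# build a kubeconfig for that user and apply a role binding.
#
# Variables expected from the caller (not defined here): username,
# host_user (may be empty/undefined), cluster, working_dir, k8s_config_path
# (an admin kubeconfig), k8s_cert_path, k8s_cert_crt_file, k8s_cert_key_file,
# certificate_expires_in (days) and, optionally, kubernetes_server.
# Handler referenced: "remove certificates".
#
# Fixes versus the previous revision:
#   - `entrust_not_after` is only honoured by provider=entrust; with
#     provider=ownca it was ignored, so `certificate_expires_in` never took
#     effect. The ownca equivalent is `ownca_not_after`.
#   - The yq query `.clusters[0] | select(.name == ...)` only matched when the
#     wanted cluster was the first entry; the cluster is now selected by name.
#   - Backslash continuations inside `>-` folded scalars were folded into
#     literal `\ ` words and passed to kubectl; argv lists are used instead,
#     which also removes the shell-injection surface on username/cluster.
#   - The key-holding directory and the generated kubeconfig were group
#     (0775) or umask readable; they are now owner-only.

- name: Prepare cert directory
  block:
    - name: Using host_user to bootstrap config
      when: host_user | default('') | length > 0
      block:
        - name: Set workdir with a custom host user as a fact
          ansible.builtin.set_fact:
            cert_dir: "/home/{{ host_user }}/.k8s/certs/{{ username }}"
            conf_dir: "/home/{{ host_user }}/.kube/{{ username }}"
            is_host_user: true
            # Everything written below ends up owned by this account.
            target_owner: "{{ host_user }}"

    - name: Using user to bootstrap config
      when: host_user | default('') | length == 0
      block:
        - name: Set workdir with the target user as a fact
          ansible.builtin.set_fact:
            cert_dir: "/home/{{ username }}/.k8s/certs/"
            conf_dir: "/home/{{ username }}/.kube"
            is_host_user: false
            target_owner: "{{ username }}"

    - name: Create the certificate directory if it does not exist
      ansible.builtin.file:
        path: "{{ cert_dir }}"
        state: directory
        # Holds the user's private key: owner-only. 0775 would let any
        # member of the owner's group replace the key or certificate.
        mode: "0700"
        owner: "{{ target_owner }}"

    - name: Create the kubeconfig directory if it does not exist
      ansible.builtin.file:
        path: "{{ conf_dir }}"
        state: directory
        mode: "0700"
        owner: "{{ target_owner }}"

- block:
    - name: Generate openssl certificate
      tags: openssl
      block:
        - name: Generate an OpenSSL private key
          community.crypto.openssl_privatekey:
            path: "{{ cert_dir }}/{{ username }}.key"
            type: RSA
            size: 2048
            # Explicit rather than relying on the module default.
            mode: "0600"
            owner: "{{ target_owner }}"

        - name: Generate an OpenSSL Certificate Signing Request
          community.crypto.openssl_csr:
            path: "{{ cert_dir }}/{{ username }}.csr"
            privatekey_path: "{{ cert_dir }}/{{ username }}.key"
            # Kubernetes maps CN to the user name.
            common_name: "{{ username }}"

        - name: Generate an OpenSSL certificate signed with your own CA certificate
          # Root is needed to read the CA private key.
          become: true
          community.crypto.x509_certificate:
            path: "{{ cert_dir }}/{{ username }}.crt"
            csr_path: "{{ cert_dir }}/{{ username }}.csr"
            ownca_path: "{{ k8s_cert_path }}/{{ k8s_cert_crt_file }}"
            ownca_privatekey_path: "{{ k8s_cert_path }}/{{ k8s_cert_key_file }}"
            provider: ownca
            # Lifetime in days; `entrust_not_after` was ignored by ownca.
            ownca_not_after: "+{{ certificate_expires_in }}d"
            # The task runs as root; hand the certificate back to the user.
            owner: "{{ target_owner }}"
            mode: "0644"

    - name: Add user to cluster
      block:
        # --------------------------------------
        # -- Read server + CA data for `cluster`
        # -- from the admin kubeconfig
        # --------------------------------------
        - name: Read the admin kubeconfig
          # NOTE(review): runs as the connecting user, as the yq call did;
          # k8s_config_path must be readable by that user.
          ansible.builtin.slurp:
            src: "{{ k8s_config_path }}"
          register: admin_kubeconfig_raw

        - name: Parse the cluster list from the admin kubeconfig
          ansible.builtin.set_fact:
            admin_clusters: "{{ (admin_kubeconfig_raw.content | b64decode | from_yaml).clusters }}"

        - name: Read user cert data
          ansible.builtin.slurp:
            src: "{{ cert_dir }}/{{ username }}.crt"
          register: user_cert_data_output

        - name: Read user key data
          ansible.builtin.slurp:
            src: "{{ cert_dir }}/{{ username }}.key"
          register: user_key_data_output
          # Keep the private key out of the play log.
          no_log: true

        - name: Set variables for template
          ansible.builtin.set_fact:
            # An explicitly supplied kubernetes_server still wins.
            kubernetes_server: >-
              {{ kubernetes_server | default(admin_clusters
                 | selectattr('name', 'equalto', cluster)
                 | map(attribute='cluster.server') | first) }}
            kubernetes_cad: >-
              {{ admin_clusters
                 | selectattr('name', 'equalto', cluster)
                 | map(attribute='cluster.certificate-authority-data') | first }}
            # slurp returns base64 without line breaks (same as base64 -w 0);
            # the leading space matches what config.j2 expects.
            user_cert_data: " {{ user_cert_data_output.content }}"
            user_key_data: " {{ user_key_data_output.content }}"
          no_log: true

        - name: Create k8s user
          # NOTE(review): no KUBECONFIG is set here, so this edits the
          # connecting user's default kubeconfig, not {{ conf_dir }}/config.
          # --embed-certs keeps that entry valid after the
          # "remove certificates" handler deletes the files.
          ansible.builtin.command:
            argv:
              - "{{ working_dir }}/bin/kubectl"
              - config
              - set-credentials
              - "{{ username }}"
              - "--client-certificate={{ cert_dir }}/{{ username }}.crt"
              - "--client-key={{ cert_dir }}/{{ username }}.key"
              - --embed-certs=true
          notify: remove certificates

        - name: Set user context
          ansible.builtin.command:
            argv:
              - "{{ working_dir }}/bin/kubectl"
              - config
              - set-context
              - "{{ username }}@{{ cluster }}"
              - "--cluster={{ cluster }}"
              - "--user={{ username }}"

        - name: Create config file from template
          ansible.builtin.template:
            src: config.j2
            dest: "{{ conf_dir }}/config"
            # An existing config is never overwritten (so a renewed
            # certificate is not picked up until the file is removed).
            force: false
            owner: "{{ target_owner }}"
            # Embeds the private key.
            mode: "0600"
          tags: config

    - name: Bind user to role
      block:
        - name: Generate role binding yaml
          ansible.builtin.template:
            src: role-binding.j2
            dest: "{{ cert_dir }}/{{ username }}.yaml"

        - name: Apply role binding manifest
          environment:
            KUBECONFIG: "{{ k8s_config_path }}"
          ansible.builtin.command:
            argv:
              - "{{ working_dir }}/bin/kubectl"
              - apply
              - -f
              - "{{ cert_dir }}/{{ username }}.yaml"
  tags: add_user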