allanger/ansible-create-k8s-user
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Activity
1f12d21059
ansible-create-k8s-user/tasks/create-user.yaml

124 lines
4.7 KiB
YAML
Raw Blame History

---
- name: Prepare cert directory
block:
- name: Using host_user to bootstrap config
when: host_user | length > 0
block:
- name: Set workdir with a custom host user as a fact
set_fact:
cert_dir: "/home/{{ host_user }}/.k8s/certs/{{ username }}"
conf_dir: "/home/{{ host_user }}/.kube/{{ username }}"
is_host_user: true
- name: Using user to bootstrap config
when: host_user | length == 0
block:
- name: Set workdir with a custom host user as a fact
set_fact:
cert_dir: "/home/{{ username }}/.k8s/certs/"
conf_dir: "/home/{{ username }}/.kube"
is_host_user: false
- name: create a directory if it does not exist
ansible.builtin.file:
path: "{{ cert_dir }}"
state: directory
mode: "0775"
owner: "{{ lookup('vars','host_user') if (is_host_user) else lookup('vars','username')}}"
- name: create a directory if it does not exist
ansible.builtin.file:
path: "{{ conf_dir }}"
state: directory
mode: "0775"
owner: "{{ lookup('vars','host_user') if (is_host_user) else lookup('vars','username')}}"
- block:
- name: Generate openssl certificate
tags: openssl
block:
- name: Generate an OpenSSL private key
community.crypto.openssl_privatekey:
path: "{{ cert_dir }}/{{ username }}.key"
size: 2048
- name: Generate an OpenSSL Certificate Signing Request
community.crypto.openssl_csr:
path: "{{ cert_dir }}/{{ username }}.csr"
privatekey_path: "{{ cert_dir }}/{{ username }}.key"
common_name: "{{ username }}"
- name: Generate an OpenSSL certificate signed with your own CA certificate
become: true
community.crypto.x509_certificate:
path: "{{ cert_dir }}/{{ username }}.crt"
csr_path: "{{ cert_dir }}/{{ username }}.csr"
ownca_path: "{{ k8s_cert_path }}/{{ k8s_cert_crt_file }}"
ownca_privatekey_path: "{{ k8s_cert_path }}/{{ k8s_cert_key_file }}"
provider: ownca
entrust_not_after: "+{{ certificate_expires_in }}d"
- name: Add user to cluster
block:
# --------------------------------------
# -- Get k8s server from admin.conf
# --------------------------------------
- name: Get k8s server
shell: "{{ working_dir }}/bin/yq e '.clusters[0] | select(.name == \"{{ cluster }}\").cluster.server' {{ k8s_config_path }}"
register: kubernetes_server_output
# --------------------------------------
# -- Get k8s certificate authority data
# -- from admin-conf
# --------------------------------------
- name: Get k8s certificate authority data
shell: "{{ working_dir }}/bin/yq e '.clusters[0] | select(.name == \"{{ cluster }}\").cluster.certificate-authority-data' {{ k8s_config_path }}"
register: kubernetes_cad_output
- name: Get user cert data
shell: cat "{{ cert_dir }}/{{ username }}.crt" | base64 -w 0
register: user_cert_data_output
- name: Get user key data
shell: cat "{{ cert_dir }}/{{ username }}.key" | base64 -w 0
register: user_key_data_output
- name: Set variables for template
set_fact:
kubernetes_server: "{{ kubernetes_server | default(kubernetes_server_output.stdout) }}"
kubernetes_cad: "{{ kubernetes_cad_output.stdout }}"
user_cert_data: " {{ user_cert_data_output.stdout }}"
user_key_data: " {{ user_key_data_output.stdout }}"
- name: Create k8s user
ansible.builtin.shell: >-
{{ working_dir }}/bin/kubectl config set-credentials {{ username }} \
--client-certificate="{{ cert_dir }}/{{ username }}.crt" \
--client-key="{{ cert_dir }}/{{ username }}.key"
notify: remove certificates
- name: Set user context
ansible.builtin.shell: >-
{{ working_dir }}/bin/kubectl config set-context {{ username }}@{{ cluster }} \
--cluster={{ cluster }} --user="{{ username }}"
- name: Create config file from template
template:
src: config.j2
dest: "{{ conf_dir }}/config"
force: false
owner: "{{ lookup('vars','host_user') if (is_host_user) else lookup('vars','username')}}"
tags: config
- name: Bind user to role
block:
- name: Generate role binding yaml
template:
src: role-binding.j2
dest: "{{ cert_dir }}/{{ username }}.yaml"
- name: Apply role binding manifest
environment:
KUBECONFIG: "{{ k8s_config_path }}"
shell: "{{ working_dir }}/bin/kubectl apply -f {{ cert_dir }}/{{ username }}.yaml"
tags: add_user
Reference in New Issue View Git Blame Copy Permalink