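---
# Generates a self-signed CA and the leaf certificates a Kubernetes cluster
# needs. Every play runs on the controller (connection: local) and writes
# into ./certs/. Each generate step is guarded by `creates:`, so re-running
# the playbook never overwrites existing key material — delete the file to
# force regeneration.
- name: Generate CA Cert
  hosts: localhost
  connection: local
  tags: cacert
  tasks:
    - name: Create certs dir
      file:
        path: certs
        state: directory
        # Unencrypted private keys are written here; keep the directory
        # closed to other local users.
        mode: "0700"

    - name: Generate CA primary key
      # shell (not command) because umask is a shell builtin: the key file
      # must never exist with the default, world-readable mode, not even for
      # the brief window before a later chmod could run.
      # NOTE: the CA key is stored unencrypted (-nodes on the next step);
      # whoever can read ./certs can mint cluster credentials.
      shell: umask 077 && openssl genrsa -out ca-key.pem 2048
      args:
        chdir: certs/
        creates: ca-key.pem

    - name: Generate CA certificate
      # -sha256 pins the signature digest instead of relying on whatever the
      # local OpenSSL build defaults to. 10000 days (~27 years) is deliberate:
      # rotating the CA means re-issuing every leaf cert generated below.
      # Shorten it if your policy requires a bounded CA lifetime.
      command: >-
        openssl req -x509 -new -nodes -sha256 -key ca-key.pem -days 10000
        -out ca.pem -subj "/CN=kube-ca"
      args:
        chdir: certs/
        creates: ca.pem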
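- name: Generate apiserver Cert
  hosts: localhost
  connection: local
  tags: apiservercert
  tasks:
    - name: Generate apiserver template
      # openssl.cnf is a Jinja template (presumably carrying the apiserver
      # SANs — check the template). It is re-rendered on every run, which is
      # harmless because the CSR and cert below are only produced once.
      template:
        src: openssl.cnf
        dest: certs/openssl.cnf

    - name: Generate apiserver primary key
      # shell so that umask applies and the key is created 0600 from the
      # start rather than tightened after the fact.
      shell: umask 077 && openssl genrsa -out apiserver-key.pem 2048
      args:
        chdir: certs/
        creates: apiserver-key.pem

    - name: Generate apiserver CSR
      # command rather than shell: no shell features are used here, and it
      # keeps the inventory-supplied resource_group from ever being parsed by
      # a shell. The CN is what clients will see as the server identity.
      command: >-
        openssl req -new -sha256 -key apiserver-key.pem -out apiserver.csr
        -subj "/CN=kube-apiserver-{{ resource_group }}" -config openssl.cnf
      args:
        chdir: certs/
        creates: apiserver.csr

    - name: Generate apiserver certificate
      # Signed by the CA from the cacert play. Extensions (SANs etc.) are taken
      # from the v3_req section of the rendered openssl.cnf, not from the CSR.
      # 720 days is roughly two years; plan the renewal before then.
      command: >-
        openssl x509 -req -sha256 -in apiserver.csr -CA ca.pem -CAkey ca-key.pem
        -CAcreateserial -out apiserver.pem -days 720
        -extensions v3_req -extfile openssl.cnf
      args:
        chdir: certs/
        creates: apiserver.pem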
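- name: Generate kube-proxy Cert
  hosts: localhost
  connection: local
  tags: proxycert
  tasks:
    - name: Generate kube-proxy primary key
      # shell so that umask applies; the key is born 0600.
      shell: umask 077 && openssl genrsa -out proxy-key.pem 2048
      args:
        chdir: certs/
        creates: proxy-key.pem

    - name: Generate kube-proxy CSR
      # CN system:kube-proxy is the username the API server will attribute
      # to this client cert. The config is a static file (no template step),
      # referenced relative to the certs/ working directory.
      command: >-
        openssl req -new -sha256 -key proxy-key.pem -out proxy.csr
        -subj "/CN=system:kube-proxy" -config ../files/proxy-openssl.cnf
      args:
        chdir: certs/
        creates: proxy.csr

    - name: Generate kube-proxy certificate
      # Client cert signed by the cluster CA; v3_req extensions come from the
      # same static config. 720 days ≈ two years.
      command: >-
        openssl x509 -req -sha256 -in proxy.csr -CA ca.pem -CAkey ca-key.pem
        -CAcreateserial -out proxy.pem -days 720
        -extensions v3_req -extfile ../files/proxy-openssl.cnf
      args:
        chdir: certs/
        creates: proxy.pem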
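- name: Generate k8s secret encryption key
  hosts: localhost
  connection: local
  tags: k8scert
  tasks:
    # Idempotence here is a stat guard rather than `creates:`, because the
    # key and the rendered config are produced by two different tasks.
    - name: Check for already generated k8s key
      stat:
        path: "certs/enc-config-{{ resource_group }}.yaml"
      register: k8sfile

    - name: Generate k8s secret
      # 32 random bytes from the kernel CSPRNG, base64-encoded. The registered
      # stdout IS the secret, so no_log keeps it out of Ansible's console
      # output and logs. The pipe is why this stays a shell task.
      shell: head -c 32 /dev/urandom | base64
      register: k8sSecretKey
      no_log: true
      when: not k8sfile.stat.exists

    - name: Generate encryption config
      # The template presumably embeds k8sSecretKey.stdout — confirm against
      # enc-config.yaml. no_log stops --diff from printing the rendered secret,
      # and mode 0600 keeps the file readable by the owner only.
      template:
        src: enc-config.yaml
        dest: "certs/enc-config-{{ resource_group }}.yaml"
        mode: "0600"
      no_log: true
      when: not k8sfile.stat.exists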
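- name: Generate workers Certs
  # One iteration per host in the intersection of the `node` group and the
  # resource_group group, but every task still executes on the controller.
  hosts: "node:&{{ resource_group }}"
  connection: local
  tags: workerscerts
  vars:
    # Forces which interpreter runs the (local) modules for this play;
    # presumably needed for this controller's environment — verify.
    ansible_python_interpreter: "python"
  tasks:
    - name: Generate worker template
      template:
        src: worker-openssl.cnf
        dest: "certs/{{ name }}-worker-openssl.cnf"

    - name: Generate worker primary key
      # `name` comes from inventory, and this task needs a shell (umask is a
      # builtin), so the output path is shell-quoted to keep a hostname from
      # ever being interpreted as shell syntax.
      shell: umask 077 && openssl genrsa -out {{ (name ~ '-worker-key.pem') | quote }} 2048
      args:
        chdir: certs/
        creates: "{{ name }}-worker-key.pem"

    - name: Generate worker CSR
      # command (no shell) so inventory values are only ever argv entries.
      # CN system:node:<name> with O=system:nodes is the identity this node
      # will present to the API server; keep it consistent with how node
      # authorization is configured on the control plane.
      command: >-
        openssl req -new -sha256 -key {{ name }}-worker-key.pem
        -out {{ name }}-worker.csr
        -subj "/CN=system:node:{{ name }}/O=system:nodes"
        -config {{ name }}-worker-openssl.cnf
      args:
        chdir: certs/
        creates: "{{ name }}-worker.csr"

    - name: Generate worker certificate
      # Signed by the cluster CA; v3_req extensions come from the per-node
      # rendered config. 720 days ≈ two years.
      command: >-
        openssl x509 -req -sha256 -in {{ name }}-worker.csr
        -CA ca.pem -CAkey ca-key.pem -CAcreateserial
        -out {{ name }}-worker.pem -days 720
        -extensions v3_req -extfile {{ name }}-worker-openssl.cnf
      args:
        chdir: certs/
        creates: "{{ name }}-worker.pem"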
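- name: Generate etcd Certs
  # One iteration per host in `etcd` ∩ resource_group, executed locally.
  # NOTE: this play reuses the worker template and the "<name>-worker-*"
  # file names for etcd members; the task names and paths are kept as-is
  # because other playbooks may reference them, so only the CN differs
  # (a bare "<name>" instead of system:node:<name>).
  hosts: "etcd:&{{ resource_group }}"
  connection: local
  tags: etcdcerts
  vars:
    # Forces which interpreter runs the (local) modules for this play;
    # presumably needed for this controller's environment — verify.
    ansible_python_interpreter: "python"
  tasks:
    - name: Generate worker template
      template:
        src: worker-openssl.cnf
        dest: "certs/{{ name }}-worker-openssl.cnf"

    - name: Generate worker primary key
      # Shell is needed for umask (key created 0600); the inventory-derived
      # path is shell-quoted so a hostname can never be parsed as syntax.
      shell: umask 077 && openssl genrsa -out {{ (name ~ '-worker-key.pem') | quote }} 2048
      args:
        chdir: certs/
        creates: "{{ name }}-worker-key.pem"

    - name: Generate worker CSR
      # command (no shell) so inventory values are only ever argv entries.
      command: >-
        openssl req -new -sha256 -key {{ name }}-worker-key.pem
        -out {{ name }}-worker.csr
        -subj "/CN={{ name }}"
        -config {{ name }}-worker-openssl.cnf
      args:
        chdir: certs/
        creates: "{{ name }}-worker.csr"

    - name: Generate worker certificate
      # Signed by the cluster CA; v3_req extensions come from the per-host
      # rendered config. 720 days ≈ two years.
      command: >-
        openssl x509 -req -sha256 -in {{ name }}-worker.csr
        -CA ca.pem -CAkey ca-key.pem -CAcreateserial
        -out {{ name }}-worker.pem -days 720
        -extensions v3_req -extfile {{ name }}-worker-openssl.cnf
      args:
        chdir: certs/
        creates: "{{ name }}-worker.pem"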