cloudlabsinfra.etcd_cluster_certificates

ansible-etcd-cluster-certificates

Ansible role to create and manage SSL certificates on a single-node or multi-node ETCD setup. CFSSL is currently the only supported certificate provider. Read more about ETCD TLS support at Transport security model and Generate self-signed certificates.

The role generates the following set of certificates on each host:

# ls -1 /etc/ssl/private
ca-config.json
ca-csr.json
ca-key.pem
ca.pem
client-key.pem
client.csr
client.json
client.pem
peer-key.pem
peer.csr
peer.json
peer.pem
server-key.pem
server.csr
server.json
server.pem

Requirements

  • CFSSL binaries are not supplied with this role and should be installed using other roles or manually (manual installation is not recommended)
  • The iproute2 package is required on Debian-like systems to gather network facts, but it may not be present by default in basic installations (or in containers)

Role Variables

All variables are defined as defaults in defaults/main.yml and may be overridden.

Name (default value): Description

etcd_cert_user (default: root)
  Certificate owner user

etcd_cert_group (default: root)
  Certificate owner group

etcd_cert_dir (default: /etc/ssl/private/)
  Directory to store certificates

etcd_cert_init_ca_node (default: false)
  Initial node that generates the CA certificate pair and distributes it to the other nodes. Should be the only such node in the whole play

etcd_cert_ca_cert_remote_path (default: not set)
  A path to the CA certificate on the remote node (not on the Ansible play host). The CA certificate should be copied to the remote node in advance

etcd_cert_ca_key_remote_path (default: not set)
  A path to the CA key on the remote node (not on the Ansible play host). The CA key should be copied to the remote node in advance

etcd_cert_expiry (default: 43800h)
  Certificate expiry in hours

etcd_cert_ca_config (default: see defaults/main.yml)
  CA config with all required certificate profiles. Certificates should include the appropriate X509v3 certificate extensions depending on usage type (client, server or peer). Read more at Transport security model and Standard X.509 v3 Certificate Extension Reference

etcd_cert_ca_csr (default: see defaults/main.yml)
  CA Certificate Signing Request (CSR)

etcd_cert_matrix (default: see defaults/main.yml)
  A list of entries with three mandatory fields:
  • profile_name - name of a certificate profile from the etcd_cert_ca_config variable
  • output_name - base name of the output certificate files
  • csr - a CSR in YAML format; it will be converted to JSON

  Output file names will be the following:
  {{output_name}}-key.pem
  {{output_name}}.csr
  {{output_name}}.pem
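As an added illustration (not code from the role itself), the following script models how the three variables above fit together: it checks that every profile_name in etcd_cert_matrix exists in etcd_cert_ca_config, that each profile carries the X509v3 extended key usage its endpoint type needs (server auth for server, client auth for client, both for peer), that server and peer CSRs carry SAN hosts, and it derives the output file names. The profile contents, hostnames and CN values are constructed samples, not the role's defaults.

```python
import json

# Constructed sample in the shape of the role's variables; the profile
# contents are an assumption, not a copy of the role's defaults/main.yml.
etcd_cert_ca_config = {"signing": {
    "default": {"expiry": "43800h"},
    "profiles": {
        "server": {"usages": ["signing", "key encipherment", "server auth"]},
        "client": {"usages": ["signing", "key encipherment", "client auth"]},
        "peer": {"usages": ["signing", "key encipherment",
                            "server auth", "client auth"]},
    }}}

KEY = {"algo": "ecdsa", "size": 256}
HOSTS = ["127.0.0.1", "etcd1.example.test"]  # constructed SANs
etcd_cert_matrix = [
    {"profile_name": "server", "output_name": "server",
     "csr": {"CN": "etcd-server", "hosts": HOSTS, "key": KEY}},
    {"profile_name": "client", "output_name": "client",
     "csr": {"CN": "etcd-client", "hosts": [], "key": KEY}},
    {"profile_name": "peer", "output_name": "peer",
     "csr": {"CN": "etcd-peer", "hosts": HOSTS, "key": KEY}},
]

# Extended key usages each etcd endpoint type needs; peers dial and accept.
REQUIRED_USAGES = {"server": {"server auth"}, "client": {"client auth"},
                   "peer": {"server auth", "client auth"}}

def check_matrix(ca_config, matrix):
    """Return a list of problems; an empty list means the matrix is consistent."""
    profiles = ca_config["signing"]["profiles"]
    problems = []
    for entry in matrix:
        out, name = entry["output_name"], entry["profile_name"]
        if name not in profiles:
            problems.append(f"{out}: profile {name!r} not in etcd_cert_ca_config")
            continue
        missing = REQUIRED_USAGES.get(name, set()) - set(profiles[name].get("usages", []))
        if missing:
            problems.append(f"{out}: profile {name!r} lacks {sorted(missing)}")
        if name in ("server", "peer") and not entry["csr"].get("hosts"):
            problems.append(f"{out}: server/peer CSR needs SAN hosts")
    return problems

def output_files(entry, cert_dir="/etc/ssl/private/"):
    """File names the role writes for one matrix entry."""
    base = cert_dir.rstrip("/") + "/" + entry["output_name"]
    return [base + "-key.pem", base + ".csr", base + ".pem"]

def csr_json(entry):
    """The JSON document handed to cfssl, built from the entry's csr field."""
    return json.dumps(entry["csr"], indent=2)
```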

Dependencies

You may use any Ansible role to install the CFSSL binaries, but we recommend the following:

Example Playbook

You can also find role usage examples in the converge playbooks in the molecule/ directory. Here is another example:

- hosts: all
  become: true
  roles:
    - { role: andrewrothstein.cfssl }
    - { role: ansible-etcd-cluster-certificates }

And also requirements.yml:

- name: andrewrothstein.cfssl

- name: ansible-etcd-cluster-certificates
  scm: git
  src: https://github.com/cloud-labs-infra/ansible-etcd-cluster-certificates.git

License

Apache 2.0

Author Information

Cloud Labs shared roles

About

Ansible role for managing the set of SSL certificates for a multi-node ETCD cluster

Install: ansible-galaxy install cloudlabsinfra.etcd_cluster_certificates

Downloads: 600