diff --git a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
index ca28b537f..5b3b46edc 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_vault.yml
@@ -93,3 +93,29 @@
 issue_cert_mount_path: "{{ kube_vault_mount_path }}"
 with_items: "{{ kube_proxy_certs_needed|d([]) }}"
 when: inventory_hostname in groups['k8s-cluster']
+
+# Issue front proxy cert to kube-master hosts
+- include_tasks: ../../../vault/tasks/shared/issue_cert.yml
+ vars:
+ issue_cert_common_name: "front-proxy-client"
+ issue_cert_alt_names: "{{ kube_cert_alt_names }}"
+ issue_cert_file_group: "{{ kube_cert_group }}"
+ issue_cert_file_owner: kube
+ issue_cert_hosts: "{{ groups['kube-master'] }}"
+ issue_cert_ip_sans: >-
+ [
+ {%- for host in groups['kube-master'] -%}
+ "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
+ {%- if hostvars[host]['ip'] is defined -%}
+ "{{ hostvars[host]['ip'] }}",
+ {%- endif -%}
+ {%- endfor -%}
+ "127.0.0.1","::1","{{ kube_apiserver_ip }}"
+ ]
+ issue_cert_path: "{{ item }}"
+ issue_cert_role: front-proxy-client
+ issue_cert_url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}"
+ issue_cert_mount_path: "{{ kube_vault_mount_path }}"
+ with_items: "{{ kube_master_components_certs_needed|d([]) }}"
+ when: inventory_hostname in groups['kube-master']
+ notify: set secret_changed
diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
index 3e41cb00c..5c44dd80b 100644
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -162,3 +162,11 @@ vault_pki_mounts:
 allow_any_name: true
 enforce_hostnames: false
 organization: "system:node-proxier"
+ - name: front-proxy-client
+ group: k8s-cluster
+ password: "{{ lookup('password', 'credentials/vault/kube-proxy length=15') }}"
+ policy_rules: default
+ role_options:
+ allow_any_name: true
+ enforce_hostnames: false
+ organization: "system:front-proxy"
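Review bot: The new task requests `issue_cert_alt_names` and an `issue_cert_ip_sans` list covering every kube-master address for what is, by its common name and by the `system:front-proxy` organization in the companion defaults change, a client certificate; subject alternative names only matter when a peer verifies the presenter as a server, so the list appears to have been carried over from the server-cert tasks rather than chosen for this role. Issuing on the common name alone, with `issue_cert_alt_names` and `issue_cert_ip_sans` removed, keeps the credential minimal and also drops the dependency on `ansible_default_ipv4` being gathered for every master host, which otherwise makes the template fail. Separately, the same front-proxy-client certificate is written to every path in `kube_master_components_certs_needed`; that list is defined outside this hunk, so confirm it names only the front-proxy files, otherwise other master component certificates at those paths would be overwritten with this one.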
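Review bot: The new `front-proxy-client` mount reads its password from `credentials/vault/kube-proxy`, which the neighbouring kube-proxy entry presumably uses for its own credential, so the two Vault PKI roles would share one password and a leak of either exposes both; the path looks like a copy-paste leftover and should be `password: "{{ lookup('password', 'credentials/vault/front-proxy-client length=15') }}"`. The mount is also opened to `group: k8s-cluster` although the companion task issues this certificate only to hosts in `groups['kube-master']`; if `group` governs which hosts may request certificates from this mount, narrowing it to `group: kube-master` keeps worker nodes from obtaining front-proxy-client identities. `vault_pki_mounts` continues outside the hunk, so check the sibling entries for the same credential-path pattern.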