{"id":16777335,"url":"https://github.com/githubixx/ansible-role-kubernetes-ca","last_synced_at":"2025-08-31T20:10:29.301Z","repository":{"id":22402569,"uuid":"83592287","full_name":"githubixx/ansible-role-kubernetes-ca","owner":"githubixx","description":"Generates certificate authority and certificates needed for Kubernetes","archived":false,"fork":false,"pushed_at":"2024-01-11T22:01:50.000Z","size":70,"stargazers_count":19,"open_issues_count":4,"forks_count":15,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-10T20:53:09.140Z","etag":null,"topics":["ansible","ansible-role","ca","certificate","certificate-authority","etcd","kubernetes"],"latest_commit_sha":null,"homepage":"https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-certificate-authority/","language":"Jinja","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/githubixx.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-03-01T19:25:14.000Z","updated_at":"2024-12-09T13:11:52.000Z","dependencies_parsed_at":"2024-01-12T02:14:44.582Z","dependency_job_id":null,"html_url":"https://github.com/githubixx/ansible-role-kubernetes-ca","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/githubixx/ansible-role-kubernetes-ca","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubixx%2Fansible-role-kubernetes-ca","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubixx%2Fansible-role-kubernetes-ca/tags","releases_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubixx%2Fansible-role-kubernetes-ca/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubixx%2Fansible-role-kubernetes-ca/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/githubixx","download_url":"https://codeload.github.com/githubixx/ansible-role-kubernetes-ca/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/githubixx%2Fansible-role-kubernetes-ca/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273032934,"owners_count":25034067,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-31T02:00:09.071Z","response_time":79,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","ca","certificate","certificate-authority","etcd","kubernetes"],"created_at":"2024-10-13T07:24:24.817Z","updated_at":"2025-08-31T20:10:29.263Z","avatar_url":"https://github.com/githubixx.png","language":"Jinja","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ansible-role-kubernetes-ca\n\nThis role is used in [Kubernetes the not so hard way with Ansible - Certificate authority (CA)](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-certificate-authority/). 
It basically creates two CAs: One for `etcd` and one for Kubernetes components (needed to secure communication of the Kubernetes components). Besides the Kubernetes API server none of the Kubernetes components should have a need to communicate with the `etcd` cluster directly. For infrastructure components like [Cilium](https://cilium.io/) for K8s networking or [Traefik](https://traefik.io) for ingress it may make sense to reuse the already existing `etcd` cluster. For more information see [Kubernetes the not so hard way with Ansible - Certificate authority (CA)](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-certificate-authority/).\n\n## Versions\n\nI tag every release and try to stay with [semantic versioning](http://semver.org). If you want to use the role I recommend checking out the latest tag. The master branch is basically development while the tags mark stable releases. But in general I try to keep master in good shape too. A tag `12.0.0+1.28.5` means this is release `12.0.0` of this role and it's meant to be used with Kubernetes version \u003e= `1.28.5` (while normally it should work with basically any Kubernetes version \u003e= 1.18.0 but I tested it with the version tagged). If the role itself changes, `X.Y.Z` before `+` will increase. If the Kubernetes version changes, `X.Y.Z` after `+` will increase and the role patch version will increase as well (e.g. from `12.0.0` to `12.0.1`). 
This allows tagging bugfixes and new major versions of the role while it's still being developed for a specific Kubernetes release.\n\n## Changelog\n\n**Change history:**\n\nsee [CHANGELOG.md](https://github.com/githubixx/ansible-role-kubernetes-ca/blob/master/CHANGELOG.md)\n\n**Recent changes:**\n\n## 12.0.0+1.28.5\n\n### BREAKING\n\n- change default value of `k8s_controller_manager_sa_csr_cn` from `service-accounts` to `k8s-service-accounts`\n- change default value of `k8s_interface` from `tap0` to `eth0`\n- change default values of `ca_etcd_csr_cn`, `etcd_peer_csr_cn` and `etcd_client_csr_cn_prefix`\n- change default value of `k8s_apiserver_csr_cn` from `kubernetes` to `kube-apiserver`\n\n### OTHER CHANGES\n\n- remove tests directory\n- add `namespace` to `meta/main.yml`\n- update GitHub workflow\n- add important note to `k8s_apiserver_csr_cn` variable\n- `.ansible-lint`: remove `role-name`\n- remove `vars` directory\n\n### MOLECULE\n\n- remove `requirements.yml`\n- fix `ansible-lint` issues\n- use Ubuntu 22.04 for some VMs\n- change IPs from `192.168.10.0/24` to `172.16.10.0/24`\n- remove `etcd_cert_hosts` variable from `group_vars` (use default setting)\n- remove `role_name_check`\n- extend `verify.yml`\n- Molecule: rename role `harden-linux` to `harden_linux`\n\n## Requirements\n\nThis playbook needs the [CFSSL](https://github.com/cloudflare/cfssl) PKI toolkit binaries installed. You can use [ansible-role-cfssl](https://github.com/githubixx/ansible-role-cfssl) to install CFSSL locally on your machine. If you want to store the generated certificates and CAs locally or on a network share, specify the role variables below in `host_vars/localhost` or in `group_vars/all`, for example.\n\n## Role Variables\n\nThis playbook has quite a few variables, but that's mainly information needed for the certificates.\n\n```yaml\n# The directory where to store the certificates. 
By default this\n# will expand to user's LOCAL $HOME (the user that runs \"ansible-playbook ...\")\n# plus \"/k8s/certs\". That means if the user's $HOME directory is e.g.\n# \"/home/da_user\" then \"k8s_ca_conf_directory\" will have a value of\n# \"/home/da_user/k8s/certs\".\nk8s_ca_conf_directory: \"{{ '~/k8s/certs' | expanduser }}\"\n\n# Directory permissions for directory specified in \"k8s_ca_conf_directory\"\nk8s_ca_conf_directory_perm: \"0770\"\n\n# File permissions for certificates, csr, and so on\nk8s_ca_file_perm: \"0660\"\n\n# Owner of the certificate files (you should probably change this)\nk8s_ca_certificate_owner: \"root\"\n\n# Group to which the certificate files belong (you should probably change this)\nk8s_ca_certificate_group: \"root\"\n\n# Specifies Ansible's hosts group which contains all K8s controller\n# nodes (as specified in Ansible's \"hosts\" file).\nk8s_ca_controller_nodes_group: \"k8s_controller\"\n\n# As above but for the K8s etcd nodes.\nk8s_ca_etcd_nodes_group: \"k8s_etcd\"\n\n# As above but for the K8s worker nodes.\nk8s_ca_worker_nodes_group: \"k8s_worker\"\n\n# This role will include the IP address of the interface you specify here in\n# the etcd, kube-apiserver and kubelet certificate SAN (subject alternative name).\n# This is the interface where all the Kubernetes cluster services communicate\n# and should be an encrypted network. Some examples for interface names:\n# \"wg0\" (WireGuard), \"peervpn0\" (PeerVPN), \"eth0\", \"tap0\"\nk8s_interface: \"eth0\"\n\n# Expiry for etcd root certificate\nca_etcd_expiry: \"87600h\"\n\n# Certificate authority (CA) parameters for etcd certificates. 
This CA is used\n# to sign certificates used by etcd (like peer and server certificates) and\n# etcd clients (like \"Kube API Server\", \"Traefik\" and \"Cilium\" e.g.).\nca_etcd_csr_cn: \"etcd\"\nca_etcd_csr_key_algo: \"rsa\"\nca_etcd_csr_key_size: \"2048\"\nca_etcd_csr_names_c: \"DE\"\nca_etcd_csr_names_l: \"The_Internet\"\nca_etcd_csr_names_o: \"Kubernetes\"\nca_etcd_csr_names_ou: \"BY\"\nca_etcd_csr_names_st: \"Bayern\"\n\n# Expiry for Kubernetes API server root certificate\nca_k8s_apiserver_expiry: \"87600h\"\n\n# Certificate authority (CA) parameters for Kubernetes API server. The CA is\n# used to sign certificates for various Kubernetes services like Kubernetes API\n# server e.g.\nca_k8s_apiserver_csr_cn: \"Kubernetes\"\nca_k8s_apiserver_csr_key_algo: \"rsa\"\nca_k8s_apiserver_csr_key_size: \"2048\"\nca_k8s_apiserver_csr_names_c: \"DE\"\nca_k8s_apiserver_csr_names_l: \"The_Internet\"\nca_k8s_apiserver_csr_names_o: \"Kubernetes\"\nca_k8s_apiserver_csr_names_ou: \"BY\"\nca_k8s_apiserver_csr_names_st: \"Bayern\"\n\n# CSR parameter for etcd server certificate. The server certificate is used by\n# etcd server and verified by client for server identity (for example\n# \"Kubernetes API server\").\n# etcd parameter: --cert-file and --key-file\netcd_server_csr_cn: \"etcd-server\"\netcd_server_csr_key_algo: \"rsa\"\netcd_server_csr_key_size: \"2048\"\netcd_server_csr_names_c: \"DE\"\netcd_server_csr_names_l: \"The_Internet\"\netcd_server_csr_names_o: \"Kubernetes\"\netcd_server_csr_names_ou: \"BY\"\netcd_server_csr_names_st: \"Bayern\"\n\n# CSR parameter for etcd peer certificate. 
The peer certificate is used by etcd\n# cluster members as they communicate with each other in both ways.\n# etcd parameter: --peer-cert-file and --peer-key-file\netcd_peer_csr_cn: \"etcd-peer\"\netcd_peer_csr_key_algo: \"rsa\"\netcd_peer_csr_key_size: \"2048\"\netcd_peer_csr_names_c: \"DE\"\netcd_peer_csr_names_l: \"The_Internet\"\netcd_peer_csr_names_o: \"Kubernetes\"\netcd_peer_csr_names_ou: \"BY\"\netcd_peer_csr_names_st: \"Bayern\"\n\n# CSR parameter for etcd clients. One such client is \"kube-apiserver\" e.g.\n# and is defined in \"etcd_additional_clients\" variable (see below). All\n# certificates issued for etcd clients will use these parameters.\netcd_client_csr_cn_prefix: \"etcd-client\"\netcd_client_csr_key_algo: \"rsa\"\netcd_client_csr_key_size: \"2048\"\netcd_client_csr_names_c: \"DE\"\netcd_client_csr_names_l: \"The_Internet\"\netcd_client_csr_names_o: \"Kubernetes\"\netcd_client_csr_names_ou: \"BY\"\netcd_client_csr_names_st: \"Bayern\"\n\n# CSR parameter for Kubernetes API server certificate. Used to secure the\n# Kubernetes API server communication.\n#\n# NOTE: It's important that the values of \"ca_k8s_apiserver_csr_cn\" and\n# \"k8s_apiserver_csr_cn\" are different! Otherwise Python clients and libraries\n# like \"urllib3\" and \"requests\" might have connection issues with the https\n# endpoint of \"kube-apiserver\". 
For more details see:\n# https://www.tauceti.blog/posts/kubernetes-the-not-so-hard-way-with-ansible-certificate-authority/\nk8s_apiserver_csr_cn: \"k8s-apiserver\"\nk8s_apiserver_csr_key_algo: \"rsa\"\nk8s_apiserver_csr_key_size: \"2048\"\nk8s_apiserver_csr_names_c: \"DE\"\nk8s_apiserver_csr_names_l: \"The_Internet\"\nk8s_apiserver_csr_names_o: \"Kubernetes\"\nk8s_apiserver_csr_names_ou: \"BY\"\nk8s_apiserver_csr_names_st: \"Bayern\"\n\n# CSR parameter for the admin user (used for the admin user and which \"kubectl\"\n# will use).\nk8s_admin_csr_cn: \"admin\"\nk8s_admin_csr_key_algo: \"rsa\"\nk8s_admin_csr_key_size: \"2048\"\nk8s_admin_csr_names_c: \"DE\"\nk8s_admin_csr_names_l: \"The_Internet\"\nk8s_admin_csr_names_o: \"system:masters\" # DO NOT CHANGE!\nk8s_admin_csr_names_ou: \"BY\"\nk8s_admin_csr_names_st: \"Bayern\"\n\n# CSR parameter for kubelet client certificates. The `kubelet` process\n# (a.k.a. Kubernetes worker) also needs to authenticate itself against the\n# API server. These variables are used to create the CSR file which in turn\n# is used to create the `kubelet` certificate. 
Kubernetes uses a special-purpose\n# authorization mode (https://kubernetes.io/docs/admin/authorization/node/)\n# called \"Node Authorizer\", that specifically authorizes API requests made by\n# kubelets (https://kubernetes.io/docs/concepts/overview/components/#kubelet).\n# In order to be authorized by the \"Node Authorizer\", Kubelets must use a\n# credential that identifies them as being in the `system:nodes` group,\n# with a username of `system:node:\u003cnodeName\u003e`\nk8s_worker_csr_key_algo: \"rsa\"\nk8s_worker_csr_key_size: \"2048\"\nk8s_worker_csr_names_c: \"DE\"\nk8s_worker_csr_names_l: \"The_Internet\"\nk8s_worker_csr_names_o: \"system:nodes\" # DO NOT CHANGE!\nk8s_worker_csr_names_ou: \"BY\"\nk8s_worker_csr_names_st: \"Bayern\"\n\n# CSR parameter for the kube-proxy client certificate\nk8s_kube_proxy_csr_cn: \"system:kube-proxy\" # DO NOT CHANGE!\nk8s_kube_proxy_csr_key_algo: \"rsa\"\nk8s_kube_proxy_csr_key_size: \"2048\"\nk8s_kube_proxy_csr_names_c: \"DE\"\nk8s_kube_proxy_csr_names_l: \"The_Internet\"\nk8s_kube_proxy_csr_names_o: \"system:node-proxier\" # DO NOT CHANGE!\nk8s_kube_proxy_csr_names_ou: \"BY\"\nk8s_kube_proxy_csr_names_st: \"Bayern\"\n\n# CSR parameter for the kube-scheduler client certificate\nk8s_scheduler_csr_cn: \"system:kube-scheduler\" # DO NOT CHANGE!\nk8s_scheduler_csr_key_algo: \"rsa\"\nk8s_scheduler_csr_key_size: \"2048\"\nk8s_scheduler_csr_names_c: \"DE\"\nk8s_scheduler_csr_names_l: \"The_Internet\"\nk8s_scheduler_csr_names_o: \"system:kube-scheduler\" # DO NOT CHANGE!\nk8s_scheduler_csr_names_ou: \"BY\"\nk8s_scheduler_csr_names_st: \"Bayern\"\n\n# CSR parameter for the kube-controller-manager client certificate\nk8s_controller_manager_csr_cn: \"system:kube-controller-manager\" # DO NOT CHANGE!\nk8s_controller_manager_csr_key_algo: \"rsa\"\nk8s_controller_manager_csr_key_size: \"2048\"\nk8s_controller_manager_csr_names_c: \"DE\"\nk8s_controller_manager_csr_names_l: \"The_Internet\"\nk8s_controller_manager_csr_names_o: 
\"system:kube-controller-manager\" # DO NOT CHANGE!\nk8s_controller_manager_csr_names_ou: \"BY\"\nk8s_controller_manager_csr_names_st: \"Bayern\"\n\n# CSR parameter for kube-controller-manager service account key pair.\n# The \"kube-controller-manager\" leverages a key pair to generate and sign\n# service account tokens as described in the managing service accounts\n# documentation: https://kubernetes.io/docs/admin/service-accounts-admin/\n# Hint: Think twice if you want to change this key pair for a K8s cluster\n# that has already pods deployed. The private key will be used to sign\n# generated service account tokens. The public key will be used to verify\n# the tokens during authentication. So if you have pods running e.g. with\n# the `default` service account and you roll out a new key pair the \"Token\n# Controller\" (https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#token-controller)\n# which is part of the controller manager won't be able to verify the\n# already existing service accounts anymore. So this might cause trouble\n# for your running pods.\nk8s_controller_manager_sa_csr_cn: \"k8s-service-accounts\"\nk8s_controller_manager_sa_csr_key_algo: \"rsa\"\nk8s_controller_manager_sa_csr_key_size: \"2048\"\nk8s_controller_manager_sa_csr_names_c: \"DE\"\nk8s_controller_manager_sa_csr_names_l: \"The_Internet\"\nk8s_controller_manager_sa_csr_names_o: \"Kubernetes\"\nk8s_controller_manager_sa_csr_names_ou: \"BY\"\nk8s_controller_manager_sa_csr_names_st: \"Bayern\"\n\n# Add additional etcd hosts that should be included in the certificates SAN.\n# The task \"Generate list of IP addresses and hostnames needed for etcd certificate\"\n# in this role will automatically add the hostname, the fully qualified domain name\n# (FQDN), the internal IP address and the VPN IP address (e.g. 
the WireGuard IP)\n# of your etcd hosts to a list which is needed to create the certificate.\n# But \"127.0.0.1\" and \"localhost\" should be included too.\n#\n# If you plan to expand your etcd cluster from 3 to 5 hosts later e.g. and know the\n# hostname, the fully qualified domain name (FQDN), the internal IP address and\n# esp. the VPN IP address (e.g. the WireGuard IP) of those hosts upfront then add\n# them here too. This will save you a lot of work later as you don't need to\n# change the certificate files of the already running etcd daemons.\netcd_cert_hosts:\n  - 127.0.0.1\n  - localhost\n\n# For \"k8s_apiserver_cert_hosts\" the same is basically true as with\n# `etcd_cert_hosts` but we also include the Kubernetes service IP `10.32.0.1`\n# (which you will get btw if you execute `nslookup kubernetes` later in one\n# of the pods). We also include \"127.0.0.1\" and \"localhost\" and we include\n# some Kubernetes hostnames that are available by default if \"CoreDNS\"\n# is deployed.\nk8s_apiserver_cert_hosts:\n  - localhost\n  - 127.0.0.1\n  - 10.32.0.1\n  - kubernetes\n  - kubernetes.default\n  - kubernetes.default.svc\n  - kubernetes.default.svc.cluster\n  - kubernetes.default.svc.cluster.local\n\n# This list should contain all etcd clients that want to connect to the etcd\n# cluster. The most important client is \"kube-apiserver\" of course. So you\n# definitely want to keep \"k8s-apiserver-etcd\" in this list.\n# If other clients like \"Traefik\" or \"Cilium\" should also be able to connect\n# to the Kubernetes etcd cluster and store their state there further client\n# certificates can be issued. So if \"Traefik\" and \"Cilium\" should be able to\n# connect to the etcd cluster via TLS the list would look like this:\n#\n# etcd_additional_clients:\n#   - k8s-apiserver-etcd\n#   - traefik\n#   - cilium\n#\n# This will generate additional files in the directory specified in \n# \"k8s_ca_conf_directory\" variable e.g. 
\"cert-traefik*\" and \"cert-cilium*\".\n# So instead of running a separate etcd cluster for \"Traefik\" and/or\n# \"Cilium\" the already running etcd cluster for Kubernetes can be used in\n# this case.\n#\netcd_additional_clients:\n  - k8s-apiserver-etcd\n```\n\n## Example Playbook\n\n```yaml\n- hosts: k8s_ca\n\n  roles:\n    - githubixx.kubernetes_ca\n```\n\n## License\n\nGNU GENERAL PUBLIC LICENSE Version 3\n\n## Author Information\n\n[http://www.tauceti.blog](http://www.tauceti.blog)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithubixx%2Fansible-role-kubernetes-ca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgithubixx%2Fansible-role-kubernetes-ca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgithubixx%2Fansible-role-kubernetes-ca/lists"}