Learning Ansible by Example: Creating Certificates

This article shows how to create the basic certificates for a cluster with Ansible.

Ansible basics used:

  • the template module renders the certificate CSR files
  • the copy module copies files and sets their permissions
  • the shell module runs commands

Certificate basics used

Certificates are created with cfssl. The example environment mainly creates the following:

  • CA certificate
  • CA config file: defines the etcd and kubernetes profiles as shared signing configuration
  • etcd certificate
  • k8s certificate
  • admin certificate
  • controller-manager certificate
  • scheduler certificate

Example code

## create ca config for etcd and k8s profiles
- name: create ca config for etcd and k8s profile
  template:
    src: "{{ var_template_ca_config }}"
    dest: "{{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_config }}"
  tags:
    - "cert"

- name: create csr file for ca
  template:
    src: "{{ var_template_ca_csr }}"
    dest: "{{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_csr }}"
  tags:
    - "cert"

- name: create csr file for etcd
  template:
    src: "{{ var_template_etcd_csr }}"
    dest: "{{ var_ssl_etcd_dir }}/{{ var_ssl_file_etcd_csr }}"
  tags:
    - "cert"

- name: create csr file for k8s
  template:
    src: "{{ var_template_k8s_csr }}"
    dest: "{{ var_ssl_k8s_dir }}/{{ var_ssl_file_k8s_csr }}"
  tags:
    - "cert"

- name: create csr file for k8s controller manager
  template:
    src: "{{ var_template_k8scm_csr }}"
    dest: "{{ var_ssl_k8s_dir }}/{{ var_ssl_file_k8scm_csr }}"
  tags:
    - "cert"

- name: create csr file for k8s scheduler
  template:
    src: "{{ var_template_k8sch_csr }}"
    dest: "{{ var_ssl_k8s_dir }}/{{ var_ssl_file_k8sch_csr }}"
  tags:
    - "cert"

- name: create csr file for k8s admin
  template:
    src: "{{ var_template_admin_csr }}"
    dest: "{{ var_ssl_k8s_dir }}/{{ var_ssl_file_admin_csr }}"
  tags:
    - "cert"

## the CA is self-signed with -initca; the etcd certificate is then signed with the etcd profile
- name: create ca certificate
  shell: "cd {{ var_ssl_ca_dir }} \
          && cfssl gencert -initca {{ var_ssl_file_ca_csr }} | cfssljson -bare ca - \
          && cd {{ var_ssl_etcd_dir }} \
          && cfssl gencert -ca={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_pem }} -ca-key={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_key }} -config={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_config }} -profile={{ var_ssl_profile_etcd }} {{ var_ssl_file_etcd_csr }} | cfssljson -bare {{ var_ssl_etcd_cert_prefix }}"
  tags:
    - "cert"

## apiserver, controller-manager, scheduler and admin certificates all use the kubernetes profile
- name: create kubernetes certificate
  shell: "cd {{ var_ssl_k8s_dir }} \
          && cfssl gencert -ca={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_pem }} -ca-key={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_key }} -config={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_config }} -profile={{ var_ssl_profile_k8s }} {{ var_ssl_file_k8s_csr }} | cfssljson -bare {{ var_ssl_k8s_cert_prefix }} \
          && cfssl gencert -ca={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_pem }} -ca-key={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_key }} -config={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_config }} -profile={{ var_ssl_profile_k8s }} {{ var_ssl_file_k8scm_csr }} | cfssljson -bare {{ var_ssl_k8scm_cert_prefix }} \
          && cfssl gencert -ca={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_pem }} -ca-key={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_key }} -config={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_config }} -profile={{ var_ssl_profile_k8s }} {{ var_ssl_file_k8sch_csr }} | cfssljson -bare {{ var_ssl_k8sch_cert_prefix }} \
          && cfssl gencert -ca={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_pem }} -ca-key={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_key }} -config={{ var_ssl_ca_dir }}/{{ var_ssl_file_ca_config }} -profile={{ var_ssl_profile_k8s }} {{ var_ssl_file_admin_csr }} | cfssljson -bare {{ var_ssl_admin_cert_prefix }}"
  tags:
    - "cert"
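The file rendered from var_template_ca_config in the first task is a cfssl ca-config.json; its etcd and kubernetes profiles decide the key usages and lifetime of every certificate the later tasks sign. As an added check that is not part of the article or the easypack repository, this Python audits a constructed sample of such a file: it parses cfssl's Go-style expiry durations and reports a profile that lacks the usages it needs or exceeds a maximum lifetime. The sample values, the required-usage map and the 8760h limit are assumptions.

```python
import json
import re

# Constructed sample of a cfssl ca-config.json with the etcd and kubernetes
# profiles the article describes; values are illustrative, not the author's.
SAMPLE_CA_CONFIG = """{"signing": {"default": {"expiry": "87600h"},
  "profiles": {
    "etcd": {"expiry": "87600h",
             "usages": ["signing", "key encipherment", "server auth", "client auth"]},
    "kubernetes": {"expiry": "87600h",
                   "usages": ["signing", "key encipherment", "server auth"]}}}}"""

# cfssl expiry values are Go duration strings such as "8760h" or "1h30m".
_DURATION = re.compile(r"(\d+)([hms])")
_UNIT_HOURS = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}

def parse_expiry_hours(expiry):
    """Convert a Go duration string to hours; reject anything malformed."""
    pos, total = 0, 0.0
    for m in _DURATION.finditer(expiry):
        if m.start() != pos:
            raise ValueError(f"bad duration: {expiry!r}")
        total += int(m.group(1)) * _UNIT_HOURS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(expiry):
        raise ValueError(f"bad duration: {expiry!r}")
    return total

def check_profile(name, profile, required, max_hours):
    """Findings for one signing profile (an empty list means it passed)."""
    findings = []
    missing = sorted(set(required) - set(profile.get("usages", [])))
    if missing:
        findings.append(f"{name}: missing usages {missing}")
    hours = parse_expiry_hours(profile.get("expiry", "0h"))
    if hours > max_hours:
        findings.append(f"{name}: expiry {hours:.0f}h exceeds {max_hours}h")
    return findings

def audit_ca_config(text, max_hours=8760):
    """Audit every profile in a cfssl ca-config.json and return all findings."""
    signing = json.loads(text)["signing"]
    # Assumed policy: etcd certs serve peer and client traffic, and the single
    # kubernetes profile is reused for both server and client certificates.
    required = {"etcd": ["server auth", "client auth"],
                "kubernetes": ["server auth", "client auth"]}
    findings = []
    for name, profile in signing.get("profiles", {}).items():
        findings += check_profile(name, profile, required.get(name, []), max_hours)
    return findings
```

Run it against the real ca-config.json before the playbook's shell tasks sign anything; the sample above yields three findings (two ten-year expiries and a kubernetes profile without client auth).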

Execution example

[root@host131 ansible]# ansible-playbook prepare/tests/test.yml --tag="cert"

PLAY [localhost] ************************************************************************************************************************************

TASK [prepare : create ca config for etcd and k8s profile] ******************************************************************************************
changed: [localhost]

TASK [prepare : create csr file for ca] *************************************************************************************************************
changed: [localhost]

TASK [prepare : create csr file for etcd] ***********************************************************************************************************
changed: [localhost]

TASK [prepare : create csr file for k8s] ************************************************************************************************************
changed: [localhost]

TASK [prepare : create csr file for k8s controller manager] *****************************************************************************************
changed: [localhost]

TASK [prepare : create csr file for k8s scheduler] **************************************************************************************************
changed: [localhost]

TASK [prepare : create csr file for k8s admin] ******************************************************************************************************
changed: [localhost]

TASK [prepare : create ca certificate] **************************************************************************************************************
changed: [localhost]

TASK [prepare : create kubernetes certificate] ******************************************************************************************************
changed: [localhost]

PLAY RECAP ******************************************************************************************************************************************
localhost                  : ok=9    changed=9    unreachable=0    failed=0   

[root@host131 ansible]# 

Ansible vs. shell

For a comparison with the shell-script approach see the link below. The examples in this series focus on how the same functionality is implemented with Ansible; the detailed Kubernetes-related settings are covered at:

  • https://liumiaocn.blog.csdn.net/article/details/88755820

Code path

  • https://github.com/liumiaocn/easypack/tree/master/k8s/ansible

Other Ansible content

  • https://liumiaocn.blog.csdn.net/article/details/87273800
