- change default value of `k8s_controller_manager_sa_csr_cn` from `service-accounts` to `k8s-service-accounts`
- change default value of `k8s_interface` from `tap0` to `eth0`
- change default values of `ca_etcd_csr_cn`, `etcd_peer_csr_cn` and `etcd_client_csr_cn_prefix`
- change default value of `k8s_apiserver_csr_cn` from `kubernetes` to `kube-apiserver`
- remove `tests` directory
- add `namespace` to `meta/main.yml`
- update Github workflow
- add important note to `k8s_apiserver_csr_cn` variable
- `.ansible-lint`: remove `role-name`
- remove `vars` directory
- remove `handlers` directory
- remove `files` directory
- remove `requirements.yml`
- fix `ansible-lint` issues
- use Ubuntu 22.04 for some VMs
- change IPs from `192.168.10.0/24` to `172.16.10.0/24`
- remove `etcd_cert_hosts` variable from `group_vars` (use default setting)
- remove `role_name_check`
- extend `verify.yml`
- Molecule: rename role `harden-linux` to `harden_linux`
- BREAKING: `meta/main.yml`: change `role_name` from `kubernetes-ca` to `kubernetes_ca`. Ansible Galaxy has required this naming for quite some time, but the requirement was introduced after this role already existed. So please update the name of the role in your playbook accordingly!
- rename `githubixx.kubernetes-ca` to `githubixx.kubernetes_ca`
- `molecule/default/requirements.yml`: remove `githubixx.kubernetes_ca`
- `meta/main.yml`: added `role_name`
- added support for Ubuntu 22.04
- removed support for Ubuntu 16.04 and 18.04 (reached EOL)
- add Molecule test
- add `.ansible-lint`
- add `.yamllint`
- add Github workflow
- increase `min_ansible_version` from `2.8` to `2.9`
- rename internal variable `workerHost` to `worker_host`
- rename internal variable `etcdHosts` to `etcd_hosts`
- rename internal variable `k8sApiHosts` to `k8s_api_hosts`
- fix `ansible-lint` issues (use Ansible FQCN module names)
- split etcd profiles into `server`, `peer` and `client`. This makes it possible to have separate certificate files for `etcd`. E.g. the TLS parameters for `etcd` now look like this:

  ```
  --cert-file=cert-etcd-server.pem
  --key-file=cert-etcd-server-key.pem
  --trusted-ca-file=ca-etcd.pem
  --peer-cert-file=cert-etcd-peer.pem
  --peer-key-file=cert-etcd-peer-key.pem
  --peer-trusted-ca-file=ca-etcd.pem
  ```

  Before this change `cert-file`, `key-file`, `peer-cert-file` and `peer-key-file` used the same certificate files. This change also makes it possible to create certificate files for `etcd` clients like Traefik, Cilium and so on, so that they can use the same TLS-enabled `etcd` server. As `kube-apiserver` is also an `etcd` client, this change also introduced separate certificate files for it, e.g.:

  ```
  --etcd-cafile=ca-etcd.pem
  --etcd-certfile=cert-k8s-apiserver-etcd.pem
  --etcd-keyfile=cert-k8s-apiserver-etcd-key.pem
  ```
- add `localhost` to `etcd_cert_hosts` and `k8s_apiserver_cert_hosts` variables
- rename `etcd_csr_*` variables to `etcd_server_csr_*`
- introduce `etcd_peer_csr_*` variables (see README for more information)
- introduce `etcd_client_csr_*` variables (see README for more information)
- introduce `etcd_additional_clients` variable (see README for more information)
- add Ubuntu 20.04 as supported platform
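The practical consequence of the server/peer/client split above is that each file set must carry the right extended key usage: a server certificate needs serverAuth, a peer certificate needs both serverAuth and clientAuth (etcd members both accept and initiate peer connections), and a client certificate such as the one kube-apiserver presents needs clientAuth only. The script below is an added example and not part of the role or its Molecule tests: it builds a throwaway etcd CA with openssl, issues one file set per profile under the file names used in the flags above, and checks chain, EKU and the `localhost` SAN the way an operator should before pointing etcd or kube-apiserver at the files. The CN values, the `172.16.10.10` address and the scratch directory are assumptions made for the example; it only needs `openssl` on the PATH.

```sh
#!/bin/sh
# Added example, not code from the githubixx.kubernetes_ca role: create a
# throwaway etcd CA and one certificate per profile (server, peer, client),
# then verify each file the way an operator should before using it.
# CN values, the 172.16.10.10 address and the EKU mapping are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; every file is created in here
cd "$WORK"

# Extension profile per role, mirroring the server/peer/client split:
# server -> serverAuth only, peer -> serverAuth and clientAuth, client -> clientAuth only.
ext_for() {
  case "$1" in
    server) echo "extendedKeyUsage=serverAuth" ;;
    peer)   echo "extendedKeyUsage=serverAuth,clientAuth" ;;
    client) echo "extendedKeyUsage=clientAuth" ;;
    *)      echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# issue_cert <profile> <basename> <CN> [SAN list] -> <basename>.pem and <basename>-key.pem
issue_cert() {
  profile=$1; base=$2; cn=$3; sans=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -keyout "${base}-key.pem" \
    -subj "/CN=${cn}" -out "${base}.csr" 2>/dev/null
  {
    echo "keyUsage=digitalSignature,keyEncipherment"
    ext_for "$profile"
    if [ -n "$sans" ]; then echo "subjectAltName=${sans}"; fi
  } > "${base}.ext"
  openssl x509 -req -in "${base}.csr" -CA ca-etcd.pem -CAkey ca-etcd-key.pem \
    -CAcreateserial -days 1 -extfile "${base}.ext" -out "${base}.pem" 2>/dev/null
  rm -f "${base}.csr" "${base}.ext"
}

# verify_chain <cert>: exit 0 if the certificate chains to ca-etcd.pem
verify_chain() { openssl verify -CAfile ca-etcd.pem "$1" >/dev/null 2>&1; }

# eku_of <cert>: print the EKU names, e.g. "TLS Web Server Authentication, TLS Web Client Authentication"
eku_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# cert_allows <server|client> <cert>: exit 0 if the certificate may act in that TLS role
cert_allows() {
  case "$1" in
    server) eku_of "$2" | grep -q 'TLS Web Server Authentication' ;;
    client) eku_of "$2" | grep -q 'TLS Web Client Authentication' ;;
    *)      return 1 ;;
  esac
}

# san_has <entry> <cert>: exit 0 if <entry> (e.g. DNS:localhost) is in the SAN list
san_has() {
  openssl x509 -in "$2" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "$1"
}

# 1. Throwaway CA ("req -x509" marks it CA:TRUE).
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca-etcd-key.pem \
  -subj "/CN=etcd-ca" -days 1 -out ca-etcd.pem 2>/dev/null

# 2. One file set per profile, named as in the etcd / kube-apiserver flags.
#    Server and peer certificates carry localhost plus a constructed node IP.
issue_cert server cert-etcd-server        etcd-server "DNS:localhost,IP:127.0.0.1,IP:172.16.10.10"
issue_cert peer   cert-etcd-peer          etcd-peer   "DNS:localhost,IP:127.0.0.1,IP:172.16.10.10"
issue_cert client cert-k8s-apiserver-etcd kube-apiserver-etcd-client

# 3. Report chain validity, EKU and whether localhost is in the SAN list.
for f in cert-etcd-server cert-etcd-peer cert-k8s-apiserver-etcd; do
  chain=$(verify_chain "$f.pem" && echo ok || echo FAIL)
  san=$(san_has 'DNS:localhost' "$f.pem" && echo yes || echo no)
  printf '%-25s chain=%s localhost-san=%s eku=%s\n' "$f.pem" "$chain" "$san" "$(eku_of "$f.pem")"
done
echo "files left in $WORK"
```

Run the same `cert_allows` and `san_has` checks against the files the role writes into `k8s_ca_conf_directory`; a peer certificate that lacks clientAuth, or a server certificate missing `DNS:localhost`, is exactly the kind of mismatch that only shows up later as a TLS handshake failure between etcd members or from `kube-apiserver`.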
- increase minimum required Ansible version to 2.8
- deleted old tags not compatible with Ansible Galaxy:

  ```
  r1.0.0_v1.6.0
  r1.0.1_v1.8.0
  r3.0.0_v1.8.4
  r4.0.0_v1.8.4
  r4.0.1_v1.8.4
  r4.0.1_v1.9.3
  r4.0.1_v1.9.8
  r5.0.0_v1.10.4
  r6.0.0_v1.10.4
  ```

  These versions are outdated anyway.
- introduced a few new variables: `k8s_ca_conf_directory_perm`, `k8s_ca_file_perm`, `k8s_ca_controller_nodes_group`, `k8s_ca_etcd_nodes_group`, `k8s_ca_worker_nodes_group`. Values were previously hard coded. They can be adjusted now.
- added `kubernetes.default.svc.cluster` to `k8s_apiserver_cert_hosts`
- removed worker hostnames and IPs from kube-apiserver certificate. They are not needed here.
- better formatting of shell scripts in `.yaml` files.
- gather facts of K8s hosts as first task
- use correct semantic versioning as described in semver. Needed for Ansible Galaxy importer as it now insists on using semantic versioning.
- moved changelog entries to separate file
- make Ansible linter happy
- no major changes but decided to start a new major release as versioning scheme changed quite heavily
- support Ubuntu 18.04
- Remove PeerVPN dependency when generating certificates (use `k8s_interface` variable instead of `peervpn_conf_interface`). Previously the value of the `peervpn_conf_interface` variable was used and added to the certificate. Now the `k8s_interface` variable is used instead. For almost all people this change shouldn't have any effect because the values of both variables should have been the same. If not, check whether the generated certificates are OK for you. The reason for this change is to allow the usage of a different VPN solution like WireGuard.
- always gather facts as first task
- update README
- Implemented changes needed for Kubernetes v1.10.x.
- Renamed certificate files `cert-kube-proxy*` -> `cert-k8s-proxy*` to be in line with the other certificate file names
- Added `k8s_controller_manager_csr_*` variables for kube-controller-manager client certificate
- Added `k8s_scheduler_csr_*` variables for kube-scheduler client certificate
- No changes. Just added Git tag for Kubernetes v1.9.8 to be in line with controller and worker roles.
- No changes. Just added Git tag for Kubernetes v1.9.3 to be in line with controller and worker roles.
- Changed default of `k8s_ca_conf_directory` to `{{ '~/k8s/certs' | expanduser }}`. By default this expands to the LOCAL `$HOME` of the user that runs `ansible-playbook` plus `/k8s/certs`. That means if the user's `$HOME` directory is e.g. `/home/da_user` then `k8s_ca_conf_directory` will have a value of `/home/da_user/k8s/certs`. As the user normally has write access to his `$HOME` directory we don't rely on the parent directory permissions if we deploy the role without root permissions. If you defined this variable with a different value before this change then you don't need to bother about this change.
- include worker node names/IPs into CSR (certificate signing request) for kube-apiserver certificate
- renamed `cfssl_*` variables to `k8s_ca_*`
- change defaults for key algorithms and sizes to match settings in "Kubernetes the not so hard way with Ansible - Certificate authority (CA)"
- added admin client certificate
- added kubelet client certificates used in Kubernetes 1.7/1.8
- added kube-proxy client certificate used in Kubernetes 1.7/1.8
- Hostname, FQDN, internal IP and PeerVPN IP of all controller hosts are now added automatically to the Kubernetes API server certificate
- Hostname, FQDN, internal IP and PeerVPN IP of every worker host are now added automatically to the worker certificate
- Initial Ansible role.