
User management

---
# Issues an X.509 client identity for one user, writes it into a kubeconfig,
# and confines that user to a single namespace (ClusterRole + RoleBinding).
- hosts: all
  vars:
    # Directory for the generated client.key/.csr/.crt and for the CA
    # material (ca.crt/ca.key) the signing task reads.
    # NOTE(review): the published page shows this prefix stripped from the
    # openssl paths ("/client.key") — confirm the tasks actually use it.
    certs_path: "/home/aike/.certs"
    # Presumably the admin kubeconfig used by the kubernetes.core.k8s tasks
    # (the page shows their kubeconfig values as "") — confirm.
    kubeconfig_root: "/home/aike/.kube/config.root"
    # Presumably where the user kubeconfig is written and whose absence gates
    # the key/CSR/signing tasks (the stat path shows as "") — confirm.
    kubeconfig_user: "/home/aike/.kube/config"
    # Kubernetes User subject of the RoleBinding; must equal the CSR's CN.
    username: "dev-team"
    # The one namespace the RoleBinding scopes the user to.
    namespace: "test2000"
    # API server endpoint; presumably written into the kubeconfig's
    # cluster.server (shown as "" on the page). Hard-coded public IP —
    # an inventory/host var would keep it out of the play.
    k8s_address: "https://135.181.98.69:16443"

  tasks:
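    # Gate for the key/CSR/signing tasks below: they run only while this
    # file is absent, so re-runs on a provisioned host do not re-issue certs.
    # NOTE(review): the published page shows path: "" — the templated value
    # was stripped; reconstructed as the user kubeconfig path. Confirm.
    - name: Check if there is a kubeconfig
      ansible.builtin.stat:
        path: "{{ kubeconfig_user }}"
      register: kubeconfig_stat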

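    # NOTE(review): kubeconfig/name were stripped to "" on the published
    # page; reconstructed from the play vars (admin kubeconfig, target
    # namespace) — confirm against the source playbook.
    - name: Create namespace
      kubernetes.core.k8s:
        api_version: v1
        kind: Namespace
        state: present
        kubeconfig: "{{ kubeconfig_root }}"
        # Verify the API server against the cluster CA rather than turning
        # TLS verification off (verify_ssl: false) on a request that carries
        # admin credentials; the other k8s tasks in this play already verify.
        # Assumes ca.crt lives under certs_path like the signing task's inputs.
        ca_cert: "{{ certs_path }}/ca.crt"
        name: "{{ namespace }}"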

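    # umask 077 keeps the key file owner-only from the moment it is created,
    # and creates: leaves an existing key untouched so a partial re-run cannot
    # silently replace the key behind an already-signed certificate.
    # NOTE(review): the certs_path prefix was stripped to "" on the published
    # page and is reconstructed here — confirm.
    - name: Generate private key
      ansible.builtin.shell:
        cmd: umask 077 && openssl genrsa -out "{{ certs_path }}/client.key" 2048
        creates: "{{ certs_path }}/client.key"
      when: not kubeconfig_stat.stat.exists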

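    # The CN is the identity Kubernetes authenticates; it is taken from
    # `username` so it cannot drift from the RoleBinding subject (the original
    # hard-coded "dev-team" here). No shell features are needed, so the plain
    # command module is used; creates: makes the task idempotent.
    # NOTE(review): certs_path prefix reconstructed (stripped on the page).
    - name: Generate certificate signing request (CSR)
      ansible.builtin.command:
        cmd: >-
          openssl req -new -key "{{ certs_path }}/client.key"
          -out "{{ certs_path }}/client.csr" -subj "/CN={{ username }}"
        creates: "{{ certs_path }}/client.csr"
      when: not kubeconfig_stat.stat.exists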

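    # Signs directly with the cluster CA key (ca.key must be readable on this
    # host), bypassing the certificates.k8s.io CSR/approval flow, so there is
    # no approval record. Kubernetes has no revocation for client certs, so
    # the 999-day lifetime is the only expiry control — keep it as short as
    # the team can tolerate and protect ca.key accordingly.
    # NOTE(review): certs_path prefix reconstructed (stripped on the page).
    - name: Sign the CSR with the Kubernetes CA
      ansible.builtin.command:
        cmd: >-
          openssl x509 -req -in "{{ certs_path }}/client.csr"
          -CA "{{ certs_path }}/ca.crt" -CAkey "{{ certs_path }}/ca.key"
          -CAcreateserial -out "{{ certs_path }}/client.crt" -days 999
        creates: "{{ certs_path }}/client.crt"
      when: not kubeconfig_stat.stat.exists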

#    - name: Read certificate files into variables
#      set_fact:
#        ca_crt_content_b64: ""
#        client_crt_content_b64: ""
#        client_key_content_b64: ""

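    # Supersedes the commented-out set_fact above: the files were produced on
    # the managed host by the openssl tasks, so they are read there with slurp
    # (a file lookup would read the controller). slurp returns base64, which
    # is exactly what the kubeconfig *-data fields expect.
    - name: Read cluster CA certificate
      ansible.builtin.slurp:
        src: "{{ certs_path }}/ca.crt"
      register: ca_crt

    - name: Read client certificate
      ansible.builtin.slurp:
        src: "{{ certs_path }}/client.crt"
      register: client_crt

    - name: Read client private key
      ansible.builtin.slurp:
        src: "{{ certs_path }}/client.key"
      register: client_key
      no_log: true  # private key material must not reach logs/callbacks

    # NOTE(review): every templated value in this kubeconfig was stripped to
    # "" or "-context" on the published page and is reconstructed from the
    # play vars — confirm against the source playbook.
    - name: Set up kubeconfig for new user
      ansible.builtin.copy:
        dest: "{{ kubeconfig_user }}"
        mode: "0600"  # embeds the client key; owner-only, like ~/.kube/config
        content: |
          apiVersion: v1
          kind: Config
          clusters:
          - cluster:
              certificate-authority-data: "{{ ca_crt.content }}"
              server: "{{ k8s_address }}"
            name: kubernetes
          contexts:
          - context:
              cluster: kubernetes
              user: "{{ username }}"
              namespace: "{{ namespace }}"
            name: "{{ username }}-context"
          current-context: "{{ username }}-context"
          users:
          - name: "{{ username }}"
            user:
              client-certificate-data: "{{ client_crt.content }}"
              client-key-data: "{{ client_key.content }}"
      no_log: true  # content carries the private key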

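    # NOTE(review): kubeconfig/name were stripped on the published page;
    # reconstructed from the play vars — confirm.
    - name: Create ClusterRole
      kubernetes.core.k8s:
        kubeconfig: "{{ kubeconfig_root }}"
        state: present
        definition:
          apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
          metadata:
            name: "{{ username }}-role"
          rules:
            # The original listed deployments under the core ("") group,
            # where they do not exist, so that part of the grant was a no-op.
            # Deployments live in the "apps" group and get their own rule.
            - apiGroups: [""]
              resources: ["pods", "services"]
              verbs: ["get", "list", "watch", "create", "update", "delete"]
            - apiGroups: ["apps"]
              resources: ["deployments"]
              verbs: ["get", "list", "watch", "create", "update", "delete"]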

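    # Binding a ClusterRole through a RoleBinding scopes the grant to this one
    # namespace; the subject name must equal the certificate CN (username).
    # NOTE(review): templated values were stripped on the published page and
    # are reconstructed from the play vars — confirm.
    - name: Create RoleBinding
      kubernetes.core.k8s:
        kubeconfig: "{{ kubeconfig_root }}"
        state: present
        definition:
          apiVersion: rbac.authorization.k8s.io/v1
          kind: RoleBinding
          metadata:
            name: "{{ username }}-role-binding"
            namespace: "{{ namespace }}"
          subjects:
            - kind: User
              name: "{{ username }}"
              apiGroup: rbac.authorization.k8s.io
          roleRef:
            kind: ClusterRole
            name: "{{ username }}-role"
            apiGroup: rbac.authorization.k8s.io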