Merge pull request #140 from kubespray/secret_from_localhost

generate secrets on deployment machine

.travis.yml

@@ -63,19 +63,19 @@ env:
       CLOUD_IMAGE=ubuntu-1404-trusty
       CLOUD_REGION=europe-west1-c
 
-    # # Ubuntu 15.10
-    # - >-
-    #   KUBE_NETWORK_PLUGIN=flannel
-    #   CLOUD_IMAGE=ubuntu-1510-wily
-    #   CLOUD_REGION=us-central1-a
-    # - >-
-    #   KUBE_NETWORK_PLUGIN=calico
-    #   CLOUD_IMAGE=ubuntu-1510-wily
-    #   CLOUD_REGION=us-central1-a
-    # - >-
-    #   KUBE_NETWORK_PLUGIN=weave
-    #   CLOUD_IMAGE=ubuntu-1510-wily
-    #   CLOUD_REGION=us-central1-a
+    # Ubuntu 15.10
+    - >-
+      KUBE_NETWORK_PLUGIN=flannel
+      CLOUD_IMAGE=ubuntu-1510-wily
+      CLOUD_REGION=us-central1-a
+    - >-
+      KUBE_NETWORK_PLUGIN=calico
+      CLOUD_IMAGE=ubuntu-1510-wily
+      CLOUD_REGION=us-central1-a
+    - >-
+      KUBE_NETWORK_PLUGIN=weave
+      CLOUD_IMAGE=ubuntu-1510-wily
+      CLOUD_REGION=us-central1-a
 
 
 matrix:
@@ -83,6 +83,7 @@ matrix:
     - env: KUBE_NETWORK_PLUGIN=flannel CLOUD_IMAGE=centos-7-sudo CLOUD_REGION=us-central1-c
     - env: KUBE_NETWORK_PLUGIN=flannel CLOUD_IMAGE=rhel-7-sudo CLOUD_REGION=us-east1-d
     - env: KUBE_NETWORK_PLUGIN=weave CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=europe-west1-c
+    - env: KUBE_NETWORK_PLUGIN=calico CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=europe-west1-c
 
 before_install:
   # Install Ansible.

README.md

@@ -23,7 +23,7 @@ in order to avoid any issue during deployment you should disable your firewall
 * Base knowledge on Ansible. Please refer to [Ansible documentation](http://www.ansible.com/how-ansible-works)
 
 ### Components
-* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.4
+* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.7
 * [etcd](https://github.com/coreos/etcd/releases) v2.2.4
 * [calicoctl](https://github.com/projectcalico/calico-docker/releases) v0.16.0
 * [flanneld](https://github.com/coreos/flannel/releases) v0.5.5

roles/kubernetes/master/tasks/gen_kube_tokens.yml

@@ -1,31 +0,0 @@
----
-- name: tokens | copy the token gen script
-  copy:
-    src=kube-gen-token.sh
-    dest={{ kube_script_dir }}
-    mode=u+x
-  when: inventory_hostname == groups['kube-master'][0]
-
-- name: tokens | generate tokens for master components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-  environment:
-    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_nested:
-    - [ "system:kubectl" ]
-    - "{{ groups['kube-master'] }}"
-  register: gentoken_master
-  changed_when: "'Added' in gentoken_master.stdout"
-  when: inventory_hostname == groups['kube-master'][0]
-  notify: restart kube-apiserver
-
-- name: tokens | generate tokens for node components
-  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-  environment:
-    TOKEN_DIR: "{{ kube_token_dir }}"
-  with_nested:
-    - [ 'system:kubelet' ]
-    - "{{ groups['kube-node'] }}"
-  register: gentoken_node
-  changed_when: "'Added' in gentoken_node.stdout"
-  when: inventory_hostname == groups['kube-master'][0]
-  notify: restart kube-apiserver

roles/kubernetes/master/tasks/main.yml

@@ -1,7 +1,4 @@
 ---
-- include: gen_kube_tokens.yml
-  tags: tokens
-
 - name: Copy kubectl bash completion
   copy:
     src: kubectl_bash_completion.sh
@@ -16,31 +13,6 @@
   command: rsync -piu "{{ local_release_dir }}/kubernetes/bin/kubectl" "{{ bin_dir }}/kubectl"
   changed_when: false
 
-- name: populate users for basic auth in API
-  lineinfile:
-    dest: "{{ kube_users_dir }}/known_users.csv"
-    create: yes
-    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
-    backup: yes
-  with_dict: "{{ kube_users }}"
-  notify: restart kube-apiserver
-
-# Sync masters
-- name: synchronize auth directories for masters
-  synchronize:
-    src: "{{ item }}"
-    dest: "{{ kube_config_dir }}"
-    recursive: yes
-    delete: yes
-    rsync_opts: [ '--one-file-system']
-    set_remote_user: false
-  with_items:
-    - "{{ kube_token_dir }}"
-    - "{{ kube_cert_dir }}"
-    - "{{ kube_users_dir }}"
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  when: inventory_hostname != "{{ groups['kube-master'][0] }}"
-
 - name: install | Write kube-apiserver systemd init file
   template:
     src: "kube-apiserver.service.j2"
@@ -119,3 +91,9 @@
     name: kubelet
     state: restarted
   changed_when: false
+
+- name: restart kube-apiserver
+  service:
+    name: kube-apiserver
+    state: restarted
+  when: secret_changed | default(false)

roles/kubernetes/node/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: kubernetes/secrets

roles/kubernetes/node/tasks/gen_certs.yml

@@ -1,28 +0,0 @@
----
-- name: certs | install cert generation script
-  copy:
-    src=make-ssl.sh
-    dest={{ kube_script_dir }}
-    mode=0500
-  changed_when: false
-
-- name: certs | write openssl config
-  template:
-    src: "openssl.conf.j2"
-    dest: "{{ kube_config_dir }}/.openssl.conf"
-
-- name: certs | run cert generation script
-  shell: >
-    {{ kube_script_dir }}/make-ssl.sh
-    -f {{ kube_config_dir }}/.openssl.conf
-    -g {{ kube_cert_group }}
-    -d {{ kube_cert_dir }}
-  args:
-    creates: "{{ kube_cert_dir }}/apiserver.pem"
-
-- name: certs | check certificate permissions
-  file:
-    path={{ kube_cert_dir }}
-    group={{ kube_cert_group }}
-    owner=kube
-    recurse=yes

roles/kubernetes/node/tasks/main.yml

@@ -1,4 +1,6 @@
 ---
+- include: install.yml
+
 - name: Write Calico cni config
   template:
     src: "cni-calico.conf.j2"
@@ -6,10 +8,6 @@
     owner: kube
   when: kube_network_plugin == "calico"
 
-- include: secrets.yml
-
-- include: install.yml
-
 - name: Write kubelet config file
   template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
   notify:

roles/kubernetes/node/tasks/secrets.yml

@@ -1,50 +0,0 @@
----
-- name: Secrets | certs | make sure the certificate directory exits
-  file:
-    path={{ kube_cert_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
-
-- name: Secrets | tokens | make sure the tokens directory exits
-  file:
-    path={{ kube_token_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
-
-- include: gen_certs.yml
-  when: inventory_hostname == groups['kube-master'][0]
-
-# Sync certs between nodes
-- name: Secrets | create user
-  user:
-    name: '{{ansible_user_id}}'
-    generate_ssh_key: yes
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  run_once: yes
-
-- name: Secrets | 'get ssh keypair'
-  slurp: path=~/.ssh/id_rsa.pub
-  register: public_key
-  delegate_to: "{{ groups['kube-master'][0] }}"
-
-- name: Secrets | 'setup keypair on nodes'
-  authorized_key:
-    user: '{{ansible_user_id}}'
-    key: "{{public_key.content|b64decode }}"
-
-- name: Secrets | synchronize certificates for nodes
-  synchronize:
-    src: "{{ item }}"
-    dest: "{{ kube_cert_dir }}"
-    recursive: yes
-    delete: yes
-    rsync_opts: [ '--one-file-system']
-    set_remote_user: false
-  with_items:
-    - "{{ kube_cert_dir}}/ca.pem"
-    - "{{ kube_cert_dir}}/node.pem"
-    - "{{ kube_cert_dir}}/node-key.pem"
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  when: inventory_hostname not in "{{ groups['kube-master'] }}"

roles/kubernetes/preinstall/defaults/main.yml

@@ -6,6 +6,7 @@ common_required_pkgs:
   - openssl
   - curl
   - rsync
+  - bash-completion
 
 pypy_version: 2.4.0
 python_pypy_url: "https://bitbucket.org/pypy/pypy/downloads/pypy-{{ pypy_version }}.tar.bz2"

roles/kubernetes/secrets/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: set secret_changed
+  set_fact:
+    secret_changed: true

roles/kubernetes/node/files/make-ssl.sh → roles/kubernetes/secrets/scripts/make-ssl.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Author: skahlouc@skahlouc-laptop
+# Author: Smana smainklh@gmail.com
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,15 +22,13 @@ usage()
     cat << EOF
 Create self signed certificates
 
-Usage : $(basename $0) -f <config> [-c <cloud_provider>] [-d <ssldir>] [-g <ssl_group>]
+Usage : $(basename $0) -f <config> [-d <ssldir>]
       -h | --help         : Show this message
       -f | --config       : Openssl configuration file
-      -c | --cloud        : Cloud provider (GCE, AWS or AZURE)
       -d | --ssldir       : Directory where the certificates will be installed
-      -g | --sslgrp       : Group of the certificates
                
                ex : 
-               $(basename $0) -f openssl.conf -c GCE -d /srv/ssl -g kube
+               $(basename $0) -f openssl.conf -d /srv/ssl
 EOF
 }
 
@@ -39,9 +37,7 @@ while (($#)); do
     case "$1" in
         -h | --help)   usage;   exit 0;;
         -f | --config) CONFIG=${2}; shift 2;;
-        -c | --cloud) CLOUD=${2}; shift 2;;
         -d | --ssldir) SSLDIR="${2}"; shift 2;; 
-        -g | --group) SSLGRP="${2}"; shift 2;;
         *)
             usage
             echo "ERROR : Unknown option"
@@ -57,26 +53,6 @@ fi
 if [ -z ${SSLDIR} ]; then
     SSLDIR="/etc/kubernetes/certs"
 fi
-if [ -z ${SSLGRP} ]; then
-    SSLGRP="kube-cert"
-fi
-
-#echo "config=$CONFIG, cloud=$CLOUD, certdir=$SSLDIR, certgroup=$SSLGRP"
-
-SUPPORTED_CLOUDS="GCE AWS AZURE"
-
-# TODO: Add support for discovery on other providers?
-if [ "${CLOUD}" == "GCE" ]; then
-  CLOUD_IP=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
-fi
-
-if [ "${CLOUD}" == "AWS" ]; then
-  CLOUD_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
-fi
-
-if [ "${CLOUD}" == "AZURE" ]; then
-  CLOUD_IP=$(uname -n | awk -F. '{ print $2 }').cloudapp.net
-fi
 
 tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
 trap 'rm -rf "${tmpdir}"' EXIT
@@ -102,6 +78,3 @@ done
 
 # Install certs
 mv *.pem ${SSLDIR}/
-chgrp ${SSLGRP} ${SSLDIR}/*
-chmod 600 ${SSLDIR}/*-key.pem
-chown root:root ${SSLDIR}/*-key.pem

roles/kubernetes/secrets/tasks/gen_certs.yml

@@ -0,0 +1,51 @@
+---
+- name: certs | write openssl config
+  sudo: False
+  local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf"
+  run_once: yes
+
+- name: certs | run cert generation script
+  sudo: False
+  local_action: shell
+    {{ role_path }}/scripts/make-ssl.sh
+    -f {{ role_path }}/files/openssl.conf
+    -d {{ role_path }}/files/certs/
+  run_once: yes
+
+- name: certs | Copy certs on nodes
+  copy:
+    src: "certs/{{ item }}"
+    dest: "{{ kube_cert_dir }}"
+  with_items:
+    - ca.pem
+    - node.pem
+    - node-key.pem
+  when: inventory_hostname in "{{ groups['k8s-cluster'] }}"
+
+- name: certs | Copy certs on master
+  copy:
+    src: "certs/{{ item }}"
+    dest: "{{ kube_cert_dir }}"
+  with_items:
+    - ca-key.pem
+    - admin.pem
+    - admin-key.pem
+    - apiserver-key.pem
+    - apiserver.pem
+  when: inventory_hostname in "{{ groups['kube-master'] }}"
+
+- name: certs | check certificate permissions
+  file:
+    path={{ kube_cert_dir }}
+    group={{ kube_cert_group }}
+    owner=kube
+    recurse=yes
+
+- shell: ls {{ kube_cert_dir}}/*key.pem
+  register: keyfiles
+
+- name: certs | set permissions on keys
+  file:
+    path: "{{ item }}"
+    mode: 0600
+  with_items: keyfiles.stdout_lines

roles/kubernetes/secrets/tasks/gen_tokens.yml

@@ -0,0 +1,30 @@
+---
+- name: tokens | generate tokens for master components
+  sudo: False
+  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ role_path }}/files/tokens"
+  with_nested:
+    - [ "system:kubectl" ]
+    - "{{ groups['kube-master'] }}"
+  register: gentoken_master
+  changed_when: "'Added' in gentoken_master.stdout"
+  notify: set secret_changed
+
+- name: tokens | generate tokens for node components
+  sudo: False
+  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ role_path }}/files/tokens"
+  with_nested:
+    - [ 'system:kubelet' ]
+    - "{{ groups['kube-node'] }}"
+  register: gentoken_node
+  changed_when: "'Added' in gentoken_node.stdout"
+  notify: set secret_changed
+
+- name: tokens | Copy tokens on master
+  copy:
+    src: "tokens"
+    dest: "/etc/kubernetes"
+  when: inventory_hostname in "{{ groups['kube-master'] }}"

roles/kubernetes/secrets/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Make sure the certificate directory exits
+  file:
+    path={{ kube_cert_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Make sure the tokens directory exits
+  file:
+    path={{ kube_token_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Make sure the users directory exits
+  file:
+    path={{ kube_users_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Populate users for basic auth in API
+  lineinfile:
+    dest: "{{ kube_users_dir }}/known_users.csv"
+    create: yes
+    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
+    backup: yes
+  with_dict: "{{ kube_users }}"
+  when: inventory_hostname in "{{ groups['kube-master'] }}"
+  notify: set secret_changed
+
+- name: Check if a certificate already exists
+  stat:
+    path: "{{ kube_cert_dir }}/ca.pem"
+  register: kubecert
+
+- include: gen_certs.yml
+  when: not kubecert.stat.exists
+
+- include: gen_tokens.yml

roles/network_plugin/calico/handlers/main.yml

@@ -13,3 +13,4 @@
   service:
     name: calico-node
     state: restarted
+    sleep: 10