
Merge pull request #140 from kubespray/secret_from_localhost

generate secrets on deployment machine
Antoine Legrand 8 years ago
parent
commit
7fef64dacd
19 changed files with 157 additions and 185 deletions
  1. 27
      .travis.yml
  2. 2
      README.md
  3. 31
      roles/kubernetes/master/tasks/gen_kube_tokens.yml
  4. 34
      roles/kubernetes/master/tasks/main.yml
  5. 3
      roles/kubernetes/node/meta/main.yml
  6. 28
      roles/kubernetes/node/tasks/gen_certs.yml
  7. 6
      roles/kubernetes/node/tasks/main.yml
  8. 50
      roles/kubernetes/node/tasks/secrets.yml
  9. 1
      roles/kubernetes/preinstall/defaults/main.yml
  10. 0
      roles/kubernetes/secrets/files/certs/.gitkeep
  11. 0
      roles/kubernetes/secrets/files/tokens/.gitkeep
  12. 4
      roles/kubernetes/secrets/handlers/main.yml
  13. 0
      roles/kubernetes/secrets/scripts/kube-gen-token.sh
  14. 33
      roles/kubernetes/secrets/scripts/make-ssl.sh
  15. 51
      roles/kubernetes/secrets/tasks/gen_certs.yml
  16. 30
      roles/kubernetes/secrets/tasks/gen_tokens.yml
  17. 41
      roles/kubernetes/secrets/tasks/main.yml
  18. 0
      roles/kubernetes/secrets/templates/openssl.conf.j2
  19. 1
      roles/network_plugin/calico/handlers/main.yml

27
.travis.yml

@ -63,19 +63,19 @@ env:
CLOUD_IMAGE=ubuntu-1404-trusty
CLOUD_REGION=europe-west1-c
# # Ubuntu 15.10
# - >-
# KUBE_NETWORK_PLUGIN=flannel
# CLOUD_IMAGE=ubuntu-1510-wily
# CLOUD_REGION=us-central1-a
# - >-
# KUBE_NETWORK_PLUGIN=calico
# CLOUD_IMAGE=ubuntu-1510-wily
# CLOUD_REGION=us-central1-a
# - >-
# KUBE_NETWORK_PLUGIN=weave
# CLOUD_IMAGE=ubuntu-1510-wily
# CLOUD_REGION=us-central1-a
# Ubuntu 15.10
- >-
KUBE_NETWORK_PLUGIN=flannel
CLOUD_IMAGE=ubuntu-1510-wily
CLOUD_REGION=us-central1-a
- >-
KUBE_NETWORK_PLUGIN=calico
CLOUD_IMAGE=ubuntu-1510-wily
CLOUD_REGION=us-central1-a
- >-
KUBE_NETWORK_PLUGIN=weave
CLOUD_IMAGE=ubuntu-1510-wily
CLOUD_REGION=us-central1-a
matrix:
@ -83,6 +83,7 @@ matrix:
- env: KUBE_NETWORK_PLUGIN=flannel CLOUD_IMAGE=centos-7-sudo CLOUD_REGION=us-central1-c
- env: KUBE_NETWORK_PLUGIN=flannel CLOUD_IMAGE=rhel-7-sudo CLOUD_REGION=us-east1-d
- env: KUBE_NETWORK_PLUGIN=weave CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=europe-west1-c
- env: KUBE_NETWORK_PLUGIN=calico CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=europe-west1-c
before_install:
# Install Ansible.

2
README.md

@ -23,7 +23,7 @@ in order to avoid any issue during deployment you should disable your firewall
* Base knowledge on Ansible. Please refer to [Ansible documentation](http://www.ansible.com/how-ansible-works)
### Components
* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.4
* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.7
* [etcd](https://github.com/coreos/etcd/releases) v2.2.4
* [calicoctl](https://github.com/projectcalico/calico-docker/releases) v0.16.0
* [flanneld](https://github.com/coreos/flannel/releases) v0.5.5

31
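--- a/roles/kubernetes/master/tasks/gen_kube_tokens.yml
+++ b/roles/kubernetes/master/tasks/gen_kube_tokens.yml
@@ -1,31 +0,0 @@
----
-- name: tokens | copy the token gen script
-copy:
-src=kube-gen-token.sh
-dest={{ kube_script_dir }}
-mode=u+x
-when: inventory_hostname == groups['kube-master'][0]
-- name: tokens | generate tokens for master components
-command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-environment:
-TOKEN_DIR: "{{ kube_token_dir }}"
-with_nested:
-- [ "system:kubectl" ]
-- "{{ groups['kube-master'] }}"
-register: gentoken_master
-changed_when: "'Added' in gentoken_master.stdout"
-when: inventory_hostname == groups['kube-master'][0]
-notify: restart kube-apiserver
-- name: tokens | generate tokens for node components
-command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
-environment:
-TOKEN_DIR: "{{ kube_token_dir }}"
-with_nested:
-- [ 'system:kubelet' ]
-- "{{ groups['kube-node'] }}"
-register: gentoken_node
-changed_when: "'Added' in gentoken_node.stdout"
-when: inventory_hostname == groups['kube-master'][0]
-notify: restart kube-apiserver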

34
roles/kubernetes/master/tasks/main.yml

@ -1,7 +1,4 @@
---
- include: gen_kube_tokens.yml
tags: tokens
- name: Copy kubectl bash completion
copy:
src: kubectl_bash_completion.sh
@ -16,31 +13,6 @@
command: rsync -piu "{{ local_release_dir }}/kubernetes/bin/kubectl" "{{ bin_dir }}/kubectl"
changed_when: false
- name: populate users for basic auth in API
lineinfile:
dest: "{{ kube_users_dir }}/known_users.csv"
create: yes
line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
backup: yes
with_dict: "{{ kube_users }}"
notify: restart kube-apiserver
# Sync masters
- name: synchronize auth directories for masters
synchronize:
src: "{{ item }}"
dest: "{{ kube_config_dir }}"
recursive: yes
delete: yes
rsync_opts: [ '--one-file-system']
set_remote_user: false
with_items:
- "{{ kube_token_dir }}"
- "{{ kube_cert_dir }}"
- "{{ kube_users_dir }}"
delegate_to: "{{ groups['kube-master'][0] }}"
when: inventory_hostname != "{{ groups['kube-master'][0] }}"
- name: install | Write kube-apiserver systemd init file
template:
src: "kube-apiserver.service.j2"
@ -119,3 +91,9 @@
name: kubelet
state: restarted
changed_when: false
- name: restart kube-apiserver
service:
name: kube-apiserver
state: restarted
when: secret_changed | default(false)
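Review bot: The `restart kube-apiserver` entry added in the last hunk is gated on `secret_changed`, a fact that the `set secret_changed` handler of the secrets role only sets when handlers flush — at the end of the play that ran that role, and only on hosts whose token tasks reported a change — so the restart is correct only if this file runs in a later play than kubernetes/secrets, and is silently skipped if they ever share a play. Note also that none of the tasks in secrets/tasks/gen_certs.yml notify `set secret_changed`, so a regenerated certificate alone never triggers this restart. A comment stating the dependency would help, e.g. `# secret_changed is set by the kubernetes/secrets handler; relies on that role running in an earlier play`, or a `meta: flush_handlers` placed before it. The surrounding list starts outside the hunk, so whether this entry is a task or a handler is inferred.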

3
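--- a/roles/kubernetes/node/meta/main.yml
+++ b/roles/kubernetes/node/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- role: kubernetes/secrets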

28
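--- a/roles/kubernetes/node/tasks/gen_certs.yml
+++ b/roles/kubernetes/node/tasks/gen_certs.yml
@@ -1,28 +0,0 @@
----
-- name: certs | install cert generation script
-copy:
-src=make-ssl.sh
-dest={{ kube_script_dir }}
-mode=0500
-changed_when: false
-- name: certs | write openssl config
-template:
-src: "openssl.conf.j2"
-dest: "{{ kube_config_dir }}/.openssl.conf"
-- name: certs | run cert generation script
-shell: >
-{{ kube_script_dir }}/make-ssl.sh
--f {{ kube_config_dir }}/.openssl.conf
--g {{ kube_cert_group }}
--d {{ kube_cert_dir }}
-args:
-creates: "{{ kube_cert_dir }}/apiserver.pem"
-- name: certs | check certificate permissions
-file:
-path={{ kube_cert_dir }}
-group={{ kube_cert_group }}
-owner=kube
-recurse=yes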

6
roles/kubernetes/node/tasks/main.yml

@ -1,4 +1,6 @@
---
- include: install.yml
- name: Write Calico cni config
template:
src: "cni-calico.conf.j2"
@ -6,10 +8,6 @@
owner: kube
when: kube_network_plugin == "calico"
- include: secrets.yml
- include: install.yml
- name: Write kubelet config file
template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
notify:

50
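--- a/roles/kubernetes/node/tasks/secrets.yml
+++ b/roles/kubernetes/node/tasks/secrets.yml
@@ -1,50 +0,0 @@
----
-- name: Secrets | certs | make sure the certificate directory exits
-file:
-path={{ kube_cert_dir }}
-state=directory
-mode=o-rwx
-group={{ kube_cert_group }}
-- name: Secrets | tokens | make sure the tokens directory exits
-file:
-path={{ kube_token_dir }}
-state=directory
-mode=o-rwx
-group={{ kube_cert_group }}
-- include: gen_certs.yml
-when: inventory_hostname == groups['kube-master'][0]
-# Sync certs between nodes
-- name: Secrets | create user
-user:
-name: '{{ansible_user_id}}'
-generate_ssh_key: yes
-delegate_to: "{{ groups['kube-master'][0] }}"
-run_once: yes
-- name: Secrets | 'get ssh keypair'
-slurp: path=~/.ssh/id_rsa.pub
-register: public_key
-delegate_to: "{{ groups['kube-master'][0] }}"
-- name: Secrets | 'setup keypair on nodes'
-authorized_key:
-user: '{{ansible_user_id}}'
-key: "{{public_key.content|b64decode }}"
-- name: Secrets | synchronize certificates for nodes
-synchronize:
-src: "{{ item }}"
-dest: "{{ kube_cert_dir }}"
-recursive: yes
-delete: yes
-rsync_opts: [ '--one-file-system']
-set_remote_user: false
-with_items:
-- "{{ kube_cert_dir}}/ca.pem"
-- "{{ kube_cert_dir}}/node.pem"
-- "{{ kube_cert_dir}}/node-key.pem"
-delegate_to: "{{ groups['kube-master'][0] }}"
-when: inventory_hostname not in "{{ groups['kube-master'] }}"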

1
roles/kubernetes/preinstall/defaults/main.yml

@ -6,6 +6,7 @@ common_required_pkgs:
- openssl
- curl
- rsync
- bash-completion
pypy_version: 2.4.0
python_pypy_url: "https://bitbucket.org/pypy/pypy/downloads/pypy-{{ pypy_version }}.tar.bz2"

0
roles/kubernetes/secrets/files/certs/.gitkeep

0
roles/kubernetes/secrets/files/tokens/.gitkeep

4
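--- a/roles/kubernetes/secrets/handlers/main.yml
+++ b/roles/kubernetes/secrets/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: set secret_changed
+set_fact:
+secret_changed: true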

roles/kubernetes/master/files/kube-gen-token.sh → roles/kubernetes/secrets/scripts/kube-gen-token.sh

roles/kubernetes/node/files/make-ssl.sh → roles/kubernetes/secrets/scripts/make-ssl.sh

@ -1,6 +1,6 @@
#!/bin/bash
# Author: skahlouc@skahlouc-laptop
# Author: Smana smainklh@gmail.com
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -22,15 +22,13 @@ usage()
cat << EOF
Create self signed certificates
Usage : $(basename $0) -f <config> [-c <cloud_provider>] [-d <ssldir>] [-g <ssl_group>]
Usage : $(basename $0) -f <config> [-d <ssldir>]
-h | --help : Show this message
-f | --config : Openssl configuration file
-c | --cloud : Cloud provider (GCE, AWS or AZURE)
-d | --ssldir : Directory where the certificates will be installed
-g | --sslgrp : Group of the certificates
ex :
$(basename $0) -f openssl.conf -c GCE -d /srv/ssl -g kube
$(basename $0) -f openssl.conf -d /srv/ssl
EOF
}
@ -39,9 +37,7 @@ while (($#)); do
case "$1" in
-h | --help) usage; exit 0;;
-f | --config) CONFIG=${2}; shift 2;;
-c | --cloud) CLOUD=${2}; shift 2;;
-d | --ssldir) SSLDIR="${2}"; shift 2;;
-g | --group) SSLGRP="${2}"; shift 2;;
*)
usage
echo "ERROR : Unknown option"
@ -57,26 +53,6 @@ fi
if [ -z ${SSLDIR} ]; then
SSLDIR="/etc/kubernetes/certs"
fi
if [ -z ${SSLGRP} ]; then
SSLGRP="kube-cert"
fi
#echo "config=$CONFIG, cloud=$CLOUD, certdir=$SSLDIR, certgroup=$SSLGRP"
SUPPORTED_CLOUDS="GCE AWS AZURE"
# TODO: Add support for discovery on other providers?
if [ "${CLOUD}" == "GCE" ]; then
CLOUD_IP=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
fi
if [ "${CLOUD}" == "AWS" ]; then
CLOUD_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
fi
if [ "${CLOUD}" == "AZURE" ]; then
CLOUD_IP=$(uname -n | awk -F. '{ print $2 }').cloudapp.net
fi
tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
trap 'rm -rf "${tmpdir}"' EXIT
@ -102,6 +78,3 @@ done
# Install certs
mv *.pem ${SSLDIR}/
chgrp ${SSLGRP} ${SSLDIR}/*
chmod 600 ${SSLDIR}/*-key.pem
chown root:root ${SSLDIR}/*-key.pem
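Review bot: The last hunk drops `chmod 600 ${SSLDIR}/*-key.pem` together with the chgrp/chown, so the private keys the script moves into `-d` now keep whatever mode the process umask gave them when openssl created them in the temp directory — and with the new callers that directory is `{{ role_path }}/files/certs/` inside the repository checkout on the deployment machine. The chmod needed no root and should stay, `chmod 600 ${SSLDIR}/*-key.pem`; a `umask 077` near the top of the script would additionally keep the keys private from the moment they are written. No .gitignore change is visible in this commit for files/certs or files/tokens, so it is worth confirming that generated keys and tokens cannot be committed next to the .gitkeep placeholders. The script's body between the hunks is not shown here.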

51
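--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -0,0 +1,51 @@
+---
+- name: certs | write openssl config
+sudo: False
+local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf"
+run_once: yes
+- name: certs | run cert generation script
+sudo: False
+local_action: shell
+{{ role_path }}/scripts/make-ssl.sh
+-f {{ role_path }}/files/openssl.conf
+-d {{ role_path }}/files/certs/
+run_once: yes
+- name: certs | Copy certs on nodes
+copy:
+src: "certs/{{ item }}"
+dest: "{{ kube_cert_dir }}"
+with_items:
+- ca.pem
+- node.pem
+- node-key.pem
+when: inventory_hostname in "{{ groups['k8s-cluster'] }}"
+- name: certs | Copy certs on master
+copy:
+src: "certs/{{ item }}"
+dest: "{{ kube_cert_dir }}"
+with_items:
+- ca-key.pem
+- admin.pem
+- admin-key.pem
+- apiserver-key.pem
+- apiserver.pem
+when: inventory_hostname in "{{ groups['kube-master'] }}"
+- name: certs | check certificate permissions
+file:
+path={{ kube_cert_dir }}
+group={{ kube_cert_group }}
+owner=kube
+recurse=yes
+- shell: ls {{ kube_cert_dir}}/*key.pem
+register: keyfiles
+- name: certs | set permissions on keys
+file:
+path: "{{ item }}"
+mode: 0600
+with_items: keyfiles.stdout_lines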
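Review bot: The guard `when: inventory_hostname in "{{ groups['kube-master'] }}"` on "Copy certs on master" (and the same form on "Copy certs on nodes", on "Copy tokens on master" in gen_tokens.yml and on "Populate users" in tasks/main.yml) templates the group list into a string before `in` is evaluated, so it appears to act as a substring test: a host whose name is a prefix of a master's name would receive ca-key.pem, admin-key.pem and apiserver-key.pem. Compare against the list itself, `when: inventory_hostname in groups['kube-master']`. The copy tasks also leave node-key.pem and the master keys at the copy module's default mode until the unnamed `shell: ls` / file pair at the end runs; adding `mode: "0600"` to each copy task (quoted so YAML keeps it a string) closes that window and makes the `ls` task unnecessary. It is also worth asking whether ca-key.pem needs to leave the deployment machine at all, unless something on the masters signs certificates with it.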

30
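--- a/roles/kubernetes/secrets/tasks/gen_tokens.yml
+++ b/roles/kubernetes/secrets/tasks/gen_tokens.yml
@@ -0,0 +1,30 @@
+---
+- name: tokens | generate tokens for master components
+sudo: False
+local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+environment:
+TOKEN_DIR: "{{ role_path }}/files/tokens"
+with_nested:
+- [ "system:kubectl" ]
+- "{{ groups['kube-master'] }}"
+register: gentoken_master
+changed_when: "'Added' in gentoken_master.stdout"
+notify: set secret_changed
+- name: tokens | generate tokens for node components
+sudo: False
+local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+environment:
+TOKEN_DIR: "{{ role_path }}/files/tokens"
+with_nested:
+- [ 'system:kubelet' ]
+- "{{ groups['kube-node'] }}"
+register: gentoken_node
+changed_when: "'Added' in gentoken_node.stdout"
+notify: set secret_changed
+- name: tokens | Copy tokens on master
+copy:
+src: "tokens"
+dest: "/etc/kubernetes"
+when: inventory_hostname in "{{ groups['kube-master'] }}"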
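Review bot: The two `local_action: command` token tasks carry no `run_once`, unlike the local cert tasks in gen_certs.yml, so kube-gen-token.sh is invoked on the deployment machine once per host in the play, and each host's own run decides (via `changed_when`) whether it notifies `set secret_changed`; if a single local run is intended, add `run_once: yes` to both. "Copy tokens on master" also writes to a hard-coded `dest: "/etc/kubernetes"` while tasks/main.yml creates and restricts `{{ kube_token_dir }}`; `dest: "{{ kube_token_dir }}"` with `src: "tokens/"` (the trailing slash copies the directory contents rather than a nested tokens/ directory) and `mode: "0600"` keeps the tokens inside the directory that was given mode o-rwx, whatever the variable is set to.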

41
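--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: Make sure the certificate directory exits
+file:
+path={{ kube_cert_dir }}
+state=directory
+mode=o-rwx
+group={{ kube_cert_group }}
+- name: Make sure the tokens directory exits
+file:
+path={{ kube_token_dir }}
+state=directory
+mode=o-rwx
+group={{ kube_cert_group }}
+- name: Make sure the users directory exits
+file:
+path={{ kube_users_dir }}
+state=directory
+mode=o-rwx
+group={{ kube_cert_group }}
+- name: Populate users for basic auth in API
+lineinfile:
+dest: "{{ kube_users_dir }}/known_users.csv"
+create: yes
+line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
+backup: yes
+with_dict: "{{ kube_users }}"
+when: inventory_hostname in "{{ groups['kube-master'] }}"
+notify: set secret_changed
+- name: Check if a certificate already exists
+stat:
+path: "{{ kube_cert_dir }}/ca.pem"
+register: kubecert
+- include: gen_certs.yml
+when: not kubecert.stat.exists
+- include: gen_tokens.yml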
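Review bot: "Check if a certificate already exists" stats `{{ kube_cert_dir }}/ca.pem` on each host, but the generation tasks the include gates are `run_once` local actions in gen_certs.yml, so the include's `when` appears to be consulted only for the first host of the batch; a node added later to a cluster whose first host already has ca.pem would skip generation and then copy from `files/certs` on the deployment machine, which must still hold the output of the original run. If that is the intended contract it deserves a comment on the include, e.g. `# certs are generated only when the first host lacks ca.pem; keep files/certs from the initial run`, and a `stat`/`assert` on the local files before the copy tasks would turn a missing directory into a clear error rather than a copy failure. The "Populate users" task creates known_users.csv, which holds the basic-auth passwords, without an explicit `mode`, relying on the directory's o-rwx; `mode: "0600"` on the lineinfile task would restrict the file itself as well.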

roles/kubernetes/node/templates/openssl.conf.j2 → roles/kubernetes/secrets/templates/openssl.conf.j2

1
roles/network_plugin/calico/handlers/main.yml

@ -13,3 +13,4 @@
service:
name: calico-node
state: restarted
sleep: 10