generate secrets on deployment machine

test travis with sudo=true instead of required
9 years ago · 91fca69aa0
19 changed files with 157 additions and 185 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -63,19 +63,19 @@ env:
      CLOUD_IMAGE=ubuntu-1404-trusty
      CLOUD_REGION=europe-west1-c
    # # Ubuntu 15.10
    # - >-
    #   KUBE_NETWORK_PLUGIN=flannel
    #   CLOUD_IMAGE=ubuntu-1510-wily
    #   CLOUD_REGION=us-central1-a
    # - >-
    #   KUBE_NETWORK_PLUGIN=calico
    #   CLOUD_IMAGE=ubuntu-1510-wily
    #   CLOUD_REGION=us-central1-a
    # - >-
    #   KUBE_NETWORK_PLUGIN=weave
    #   CLOUD_IMAGE=ubuntu-1510-wily
    #   CLOUD_REGION=us-central1-a
    # Ubuntu 15.10
    - >-
      KUBE_NETWORK_PLUGIN=flannel
      CLOUD_IMAGE=ubuntu-1510-wily
      CLOUD_REGION=us-central1-a
    - >-
      KUBE_NETWORK_PLUGIN=calico
      CLOUD_IMAGE=ubuntu-1510-wily
      CLOUD_REGION=us-central1-a
    - >-
      KUBE_NETWORK_PLUGIN=weave
      CLOUD_IMAGE=ubuntu-1510-wily
      CLOUD_REGION=us-central1-a
 matrix:
@ -83,6 +83,7 @@ matrix:
    - env: KUBE_NETWORK_PLUGIN=flannel CLOUD_IMAGE=centos-7-sudo CLOUD_REGION=us-central1-c
    - env: KUBE_NETWORK_PLUGIN=flannel CLOUD_IMAGE=rhel-7-sudo CLOUD_REGION=us-east1-d
    - env: KUBE_NETWORK_PLUGIN=weave CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=europe-west1-c
    - env: KUBE_NETWORK_PLUGIN=calico CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=europe-west1-c
 before_install:
  # Install Ansible.
--- a/README.md
+++ b/README.md
@ -23,7 +23,7 @@ in order to avoid any issue during deployment you should disable your firewall
 * Base knowledge on Ansible. Please refer to [Ansible documentation](http://www.ansible.com/how-ansible-works)
 ### Components
 * [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.4
 * [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.7
 * [etcd](https://github.com/coreos/etcd/releases) v2.2.4
 * [calicoctl](https://github.com/projectcalico/calico-docker/releases) v0.16.0
 * [flanneld](https://github.com/coreos/flannel/releases) v0.5.5
--- a/roles/kubernetes/master/tasks/gen_kube_tokens.yml
+++ b/roles/kubernetes/master/tasks/gen_kube_tokens.yml
@ -1,31 +0,0 @@
 ---
 - name: tokens | copy the token gen script
  copy:
    src=kube-gen-token.sh
    dest={{ kube_script_dir }}
    mode=u+x
  when: inventory_hostname == groups['kube-master'][0]
 - name: tokens | generate tokens for master components
  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
  with_nested:
    - [ "system:kubectl" ]
    - "{{ groups['kube-master'] }}"
  register: gentoken_master
  changed_when: "'Added' in gentoken_master.stdout"
  when: inventory_hostname == groups['kube-master'][0]
  notify: restart kube-apiserver
 - name: tokens | generate tokens for node components
  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ kube_token_dir }}"
  with_nested:
    - [ 'system:kubelet' ]
    - "{{ groups['kube-node'] }}"
  register: gentoken_node
  changed_when: "'Added' in gentoken_node.stdout"
  when: inventory_hostname == groups['kube-master'][0]
  notify: restart kube-apiserver
--- a/roles/kubernetes/master/tasks/main.yml
+++ b/roles/kubernetes/master/tasks/main.yml
@ -1,7 +1,4 @@
 ---
 - include: gen_kube_tokens.yml
  tags: tokens
 - name: Copy kubectl bash completion
  copy:
    src: kubectl_bash_completion.sh
@ -16,31 +13,6 @@
  command: rsync -piu "{{ local_release_dir }}/kubernetes/bin/kubectl" "{{ bin_dir }}/kubectl"
  changed_when: false
 - name: populate users for basic auth in API
  lineinfile:
    dest: "{{ kube_users_dir }}/known_users.csv"
    create: yes
    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
    backup: yes
  with_dict: "{{ kube_users }}"
  notify: restart kube-apiserver
 # Sync masters
 - name: synchronize auth directories for masters
  synchronize:
    src: "{{ item }}"
    dest: "{{ kube_config_dir }}"
    recursive: yes
    delete: yes
    rsync_opts: [ '--one-file-system']
    set_remote_user: false
  with_items:
    - "{{ kube_token_dir }}"
    - "{{ kube_cert_dir }}"
    - "{{ kube_users_dir }}"
  delegate_to: "{{ groups['kube-master'][0] }}"
  when: inventory_hostname != "{{ groups['kube-master'][0] }}"
 - name: install | Write kube-apiserver systemd init file
  template:
    src: "kube-apiserver.service.j2"
@ -119,3 +91,9 @@
    name: kubelet
    state: restarted
  changed_when: false
 - name: restart kube-apiserver
  service:
    name: kube-apiserver
    state: restarted
  when: secret_changed | default(false)
--- a/roles/kubernetes/node/meta/main.yml
+++ b/roles/kubernetes/node/meta/main.yml
@ -0,0 +1,3 @@
 ---
 dependencies:
 - role: kubernetes/secrets
--- a/roles/kubernetes/node/tasks/gen_certs.yml
+++ b/roles/kubernetes/node/tasks/gen_certs.yml
@ -1,28 +0,0 @@
 ---
 - name: certs | install cert generation script
  copy:
    src=make-ssl.sh
    dest={{ kube_script_dir }}
    mode=0500
  changed_when: false
 - name: certs | write openssl config
  template:
    src: "openssl.conf.j2"
    dest: "{{ kube_config_dir }}/.openssl.conf"
 - name: certs | run cert generation script
  shell: >
    {{ kube_script_dir }}/make-ssl.sh
    -f {{ kube_config_dir }}/.openssl.conf
    -g {{ kube_cert_group }}
    -d {{ kube_cert_dir }}
  args:
    creates: "{{ kube_cert_dir }}/apiserver.pem"
 - name: certs | check certificate permissions
  file:
    path={{ kube_cert_dir }}
    group={{ kube_cert_group }}
    owner=kube
    recurse=yes
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@ -1,4 +1,6 @@
 ---
 - include: install.yml
 - name: Write Calico cni config
  template:
    src: "cni-calico.conf.j2"
@ -6,10 +8,6 @@
    owner: kube
  when: kube_network_plugin == "calico"
 - include: secrets.yml
 - include: install.yml
 - name: Write kubelet config file
  template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
  notify:
--- a/roles/kubernetes/node/tasks/secrets.yml
+++ b/roles/kubernetes/node/tasks/secrets.yml
@ -1,50 +0,0 @@
 ---
 - name: Secrets | certs | make sure the certificate directory exits
  file:
    path={{ kube_cert_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}
 - name: Secrets | tokens | make sure the tokens directory exits
  file:
    path={{ kube_token_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}
 - include: gen_certs.yml
  when: inventory_hostname == groups['kube-master'][0]
 # Sync certs between nodes
 - name: Secrets | create user
  user:
    name: '{{ansible_user_id}}'
    generate_ssh_key: yes
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: yes
 - name: Secrets | 'get ssh keypair'
  slurp: path=~/.ssh/id_rsa.pub
  register: public_key
  delegate_to: "{{ groups['kube-master'][0] }}"
 - name: Secrets | 'setup keypair on nodes'
  authorized_key:
    user: '{{ansible_user_id}}'
    key: "{{public_key.content|b64decode }}"
 - name: Secrets | synchronize certificates for nodes
  synchronize:
    src: "{{ item }}"
    dest: "{{ kube_cert_dir }}"
    recursive: yes
    delete: yes
    rsync_opts: [ '--one-file-system']
    set_remote_user: false
  with_items:
    - "{{ kube_cert_dir}}/ca.pem"
    - "{{ kube_cert_dir}}/node.pem"
    - "{{ kube_cert_dir}}/node-key.pem"
  delegate_to: "{{ groups['kube-master'][0] }}"
  when: inventory_hostname not in "{{ groups['kube-master'] }}"
--- a/roles/kubernetes/preinstall/defaults/main.yml
+++ b/roles/kubernetes/preinstall/defaults/main.yml
@ -6,6 +6,7 @@ common_required_pkgs:
  - openssl
  - curl
  - rsync
  - bash-completion
 pypy_version: 2.4.0
 python_pypy_url: "https://bitbucket.org/pypy/pypy/downloads/pypy-{{ pypy_version }}.tar.bz2"
--- a/roles/kubernetes/secrets/files/certs/.gitkeep
+++ b/roles/kubernetes/secrets/files/certs/.gitkeep
--- a/roles/kubernetes/secrets/files/tokens/.gitkeep
+++ b/roles/kubernetes/secrets/files/tokens/.gitkeep
--- a/roles/kubernetes/secrets/handlers/main.yml
+++ b/roles/kubernetes/secrets/handlers/main.yml
@ -0,0 +1,4 @@
 ---
 - name: set secret_changed
  set_fact:
    secret_changed: true
--- a/roles/kubernetes/secrets/scripts/kube-gen-token.sh
+++ b/roles/kubernetes/secrets/scripts/kube-gen-token.sh
--- a/roles/kubernetes/secrets/scripts/make-ssl.sh
+++ b/roles/kubernetes/secrets/scripts/make-ssl.sh
@ -1,6 +1,6 @@
 #!/bin/bash
 # Author: skahlouc@skahlouc-laptop
 # Author: Smana smainklh@gmail.com
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -22,15 +22,13 @@ usage()
    cat << EOF
 Create self signed certificates
 Usage : $(basename $0) -f <config> [-c <cloud_provider>] [-d <ssldir>] [-g <ssl_group>]
 Usage : $(basename $0) -f <config> [-d <ssldir>]
      -h | --help         : Show this message
      -f | --config       : Openssl configuration file
      -c | --cloud        : Cloud provider (GCE, AWS or AZURE)
      -d | --ssldir       : Directory where the certificates will be installed
      -g | --sslgrp       : Group of the certificates
               ex : 
               $(basename $0) -f openssl.conf -c GCE -d /srv/ssl -g kube
               $(basename $0) -f openssl.conf -d /srv/ssl
 EOF
 }
@ -39,9 +37,7 @@ while (($#)); do
    case "$1" in
        -h | --help)   usage;   exit 0;;
        -f | --config) CONFIG=${2}; shift 2;;
        -c | --cloud) CLOUD=${2}; shift 2;;
        -d | --ssldir) SSLDIR="${2}"; shift 2;; 
        -g | --group) SSLGRP="${2}"; shift 2;;
        *)
            usage
            echo "ERROR : Unknown option"
@ -57,26 +53,6 @@ fi
 if [ -z ${SSLDIR} ]; then
    SSLDIR="/etc/kubernetes/certs"
 fi
 if [ -z ${SSLGRP} ]; then
    SSLGRP="kube-cert"
 fi
 #echo "config=$CONFIG, cloud=$CLOUD, certdir=$SSLDIR, certgroup=$SSLGRP"
 SUPPORTED_CLOUDS="GCE AWS AZURE"
 # TODO: Add support for discovery on other providers?
 if [ "${CLOUD}" == "GCE" ]; then
  CLOUD_IP=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
 fi
 if [ "${CLOUD}" == "AWS" ]; then
  CLOUD_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
 fi
 if [ "${CLOUD}" == "AZURE" ]; then
  CLOUD_IP=$(uname -n | awk -F. '{ print $2 }').cloudapp.net
 fi
 tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
 trap 'rm -rf "${tmpdir}"' EXIT
@ -102,6 +78,3 @@ done
 # Install certs
 mv *.pem ${SSLDIR}/
 chgrp ${SSLGRP} ${SSLDIR}/*
 chmod 600 ${SSLDIR}/*-key.pem
 chown root:root ${SSLDIR}/*-key.pem
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@ -0,0 +1,51 @@
 ---
 - name: certs | write openssl config
  sudo: False
  local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf"
  run_once: yes
 - name: certs | run cert generation script
  sudo: False
  local_action: shell
    {{ role_path }}/scripts/make-ssl.sh
    -f {{ role_path }}/files/openssl.conf
    -d {{ role_path }}/files/certs/
  run_once: yes
 - name: certs | Copy certs on nodes
  copy:
    src: "certs/{{ item }}"
    dest: "{{ kube_cert_dir }}"
  with_items:
    - ca.pem
    - node.pem
    - node-key.pem
  when: inventory_hostname in "{{ groups['k8s-cluster'] }}"
 - name: certs | Copy certs on master
  copy:
    src: "certs/{{ item }}"
    dest: "{{ kube_cert_dir }}"
  with_items:
    - ca-key.pem
    - admin.pem
    - admin-key.pem
    - apiserver-key.pem
    - apiserver.pem
  when: inventory_hostname in "{{ groups['kube-master'] }}"
 - name: certs | check certificate permissions
  file:
    path={{ kube_cert_dir }}
    group={{ kube_cert_group }}
    owner=kube
    recurse=yes
 - shell: ls {{ kube_cert_dir}}/*key.pem
  register: keyfiles
 - name: certs | set permissions on keys
  file:
    path: "{{ item }}"
    mode: 0600
  with_items: keyfiles.stdout_lines
--- a/roles/kubernetes/secrets/tasks/gen_tokens.yml
+++ b/roles/kubernetes/secrets/tasks/gen_tokens.yml
@ -0,0 +1,30 @@
 ---
 - name: tokens | generate tokens for master components
  sudo: False
  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ role_path }}/files/tokens"
  with_nested:
    - [ "system:kubectl" ]
    - "{{ groups['kube-master'] }}"
  register: gentoken_master
  changed_when: "'Added' in gentoken_master.stdout"
  notify: set secret_changed
 - name: tokens | generate tokens for node components
  sudo: False
  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
  environment:
    TOKEN_DIR: "{{ role_path }}/files/tokens"
  with_nested:
    - [ 'system:kubelet' ]
    - "{{ groups['kube-node'] }}"
  register: gentoken_node
  changed_when: "'Added' in gentoken_node.stdout"
  notify: set secret_changed
 - name: tokens | Copy tokens on master
  copy:
    src: "tokens"
    dest: "/etc/kubernetes"
  when: inventory_hostname in "{{ groups['kube-master'] }}"
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@ -0,0 +1,41 @@
 ---
 - name: Make sure the certificate directory exits
  file:
    path={{ kube_cert_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}
 - name: Make sure the tokens directory exits
  file:
    path={{ kube_token_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}
 - name: Make sure the users directory exits
  file:
    path={{ kube_users_dir }}
    state=directory
    mode=o-rwx
    group={{ kube_cert_group }}
 - name: Populate users for basic auth in API
  lineinfile:
    dest: "{{ kube_users_dir }}/known_users.csv"
    create: yes
    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
    backup: yes
  with_dict: "{{ kube_users }}"
  when: inventory_hostname in "{{ groups['kube-master'] }}"
  notify: set secret_changed
 - name: Check if a certificate already exists
  stat:
    path: "{{ kube_cert_dir }}/ca.pem"
  register: kubecert
 - include: gen_certs.yml
  when: not kubecert.stat.exists
 - include: gen_tokens.yml
--- a/roles/kubernetes/secrets/templates/openssl.conf.j2
+++ b/roles/kubernetes/secrets/templates/openssl.conf.j2
--- a/roles/network_plugin/calico/handlers/main.yml
+++ b/roles/network_plugin/calico/handlers/main.yml
@ -13,3 +13,4 @@
  service:
    name: calico-node
    state: restarted
    sleep: 10