generate secrets on deployment machine

test travis with sudo=true instead of required
2026-02-03 02:28:15 -03:30 · 2016-02-11 23:08:16 +01:00
parent 3fef552978
commit 91fca69aa0
19 changed files with 157 additions and 185 deletions
--- a/roles/kubernetes/node/files/make-ssl.sh
+++ b/roles/kubernetes/node/files/make-ssl.sh
@@ -1,107 +0,0 @@
-#!/bin/bash
-
-# Author: skahlouc@skahlouc-laptop
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -o errexit
-set -o pipefail
-
-usage()
-{
-    cat << EOF
-Create self signed certificates
-
-Usage : $(basename $0) -f <config> [-c <cloud_provider>] [-d <ssldir>] [-g <ssl_group>]
-      -h | --help         : Show this message
-      -f | --config       : Openssl configuration file
-      -c | --cloud        : Cloud provider (GCE, AWS or AZURE)
-      -d | --ssldir       : Directory where the certificates will be installed
-      -g | --sslgrp       : Group of the certificates
-               
-               ex : 
-               $(basename $0) -f openssl.conf -c GCE -d /srv/ssl -g kube
-EOF
-}
-
-# Options parsing
-while (($#)); do
-    case "$1" in
-        -h | --help)   usage;   exit 0;;
-        -f | --config) CONFIG=${2}; shift 2;;
-        -c | --cloud) CLOUD=${2}; shift 2;;
-        -d | --ssldir) SSLDIR="${2}"; shift 2;; 
-        -g | --group) SSLGRP="${2}"; shift 2;;
-        *)
-            usage
-            echo "ERROR : Unknown option"
-            exit 3
-        ;;
-    esac
-done
-
-if [ -z ${CONFIG} ]; then
-    echo "ERROR: the openssl configuration file is missing. option -f"
-    exit 1
-fi
-if [ -z ${SSLDIR} ]; then
-    SSLDIR="/etc/kubernetes/certs"
-fi
-if [ -z ${SSLGRP} ]; then
-    SSLGRP="kube-cert"
-fi
-
-#echo "config=$CONFIG, cloud=$CLOUD, certdir=$SSLDIR, certgroup=$SSLGRP"
-
-SUPPORTED_CLOUDS="GCE AWS AZURE"
-
-# TODO: Add support for discovery on other providers?
-if [ "${CLOUD}" == "GCE" ]; then
-  CLOUD_IP=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
-fi
-
-if [ "${CLOUD}" == "AWS" ]; then
-  CLOUD_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
-fi
-
-if [ "${CLOUD}" == "AZURE" ]; then
-  CLOUD_IP=$(uname -n | awk -F. '{ print $2 }').cloudapp.net
-fi
-
-tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
-trap 'rm -rf "${tmpdir}"' EXIT
-cd "${tmpdir}"
-
-mkdir -p "${SSLDIR}"
-
-# Root CA
-openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
-openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
-
-# Apiserver
-openssl genrsa -out apiserver-key.pem 2048 > /dev/null 2>&1
-openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config ${CONFIG} > /dev/null 2>&1
-openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
-
-# Nodes and Admin
-for i in node admin; do
-    openssl genrsa -out ${i}-key.pem 2048 > /dev/null 2>&1
-    openssl req -new -key ${i}-key.pem -out ${i}.csr -subj "/CN=kube-${i}" > /dev/null 2>&1
-    openssl x509 -req -in ${i}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${i}.pem -days 365 > /dev/null 2>&1
-done
-
-# Install certs
-mv *.pem ${SSLDIR}/
-chgrp ${SSLGRP} ${SSLDIR}/*
-chmod 600 ${SSLDIR}/*-key.pem
-chown root:root ${SSLDIR}/*-key.pem
--- a/roles/kubernetes/node/meta/main.yml
+++ b/roles/kubernetes/node/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: kubernetes/secrets
--- a/roles/kubernetes/node/tasks/gen_certs.yml
+++ b/roles/kubernetes/node/tasks/gen_certs.yml
@@ -1,28 +0,0 @@
---
- name: certs | install cert generation script
-  copy:
-    src=make-ssl.sh
-    dest={{ kube_script_dir }}
-    mode=0500
-  changed_when: false
-
- name: certs | write openssl config
-  template:
-    src: "openssl.conf.j2"
-    dest: "{{ kube_config_dir }}/.openssl.conf"
-
- name: certs | run cert generation script
-  shell: >
-    {{ kube_script_dir }}/make-ssl.sh
-    -f {{ kube_config_dir }}/.openssl.conf
-    -g {{ kube_cert_group }}
-    -d {{ kube_cert_dir }}
-  args:
-    creates: "{{ kube_cert_dir }}/apiserver.pem"
-
- name: certs | check certificate permissions
-  file:
-    path={{ kube_cert_dir }}
-    group={{ kube_cert_group }}
-    owner=kube
-    recurse=yes
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -1,4 +1,6 @@
 ---
+- include: install.yml
+
 - name: Write Calico cni config
  template:
    src: "cni-calico.conf.j2"
@@ -6,10 +8,6 @@
    owner: kube
  when: kube_network_plugin == "calico"

- include: secrets.yml
-
- include: install.yml
-
 - name: Write kubelet config file
  template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
  notify:
--- a/roles/kubernetes/node/tasks/secrets.yml
+++ b/roles/kubernetes/node/tasks/secrets.yml
@@ -1,50 +0,0 @@
---
- name: Secrets | certs | make sure the certificate directory exits
-  file:
-    path={{ kube_cert_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
-
- name: Secrets | tokens | make sure the tokens directory exits
-  file:
-    path={{ kube_token_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
-
- include: gen_certs.yml
-  when: inventory_hostname == groups['kube-master'][0]
-
-# Sync certs between nodes
- name: Secrets | create user
-  user:
-    name: '{{ansible_user_id}}'
-    generate_ssh_key: yes
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  run_once: yes
-
- name: Secrets | 'get ssh keypair'
-  slurp: path=~/.ssh/id_rsa.pub
-  register: public_key
-  delegate_to: "{{ groups['kube-master'][0] }}"
-
- name: Secrets | 'setup keypair on nodes'
-  authorized_key:
-    user: '{{ansible_user_id}}'
-    key: "{{public_key.content|b64decode }}"
-
- name: Secrets | synchronize certificates for nodes
-  synchronize:
-    src: "{{ item }}"
-    dest: "{{ kube_cert_dir }}"
-    recursive: yes
-    delete: yes
-    rsync_opts: [ '--one-file-system']
-    set_remote_user: false
-  with_items:
-    - "{{ kube_cert_dir}}/ca.pem"
-    - "{{ kube_cert_dir}}/node.pem"
-    - "{{ kube_cert_dir}}/node-key.pem"
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  when: inventory_hostname not in "{{ groups['kube-master'] }}"
--- a/roles/kubernetes/node/templates/openssl.conf.j2
+++ b/roles/kubernetes/node/templates/openssl.conf.j2
@@ -1,21 +0,0 @@
-[req]
-req_extensions = v3_req
-distinguished_name = req_distinguished_name
-[req_distinguished_name]
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-subjectAltName = @alt_names
-[alt_names]
-DNS.1 = kubernetes
-DNS.2 = kubernetes.default
-DNS.3 = kubernetes.default.svc.{{ dns_domain }}
-{% if loadbalancer_apiserver is defined  and apiserver_loadbalancer_domain_name is defined %}
-DNS.4 = {{ apiserver_loadbalancer_domain_name }}
-{% endif %}
-{% for host in groups['kube-master'] %}
-IP.{{ 2 * loop.index - 1 }} = {{ hostvars[host]['access_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
-IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
-{% endfor %}
-{% set idx =  groups['kube-master'] | length | int * 2 + 1 %}
-IP.{{ idx | string }} = {{ kube_apiserver_ip }}