generate secrets on deployment machine

test travis with sudo=true instead of required
2026-02-14 17:50:06 -03:30 · 2016-02-11 23:08:16 +01:00
parent 3fef552978
commit 91fca69aa0
19 changed files with 157 additions and 185 deletions
--- a/roles/kubernetes/node/tasks/gen_certs.yml
+++ b/roles/kubernetes/node/tasks/gen_certs.yml
@@ -1,28 +0,0 @@
---
- name: certs | install cert generation script
-  copy:
-    src=make-ssl.sh
-    dest={{ kube_script_dir }}
-    mode=0500
-  changed_when: false
-
- name: certs | write openssl config
-  template:
-    src: "openssl.conf.j2"
-    dest: "{{ kube_config_dir }}/.openssl.conf"
-
- name: certs | run cert generation script
-  shell: >
-    {{ kube_script_dir }}/make-ssl.sh
-    -f {{ kube_config_dir }}/.openssl.conf
-    -g {{ kube_cert_group }}
-    -d {{ kube_cert_dir }}
-  args:
-    creates: "{{ kube_cert_dir }}/apiserver.pem"
-
- name: certs | check certificate permissions
-  file:
-    path={{ kube_cert_dir }}
-    group={{ kube_cert_group }}
-    owner=kube
-    recurse=yes
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -1,4 +1,6 @@
 ---
+- include: install.yml
+
 - name: Write Calico cni config
  template:
    src: "cni-calico.conf.j2"
@@ -6,10 +8,6 @@
    owner: kube
  when: kube_network_plugin == "calico"

- include: secrets.yml
-
- include: install.yml
-
 - name: Write kubelet config file
  template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
  notify:
--- a/roles/kubernetes/node/tasks/secrets.yml
+++ b/roles/kubernetes/node/tasks/secrets.yml
@@ -1,50 +0,0 @@
---
- name: Secrets | certs | make sure the certificate directory exits
-  file:
-    path={{ kube_cert_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
-
- name: Secrets | tokens | make sure the tokens directory exits
-  file:
-    path={{ kube_token_dir }}
-    state=directory
-    mode=o-rwx
-    group={{ kube_cert_group }}
-
- include: gen_certs.yml
-  when: inventory_hostname == groups['kube-master'][0]
-
-# Sync certs between nodes
- name: Secrets | create user
-  user:
-    name: '{{ansible_user_id}}'
-    generate_ssh_key: yes
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  run_once: yes
-
- name: Secrets | 'get ssh keypair'
-  slurp: path=~/.ssh/id_rsa.pub
-  register: public_key
-  delegate_to: "{{ groups['kube-master'][0] }}"
-
- name: Secrets | 'setup keypair on nodes'
-  authorized_key:
-    user: '{{ansible_user_id}}'
-    key: "{{public_key.content|b64decode }}"
-
- name: Secrets | synchronize certificates for nodes
-  synchronize:
-    src: "{{ item }}"
-    dest: "{{ kube_cert_dir }}"
-    recursive: yes
-    delete: yes
-    rsync_opts: [ '--one-file-system']
-    set_remote_user: false
-  with_items:
-    - "{{ kube_cert_dir}}/ca.pem"
-    - "{{ kube_cert_dir}}/node.pem"
-    - "{{ kube_cert_dir}}/node-key.pem"
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  when: inventory_hostname not in "{{ groups['kube-master'] }}"