generate secrets on deployment machine

test travis with sudo=true instead of required

roles/kubernetes/secrets/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: set secret_changed
+  set_fact:
+    secret_changed: true

roles/kubernetes/secrets/scripts/kube-gen-token.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Copyright 2015 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+token_dir=${TOKEN_DIR:-/var/srv/kubernetes}
+token_file="${token_dir}/known_tokens.csv"
+
+create_accounts=($@)
+
+if [ ! -e "${token_file}" ]; then
+  touch "${token_file}"
+fi
+
+for account in "${create_accounts[@]}"; do
+  if grep ",${account}," "${token_file}" ; then
+    continue
+  fi
+  token=$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 | tr -d "=+/" | dd bs=32 count=1 2>/dev/null)
+  echo "${token},${account},${account}" >> "${token_file}"
+  echo "${token}" > "${token_dir}/${account}.token"
+  echo "Added ${account}"
+done

roles/kubernetes/secrets/scripts/make-ssl.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+# Author: Smana smainklh@gmail.com
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o pipefail
+
+usage()
+{
+    cat << EOF
+Create self signed certificates
+
+Usage : $(basename $0) -f <config> [-d <ssldir>]
+      -h | --help         : Show this message
+      -f | --config       : Openssl configuration file
+      -d | --ssldir       : Directory where the certificates will be installed
+               
+               ex : 
+               $(basename $0) -f openssl.conf -d /srv/ssl
+EOF
+}
+
+# Options parsing
+while (($#)); do
+    case "$1" in
+        -h | --help)   usage;   exit 0;;
+        -f | --config) CONFIG=${2}; shift 2;;
+        -d | --ssldir) SSLDIR="${2}"; shift 2;; 
+        *)
+            usage
+            echo "ERROR : Unknown option"
+            exit 3
+        ;;
+    esac
+done
+
+if [ -z ${CONFIG} ]; then
+    echo "ERROR: the openssl configuration file is missing. option -f"
+    exit 1
+fi
+if [ -z ${SSLDIR} ]; then
+    SSLDIR="/etc/kubernetes/certs"
+fi
+
+tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
+trap 'rm -rf "${tmpdir}"' EXIT
+cd "${tmpdir}"
+
+mkdir -p "${SSLDIR}"
+
+# Root CA
+openssl genrsa -out ca-key.pem 2048 > /dev/null 2>&1
+openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca" > /dev/null 2>&1
+
+# Apiserver
+openssl genrsa -out apiserver-key.pem 2048 > /dev/null 2>&1
+openssl req -new -key apiserver-key.pem -out apiserver.csr -subj "/CN=kube-apiserver" -config ${CONFIG} > /dev/null 2>&1
+openssl x509 -req -in apiserver.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out apiserver.pem -days 365 -extensions v3_req -extfile ${CONFIG} > /dev/null 2>&1
+
+# Nodes and Admin
+for i in node admin; do
+    openssl genrsa -out ${i}-key.pem 2048 > /dev/null 2>&1
+    openssl req -new -key ${i}-key.pem -out ${i}.csr -subj "/CN=kube-${i}" > /dev/null 2>&1
+    openssl x509 -req -in ${i}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ${i}.pem -days 365 > /dev/null 2>&1
+done
+
+# Install certs
+mv *.pem ${SSLDIR}/

roles/kubernetes/secrets/tasks/gen_certs.yml

@@ -0,0 +1,51 @@
+---
+- name: certs | write openssl config
+  sudo: False
+  local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf"
+  run_once: yes
+
+- name: certs | run cert generation script
+  sudo: False
+  local_action: shell
+    {{ role_path }}/scripts/make-ssl.sh
+    -f {{ role_path }}/files/openssl.conf
+    -d {{ role_path }}/files/certs/
+  run_once: yes
+
+- name: certs | Copy certs on nodes
+  copy:
+    src: "certs/{{ item }}"
+    dest: "{{ kube_cert_dir }}"
+  with_items:
+    - ca.pem
+    - node.pem
+    - node-key.pem
+  when: inventory_hostname in "{{ groups['k8s-cluster'] }}"
+
+- name: certs | Copy certs on master
+  copy:
+    src: "certs/{{ item }}"
+    dest: "{{ kube_cert_dir }}"
+  with_items:
+    - ca-key.pem
+    - admin.pem
+    - admin-key.pem
+    - apiserver-key.pem
+    - apiserver.pem
+  when: inventory_hostname in "{{ groups['kube-master'] }}"
+
+- name: certs | check certificate permissions
+  file:
+    path={{ kube_cert_dir }}
+    group={{ kube_cert_group }}
+    owner=kube
+    recurse=yes
+
+- shell: ls {{ kube_cert_dir}}/*key.pem
+  register: keyfiles
+
+- name: certs | set permissions on keys
+  file:
+    path: "{{ item }}"
+    mode: 0600
+  with_items: keyfiles.stdout_lines

roles/kubernetes/secrets/tasks/gen_tokens.yml

@@ -0,0 +1,30 @@
+---
+- name: tokens | generate tokens for master components
+  sudo: False
+  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ role_path }}/files/tokens"
+  with_nested:
+    - [ "system:kubectl" ]
+    - "{{ groups['kube-master'] }}"
+  register: gentoken_master
+  changed_when: "'Added' in gentoken_master.stdout"
+  notify: set secret_changed
+
+- name: tokens | generate tokens for node components
+  sudo: False
+  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ role_path }}/files/tokens"
+  with_nested:
+    - [ 'system:kubelet' ]
+    - "{{ groups['kube-node'] }}"
+  register: gentoken_node
+  changed_when: "'Added' in gentoken_node.stdout"
+  notify: set secret_changed
+
+- name: tokens | Copy tokens on master
+  copy:
+    src: "tokens"
+    dest: "/etc/kubernetes"
+  when: inventory_hostname in "{{ groups['kube-master'] }}"

roles/kubernetes/secrets/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Make sure the certificate directory exits
+  file:
+    path={{ kube_cert_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Make sure the tokens directory exits
+  file:
+    path={{ kube_token_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Make sure the users directory exits
+  file:
+    path={{ kube_users_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Populate users for basic auth in API
+  lineinfile:
+    dest: "{{ kube_users_dir }}/known_users.csv"
+    create: yes
+    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
+    backup: yes
+  with_dict: "{{ kube_users }}"
+  when: inventory_hostname in "{{ groups['kube-master'] }}"
+  notify: set secret_changed
+
+- name: Check if a certificate already exists
+  stat:
+    path: "{{ kube_cert_dir }}/ca.pem"
+  register: kubecert
+
+- include: gen_certs.yml
+  when: not kubecert.stat.exists
+
+- include: gen_tokens.yml

roles/kubernetes/secrets/templates/openssl.conf.j2

@@ -0,0 +1,21 @@
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+[req_distinguished_name]
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = kubernetes
+DNS.2 = kubernetes.default
+DNS.3 = kubernetes.default.svc.{{ dns_domain }}
+{% if loadbalancer_apiserver is defined  and apiserver_loadbalancer_domain_name is defined %}
+DNS.4 = {{ apiserver_loadbalancer_domain_name }}
+{% endif %}
+{% for host in groups['kube-master'] %}
+IP.{{ 2 * loop.index - 1 }} = {{ hostvars[host]['access_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
+IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
+{% endfor %}
+{% set idx =  groups['kube-master'] | length | int * 2 + 1 %}
+IP.{{ idx | string }} = {{ kube_apiserver_ip }}