generate secrets on deployment machine

test travis with sudo=true instead of required

roles/kubernetes/secrets/tasks/gen_certs.yml

@@ -0,0 +1,51 @@
+---
+- name: certs | write openssl config
+  sudo: False
+  local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf"
+  run_once: yes
+
+- name: certs | run cert generation script
+  sudo: False
+  local_action: shell
+    {{ role_path }}/scripts/make-ssl.sh
+    -f {{ role_path }}/files/openssl.conf
+    -d {{ role_path }}/files/certs/
+  run_once: yes
+
+- name: certs | Copy certs on nodes
+  copy:
+    src: "certs/{{ item }}"
+    dest: "{{ kube_cert_dir }}"
+  with_items:
+    - ca.pem
+    - node.pem
+    - node-key.pem
+  when: inventory_hostname in "{{ groups['k8s-cluster'] }}"
+
+- name: certs | Copy certs on master
+  copy:
+    src: "certs/{{ item }}"
+    dest: "{{ kube_cert_dir }}"
+  with_items:
+    - ca-key.pem
+    - admin.pem
+    - admin-key.pem
+    - apiserver-key.pem
+    - apiserver.pem
+  when: inventory_hostname in "{{ groups['kube-master'] }}"
+
+- name: certs | check certificate permissions
+  file:
+    path={{ kube_cert_dir }}
+    group={{ kube_cert_group }}
+    owner=kube
+    recurse=yes
+
+- shell: ls {{ kube_cert_dir}}/*key.pem
+  register: keyfiles
+
+- name: certs | set permissions on keys
+  file:
+    path: "{{ item }}"
+    mode: 0600
+  with_items: keyfiles.stdout_lines

roles/kubernetes/secrets/tasks/gen_tokens.yml

@@ -0,0 +1,30 @@
+---
+- name: tokens | generate tokens for master components
+  sudo: False
+  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ role_path }}/files/tokens"
+  with_nested:
+    - [ "system:kubectl" ]
+    - "{{ groups['kube-master'] }}"
+  register: gentoken_master
+  changed_when: "'Added' in gentoken_master.stdout"
+  notify: set secret_changed
+
+- name: tokens | generate tokens for node components
+  sudo: False
+  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  environment:
+    TOKEN_DIR: "{{ role_path }}/files/tokens"
+  with_nested:
+    - [ 'system:kubelet' ]
+    - "{{ groups['kube-node'] }}"
+  register: gentoken_node
+  changed_when: "'Added' in gentoken_node.stdout"
+  notify: set secret_changed
+
+- name: tokens | Copy tokens on master
+  copy:
+    src: "tokens"
+    dest: "/etc/kubernetes"
+  when: inventory_hostname in "{{ groups['kube-master'] }}"

roles/kubernetes/secrets/tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: Make sure the certificate directory exits
+  file:
+    path={{ kube_cert_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Make sure the tokens directory exits
+  file:
+    path={{ kube_token_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Make sure the users directory exits
+  file:
+    path={{ kube_users_dir }}
+    state=directory
+    mode=o-rwx
+    group={{ kube_cert_group }}
+
+- name: Populate users for basic auth in API
+  lineinfile:
+    dest: "{{ kube_users_dir }}/known_users.csv"
+    create: yes
+    line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
+    backup: yes
+  with_dict: "{{ kube_users }}"
+  when: inventory_hostname in "{{ groups['kube-master'] }}"
+  notify: set secret_changed
+
+- name: Check if a certificate already exists
+  stat:
+    path: "{{ kube_cert_dir }}/ca.pem"
+  register: kubecert
+
+- include: gen_certs.yml
+  when: not kubecert.stat.exists
+
+- include: gen_tokens.yml