From 4f627baf7109d46a1edf8c68dddec74d17d4a3b7 Mon Sep 17 00:00:00 2001
From: Smana
Date: Fri, 6 May 2016 19:17:59 +0200
Subject: [PATCH] generate secrets on first master
---
roles/coreos-bootstrap/tasks/main.yml | 2 +-
.../{scripts => files}/kube-gen-token.sh | 0
.../secrets/{scripts => files}/make-ssl.sh | 0
.../kubernetes/secrets/files/tokens/.gitkeep | 0
.../kubernetes/secrets/tasks/check-tokens.yml | 36 ++++++++++++++
roles/kubernetes/secrets/tasks/gen_certs.yml | 30 ++++++------
roles/kubernetes/secrets/tasks/gen_tokens.yml | 48 +++++++++++++++----
roles/kubernetes/secrets/tasks/main.yml | 1 +
8 files changed, 90 insertions(+), 27 deletions(-)
rename roles/kubernetes/secrets/{scripts => files}/kube-gen-token.sh (100%)
rename roles/kubernetes/secrets/{scripts => files}/make-ssl.sh (100%)
delete mode 100644 roles/kubernetes/secrets/files/tokens/.gitkeep
create mode 100644 roles/kubernetes/secrets/tasks/check-tokens.yml
diff --git a/roles/coreos-bootstrap/tasks/main.yml b/roles/coreos-bootstrap/tasks/main.yml
index bd81a2632..4d9e11ea6 100644
--- a/roles/coreos-bootstrap/tasks/main.yml
+++ b/roles/coreos-bootstrap/tasks/main.yml
@@ -37,7 +37,7 @@
 - name: Install required python modules pip: name: "{{ item }}" - with_items: pip_python_modules + with_items: "{{pip_python_modules}}" - name: Check configured hostname shell: hostname
diff --git a/roles/kubernetes/secrets/scripts/kube-gen-token.sh b/roles/kubernetes/secrets/files/kube-gen-token.sh
similarity index 100%
rename from roles/kubernetes/secrets/scripts/kube-gen-token.sh
rename to roles/kubernetes/secrets/files/kube-gen-token.sh
diff --git a/roles/kubernetes/secrets/scripts/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
similarity index 100%
rename from roles/kubernetes/secrets/scripts/make-ssl.sh
rename to roles/kubernetes/secrets/files/make-ssl.sh
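Review bot: The new `with_items: "{{pip_python_modules}}"` omits the spaces inside the braces that the `name: "{{ item }}"` line just above it uses; for a consistent style write `with_items: "{{ pip_python_modules }}"`. Quoting the expression is the right move, since Ansible deprecated bare variable names in loops. The enclosing task list continues outside the hunk.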
diff --git a/roles/kubernetes/secrets/files/tokens/.gitkeep b/roles/kubernetes/secrets/files/tokens/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/roles/kubernetes/secrets/tasks/check-tokens.yml b/roles/kubernetes/secrets/tasks/check-tokens.yml
new file mode 100644
index 000000000..cfb579ad7
--- /dev/null
+++ b/roles/kubernetes/secrets/tasks/check-tokens.yml
@@ -0,0 +1,36 @@
+---
+- name: "Check tokens | check if the tokens have already been generated on first master"
+ stat:
+ path: "{{ kube_token_dir }}/known_tokens.csv"
+ delegate_to: "{{groups['kube-master'][0]}}"
+ register: known_tokens_master
+ run_once: true
+
+- name: "Check_tokens | Set default value for 'sync_tokens' and 'gen_tokens' to false"
+ set_fact:
+ sync_tokens: false
+ gen_tokens: false
+
+- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
+ set_fact:
+ gen_tokens: true
+ when: not known_tokens_master.stat.exists
+ run_once: true
+
+- name: "Check tokens | check if a cert already exists"
+ stat:
+ path: "{{ kube_cert_dir }}/ca.pem"
+ register: known_tokens
+
+- name: "Check_tokens | Set 'sync_tokens' to true"
+ set_fact:
+ sync_tokens: true
+ when: >-
+ {%- set tokens = {'sync': False} -%}
+ {%- for server in groups['kube-master']
+ if (not hostvars[server].known_tokens.stat.exists) or
+ (hostvars[server].known_tokens.stat.checksum != known_tokens_master.stat.checksum|default('')) -%}
+ {%- set _ = tokens.update({'sync': True}) -%}
+ {%- endfor -%}
+ {{ tokens.sync }}
+ run_once: true
diff --git a/roles/kubernetes/secrets/tasks/gen_certs.yml b/roles/kubernetes/secrets/tasks/gen_certs.yml
index 138ec8688..280aa2182 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
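Review bot: The fourth task stats `{{ kube_cert_dir }}/ca.pem` but registers the result as `known_tokens`, and the last task compares its checksum against `known_tokens_master`, which is the stat of `known_tokens.csv`; the two files can never have the same checksum, so `sync_tokens` is forced to true on every run where both files exist. The path should be `path: "{{ kube_token_dir }}/known_tokens.csv"` (and the task name should say tokens rather than cert) so that the comparison is between the same file on each master. The third task's name promises to set both `sync_tokens` and `gen_tokens` but only sets `gen_tokens`. Because `known_tokens_master` is registered under `run_once`, whether it is visible on every host when the final `when` is evaluated depends on the Ansible version in use and is worth confirming.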
@@ -1,31 +1,29 @@
 --- - name: certs | write openssl config - become: False - local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf" + template: + src: "openssl.conf.j2" + dest: "{{ kube_config_dir }}/openssl.conf" run_once: yes - when: gen_certs|default(false) + when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false) + +- name: certs | copy certs generation script + copy: + src: "make-ssl.sh" + dest: "{{ kube_script_dir }}/make-ssl.sh" + mode: 0700 + run_once: yes + when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false) - name: certs | run cert generation script - become: False - local_action: shell - {{ role_path }}/scripts/make-ssl.sh - -f {{ role_path }}/files/openssl.conf - -d {{ role_path }}/files/certs/ + command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}" run_once: yes - when: gen_certs|default(false) + when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false) notify: set secret_changed - set_fact: master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'apiserver-key.pem', 'apiserver.pem'] node_certs: ['ca.pem', 'node.pem', 'node-key.pem'] -- name: certs | Copy certs on first master - copy: - src: "certs/{{ item }}" - dest: "{{ kube_cert_dir }}" - with_items: '{{ master_certs + node_certs }}' - when: inventory_hostname == "{{ groups['kube-master'][0] }}" and gen_certs|default(false) - - name: certs | Get the certs from first master slurp: src: "{{ kube_cert_dir }}/{{ item }}"
diff --git a/roles/kubernetes/secrets/tasks/gen_tokens.yml b/roles/kubernetes/secrets/tasks/gen_tokens.yml
index afe4b12af..87c5e038d 100644
--- a/roles/kubernetes/secrets/tasks/gen_tokens.yml
+++ b/roles/kubernetes/secrets/tasks/gen_tokens.yml
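Review bot: All three new tasks combine `run_once: yes` with `when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false)`; Ansible evaluates a run_once task's condition only on the first host of the batch, so if the play's first host is not the first kube-master the cert generation is silently skipped for everyone (the tasks in gen_tokens.yml use the same pattern). Replacing the hostname comparison with `delegate_to: "{{ groups['kube-master'][0] }}"` and `when: gen_certs|default(false)` pins the work to the intended master regardless of host order. `mode: 0700` on the copy task is an unquoted octal, which a YAML 1.2 parser reads as decimal 700; `mode: "0700"` is unambiguous. The `Get the certs from first master` task at the end of the hunk continues outside it.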
@@ -1,30 +1,58 @@
 --- +- name: tokens | copy tokens generation script + copy: + src: "kube-gen-token.sh" + dest: "{{ kube_script_dir }}/kube-gen-token.sh" + mode: 0700 + run_once: yes + when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false) + - name: tokens | generate tokens for master components - become: False - local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}" + command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}" environment: - TOKEN_DIR: "{{ role_path }}/files/tokens" + TOKEN_DIR: "{{ kube_token_dir }}" with_nested: - [ "system:kubectl" ] - "{{ groups['kube-master'] }}" register: gentoken_master changed_when: "'Added' in gentoken_master.stdout" notify: set secret_changed + run_once: yes + when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false) - name: tokens | generate tokens for node components - become: False - local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}" + command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}" environment: - TOKEN_DIR: "{{ role_path }}/files/tokens" + TOKEN_DIR: "{{ kube_token_dir }}" with_nested: - [ 'system:kubelet' ] - "{{ groups['kube-node'] }}" register: gentoken_node changed_when: "'Added' in gentoken_node.stdout" notify: set secret_changed + run_once: yes + when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false) -- name: tokens | Copy tokens on master +- name: tokens | Get list of tokens from first master + shell: "(find {{ kube_token_dir }} -maxdepth 1 -type f)" + register: tokens_list + changed_when: false + when: inventory_hostname == groups['kube-master'][0] and sync_tokens|default(false) + +- name: tokens | Get the tokens from first master + slurp: + src: "{{ item }}" + delegate_to: "{{groups['kube-master'][0]}}" + register: slurp_tokens + with_items: '{{tokens_list.stdout_lines}}' + when: 
sync_tokens|default(false) + run_once: true + notify: set secret_changed + +- name: tokens | Copy tokens on masters copy: - src: "tokens" - dest: "/etc/kubernetes" - when: inventory_hostname in "{{ groups['kube-master'] }}" + content: "{{ item.content|b64decode }}" + dest: "{{ item.source }}" + with_items: '{{slurp_tokens.results}}' + when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and + inventory_hostname != groups['kube-master'][0]
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index 027e95a82..6837f4853 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -1,5 +1,6 @@
 --- - include: check-certs.yml +- include: check-tokens.yml - name: Make sure the certificate directory exits file:
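Review bot: The final `Copy tokens on masters` task is gated on `sync_certs|default(false)`, while the two tasks that build `tokens_list` and `slurp_tokens` are gated on `sync_tokens`, so a token-only change is never propagated to the other masters. The condition should use the matching flag: `when: inventory_hostname in groups['kube-master'] and sync_tokens|default(false) and inventory_hostname != groups['kube-master'][0]`. That copy writes the token files via `content:` with no `mode:`, so `known_tokens.csv` lands on the secondary masters with umask-default permissions; add `mode: "0600"` so the token files are not readable by every local user. `tokens_list` is registered only on the first master, but the slurp task that loops over `tokens_list.stdout_lines` is `run_once`, which Ansible evaluates on the first host of the batch; `hostvars[groups['kube-master'][0]].tokens_list.stdout_lines` would not depend on host order. `notify: set secret_changed` sits on the read-only slurp task and belongs on the copy task that actually writes the files.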