generate secrets on deployment machine
test travis with sudo=true instead of requiredpull/139/head
parent
451ee18c4a
commit
bce83745b4
|
@ -23,7 +23,7 @@ in order to avoid any issue during deployment you should disable your firewall
|
|||
* Base knowledge on Ansible. Please refer to [Ansible documentation](http://www.ansible.com/how-ansible-works)
|
||||
|
||||
### Components
|
||||
* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.4
|
||||
* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.7
|
||||
* [etcd](https://github.com/coreos/etcd/releases) v2.2.4
|
||||
* [calicoctl](https://github.com/projectcalico/calico-docker/releases) v0.16.0
|
||||
* [flanneld](https://github.com/coreos/flannel/releases) v0.5.5
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
local_release_dir: /tmp
|
||||
|
||||
# Versions
|
||||
kube_version: v1.1.4
|
||||
kube_version: v1.1.7
|
||||
etcd_version: v2.2.4
|
||||
calico_version: v0.16.0
|
||||
calico_cni_version: v1.0.0
|
||||
|
@ -22,9 +22,9 @@ calico_cni_checksum: "cfbb95d4416cb65845a188f3bd991fff232bd5ce3463b2919d586ab779
|
|||
calico_cni_ipam_checksum: "93ebf8756b26314e1e3f612f1e824418cbb0a8df2942664422e697bcb109fbb2"
|
||||
weave_checksum: "152942c330f87ab475d87d9311b91674b90f25ea685bd4e04e0495d5fe09a957"
|
||||
etcd_checksum: "6c4e5cdeaaac1a70b8f06b5dd6b82c37ff19993c9bca81248975610e555c4b9b"
|
||||
kubectl_checksum: "873ba19926d17a3287dc8639ea1434fe3cd0cb4e61d82101ba754922cfc7a633"
|
||||
kubelet_checksum: "f2d1eae3fa6e304f6cbc9b2621e4b86fc3bcb4e74a15d35f58bf00e45c706e0a"
|
||||
kube_apiserver_checksum: "bb3814c4df65f1587a3650140437392ce3fb4b64f51d459457456691c99f1202"
|
||||
kubectl_checksum: "7239fda83f0218384ccf3374a47c0d1e243975e50fdf5d544635a397c7ad10dc"
|
||||
kubelet_checksum: "05faa3cf5f5448efafa553a3ef778c645c59d585d4013b52fe7ca8bd4cfc704e"
|
||||
kube_apiserver_checksum: "bb73a3526e51a8f4124b42f6104103deba83f87bd985000c00d382b3a0af059a"
|
||||
|
||||
downloads:
|
||||
- name: calico
|
||||
|
|
|
@ -1,31 +0,0 @@
|
|||
---
|
||||
- name: tokens | copy the token gen script
|
||||
copy:
|
||||
src=kube-gen-token.sh
|
||||
dest={{ kube_script_dir }}
|
||||
mode=u+x
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: tokens | generate tokens for master components
|
||||
command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
|
||||
environment:
|
||||
TOKEN_DIR: "{{ kube_token_dir }}"
|
||||
with_nested:
|
||||
- [ "system:kubectl" ]
|
||||
- "{{ groups['kube-master'] }}"
|
||||
register: gentoken_master
|
||||
changed_when: "'Added' in gentoken_master.stdout"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
notify: restart kube-apiserver
|
||||
|
||||
- name: tokens | generate tokens for node components
|
||||
command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
|
||||
environment:
|
||||
TOKEN_DIR: "{{ kube_token_dir }}"
|
||||
with_nested:
|
||||
- [ 'system:kubelet' ]
|
||||
- "{{ groups['kube-node'] }}"
|
||||
register: gentoken_node
|
||||
changed_when: "'Added' in gentoken_node.stdout"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
notify: restart kube-apiserver
|
|
@ -1,7 +1,4 @@
|
|||
---
|
||||
- include: gen_kube_tokens.yml
|
||||
tags: tokens
|
||||
|
||||
- name: Copy kubectl bash completion
|
||||
copy:
|
||||
src: kubectl_bash_completion.sh
|
||||
|
@ -16,31 +13,6 @@
|
|||
command: rsync -piu "{{ local_release_dir }}/kubernetes/bin/kubectl" "{{ bin_dir }}/kubectl"
|
||||
changed_when: false
|
||||
|
||||
- name: populate users for basic auth in API
|
||||
lineinfile:
|
||||
dest: "{{ kube_users_dir }}/known_users.csv"
|
||||
create: yes
|
||||
line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
|
||||
backup: yes
|
||||
with_dict: "{{ kube_users }}"
|
||||
notify: restart kube-apiserver
|
||||
|
||||
# Sync masters
|
||||
- name: synchronize auth directories for masters
|
||||
synchronize:
|
||||
src: "{{ item }}"
|
||||
dest: "{{ kube_config_dir }}"
|
||||
recursive: yes
|
||||
delete: yes
|
||||
rsync_opts: [ '--one-file-system']
|
||||
set_remote_user: false
|
||||
with_items:
|
||||
- "{{ kube_token_dir }}"
|
||||
- "{{ kube_cert_dir }}"
|
||||
- "{{ kube_users_dir }}"
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
when: inventory_hostname != "{{ groups['kube-master'][0] }}"
|
||||
|
||||
- name: install | Write kube-apiserver systemd init file
|
||||
template:
|
||||
src: "kube-apiserver.service.j2"
|
||||
|
@ -119,3 +91,9 @@
|
|||
name: kubelet
|
||||
state: restarted
|
||||
changed_when: false
|
||||
|
||||
- name: restart kube-apiserver
|
||||
service:
|
||||
name: kube-apiserver
|
||||
state: restarted
|
||||
when: secret_changed | default(false)
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
dependencies:
|
||||
- role: kubernetes/secrets
|
|
@ -1,28 +0,0 @@
|
|||
---
|
||||
- name: certs | install cert generation script
|
||||
copy:
|
||||
src=make-ssl.sh
|
||||
dest={{ kube_script_dir }}
|
||||
mode=0500
|
||||
changed_when: false
|
||||
|
||||
- name: certs | write openssl config
|
||||
template:
|
||||
src: "openssl.conf.j2"
|
||||
dest: "{{ kube_config_dir }}/.openssl.conf"
|
||||
|
||||
- name: certs | run cert generation script
|
||||
shell: >
|
||||
{{ kube_script_dir }}/make-ssl.sh
|
||||
-f {{ kube_config_dir }}/.openssl.conf
|
||||
-g {{ kube_cert_group }}
|
||||
-d {{ kube_cert_dir }}
|
||||
args:
|
||||
creates: "{{ kube_cert_dir }}/apiserver.pem"
|
||||
|
||||
- name: certs | check certificate permissions
|
||||
file:
|
||||
path={{ kube_cert_dir }}
|
||||
group={{ kube_cert_group }}
|
||||
owner=kube
|
||||
recurse=yes
|
|
@ -1,4 +1,6 @@
|
|||
---
|
||||
- include: install.yml
|
||||
|
||||
- name: Write Calico cni config
|
||||
template:
|
||||
src: "cni-calico.conf.j2"
|
||||
|
@ -6,10 +8,6 @@
|
|||
owner: kube
|
||||
when: kube_network_plugin == "calico"
|
||||
|
||||
- include: secrets.yml
|
||||
|
||||
- include: install.yml
|
||||
|
||||
- name: Write kubelet config file
|
||||
template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
|
||||
notify:
|
||||
|
|
|
@ -1,50 +0,0 @@
|
|||
---
|
||||
- name: Secrets | certs | make sure the certificate directory exits
|
||||
file:
|
||||
path={{ kube_cert_dir }}
|
||||
state=directory
|
||||
mode=o-rwx
|
||||
group={{ kube_cert_group }}
|
||||
|
||||
- name: Secrets | tokens | make sure the tokens directory exits
|
||||
file:
|
||||
path={{ kube_token_dir }}
|
||||
state=directory
|
||||
mode=o-rwx
|
||||
group={{ kube_cert_group }}
|
||||
|
||||
- include: gen_certs.yml
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
# Sync certs between nodes
|
||||
- name: Secrets | create user
|
||||
user:
|
||||
name: '{{ansible_user_id}}'
|
||||
generate_ssh_key: yes
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
run_once: yes
|
||||
|
||||
- name: Secrets | 'get ssh keypair'
|
||||
slurp: path=~/.ssh/id_rsa.pub
|
||||
register: public_key
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
|
||||
- name: Secrets | 'setup keypair on nodes'
|
||||
authorized_key:
|
||||
user: '{{ansible_user_id}}'
|
||||
key: "{{public_key.content|b64decode }}"
|
||||
|
||||
- name: Secrets | synchronize certificates for nodes
|
||||
synchronize:
|
||||
src: "{{ item }}"
|
||||
dest: "{{ kube_cert_dir }}"
|
||||
recursive: yes
|
||||
delete: yes
|
||||
rsync_opts: [ '--one-file-system']
|
||||
set_remote_user: false
|
||||
with_items:
|
||||
- "{{ kube_cert_dir}}/ca.pem"
|
||||
- "{{ kube_cert_dir}}/node.pem"
|
||||
- "{{ kube_cert_dir}}/node-key.pem"
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
when: inventory_hostname not in "{{ groups['kube-master'] }}"
|
|
@ -6,6 +6,7 @@ common_required_pkgs:
|
|||
- openssl
|
||||
- curl
|
||||
- rsync
|
||||
- bash-completion
|
||||
|
||||
pypy_version: 2.4.0
|
||||
python_pypy_url: "https://bitbucket.org/pypy/pypy/downloads/pypy-{{ pypy_version }}.tar.bz2"
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- name: set secret_changed
|
||||
set_fact:
|
||||
secret_changed: true
|
|
@ -1,6 +1,6 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Author: skahlouc@skahlouc-laptop
|
||||
# Author: Smana smainklh@gmail.com
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -22,15 +22,13 @@ usage()
|
|||
cat << EOF
|
||||
Create self signed certificates
|
||||
|
||||
Usage : $(basename $0) -f <config> [-c <cloud_provider>] [-d <ssldir>] [-g <ssl_group>]
|
||||
Usage : $(basename $0) -f <config> [-d <ssldir>]
|
||||
-h | --help : Show this message
|
||||
-f | --config : Openssl configuration file
|
||||
-c | --cloud : Cloud provider (GCE, AWS or AZURE)
|
||||
-d | --ssldir : Directory where the certificates will be installed
|
||||
-g | --sslgrp : Group of the certificates
|
||||
|
||||
ex :
|
||||
$(basename $0) -f openssl.conf -c GCE -d /srv/ssl -g kube
|
||||
$(basename $0) -f openssl.conf -d /srv/ssl
|
||||
EOF
|
||||
}
|
||||
|
||||
|
@ -39,9 +37,7 @@ while (($#)); do
|
|||
case "$1" in
|
||||
-h | --help) usage; exit 0;;
|
||||
-f | --config) CONFIG=${2}; shift 2;;
|
||||
-c | --cloud) CLOUD=${2}; shift 2;;
|
||||
-d | --ssldir) SSLDIR="${2}"; shift 2;;
|
||||
-g | --group) SSLGRP="${2}"; shift 2;;
|
||||
*)
|
||||
usage
|
||||
echo "ERROR : Unknown option"
|
||||
|
@ -57,26 +53,6 @@ fi
|
|||
if [ -z ${SSLDIR} ]; then
|
||||
SSLDIR="/etc/kubernetes/certs"
|
||||
fi
|
||||
if [ -z ${SSLGRP} ]; then
|
||||
SSLGRP="kube-cert"
|
||||
fi
|
||||
|
||||
#echo "config=$CONFIG, cloud=$CLOUD, certdir=$SSLDIR, certgroup=$SSLGRP"
|
||||
|
||||
SUPPORTED_CLOUDS="GCE AWS AZURE"
|
||||
|
||||
# TODO: Add support for discovery on other providers?
|
||||
if [ "${CLOUD}" == "GCE" ]; then
|
||||
CLOUD_IP=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
|
||||
fi
|
||||
|
||||
if [ "${CLOUD}" == "AWS" ]; then
|
||||
CLOUD_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
|
||||
fi
|
||||
|
||||
if [ "${CLOUD}" == "AZURE" ]; then
|
||||
CLOUD_IP=$(uname -n | awk -F. '{ print $2 }').cloudapp.net
|
||||
fi
|
||||
|
||||
tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
|
||||
trap 'rm -rf "${tmpdir}"' EXIT
|
||||
|
@ -102,6 +78,3 @@ done
|
|||
|
||||
# Install certs
|
||||
mv *.pem ${SSLDIR}/
|
||||
chgrp ${SSLGRP} ${SSLDIR}/*
|
||||
chmod 600 ${SSLDIR}/*-key.pem
|
||||
chown root:root ${SSLDIR}/*-key.pem
|
|
@ -0,0 +1,49 @@
|
|||
---
|
||||
- name: certs | write openssl config
|
||||
local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf"
|
||||
run_once: yes
|
||||
|
||||
- name: certs | run cert generation script
|
||||
local_action: shell
|
||||
{{ role_path }}/scripts/make-ssl.sh
|
||||
-f {{ role_path }}/files/openssl.conf
|
||||
-d {{ role_path }}/files/certs/
|
||||
run_once: yes
|
||||
|
||||
- name: certs | Copy certs on nodes
|
||||
copy:
|
||||
src: "certs/{{ item }}"
|
||||
dest: "{{ kube_cert_dir }}"
|
||||
with_items:
|
||||
- ca.pem
|
||||
- node.pem
|
||||
- node-key.pem
|
||||
when: inventory_hostname in "{{ groups['k8s-cluster'] }}"
|
||||
|
||||
- name: certs | Copy certs on master
|
||||
copy:
|
||||
src: "certs/{{ item }}"
|
||||
dest: "{{ kube_cert_dir }}"
|
||||
with_items:
|
||||
- ca-key.pem
|
||||
- admin.pem
|
||||
- admin-key.pem
|
||||
- apiserver-key.pem
|
||||
- apiserver.pem
|
||||
when: inventory_hostname in "{{ groups['kube-master'] }}"
|
||||
|
||||
- name: certs | check certificate permissions
|
||||
file:
|
||||
path={{ kube_cert_dir }}
|
||||
group={{ kube_cert_group }}
|
||||
owner=kube
|
||||
recurse=yes
|
||||
|
||||
- shell: ls {{ kube_cert_dir}}/*key.pem
|
||||
register: keyfiles
|
||||
|
||||
- name: certs | set permissions on keys
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
mode: 0600
|
||||
with_items: keyfiles.stdout_lines
|
|
@ -0,0 +1,28 @@
|
|||
---
|
||||
- name: tokens | generate tokens for master components
|
||||
local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
|
||||
environment:
|
||||
TOKEN_DIR: "{{ role_path }}/files/tokens"
|
||||
with_nested:
|
||||
- [ "system:kubectl" ]
|
||||
- "{{ groups['kube-master'] }}"
|
||||
register: gentoken_master
|
||||
changed_when: "'Added' in gentoken_master.stdout"
|
||||
notify: set secret_changed
|
||||
|
||||
- name: tokens | generate tokens for node components
|
||||
local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
|
||||
environment:
|
||||
TOKEN_DIR: "{{ role_path }}/files/tokens"
|
||||
with_nested:
|
||||
- [ 'system:kubelet' ]
|
||||
- "{{ groups['kube-node'] }}"
|
||||
register: gentoken_node
|
||||
changed_when: "'Added' in gentoken_node.stdout"
|
||||
notify: set secret_changed
|
||||
|
||||
- name: tokens | Copy tokens on master
|
||||
copy:
|
||||
src: "tokens"
|
||||
dest: "/etc/kubernetes"
|
||||
when: inventory_hostname in "{{ groups['kube-master'] }}"
|
|
@ -0,0 +1,41 @@
|
|||
---
|
||||
- name: Make sure the certificate directory exits
|
||||
file:
|
||||
path={{ kube_cert_dir }}
|
||||
state=directory
|
||||
mode=o-rwx
|
||||
group={{ kube_cert_group }}
|
||||
|
||||
- name: Make sure the tokens directory exits
|
||||
file:
|
||||
path={{ kube_token_dir }}
|
||||
state=directory
|
||||
mode=o-rwx
|
||||
group={{ kube_cert_group }}
|
||||
|
||||
- name: Make sure the users directory exits
|
||||
file:
|
||||
path={{ kube_users_dir }}
|
||||
state=directory
|
||||
mode=o-rwx
|
||||
group={{ kube_cert_group }}
|
||||
|
||||
- name: Populate users for basic auth in API
|
||||
lineinfile:
|
||||
dest: "{{ kube_users_dir }}/known_users.csv"
|
||||
create: yes
|
||||
line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
|
||||
backup: yes
|
||||
with_dict: "{{ kube_users }}"
|
||||
when: inventory_hostname in "{{ groups['kube-master'] }}"
|
||||
notify: set secret_changed
|
||||
|
||||
- name: Check if a certificate already exists
|
||||
stat:
|
||||
path: "{{ kube_cert_dir }}/ca.pem"
|
||||
register: kubecert
|
||||
|
||||
- include: gen_certs.yml
|
||||
when: not kubecert.stat.exists
|
||||
|
||||
- include: gen_tokens.yml
|
Loading…
Reference in New Issue