From 91fca69aa0f7b95bbd541113a1bf7ff53a9b5989 Mon Sep 17 00:00:00 2001 
From: Smana Date: Thu, 11 Feb 2016 23:08:16 +0100 Subject: [PATCH] generate secrets on deployment machine test travis with sudo=true instead of required --- .travis.yml | 27 +++++----- README.md | 2 +- .../master/tasks/gen_kube_tokens.yml | 31 ----------- roles/kubernetes/master/tasks/main.yml | 34 +++---------- roles/kubernetes/node/meta/main.yml | 3 ++ roles/kubernetes/node/tasks/gen_certs.yml | 28 ---------- roles/kubernetes/node/tasks/main.yml | 6 +-- roles/kubernetes/node/tasks/secrets.yml | 50 ------------------ roles/kubernetes/preinstall/defaults/main.yml | 1 + roles/kubernetes/secrets/files/certs/.gitkeep | 0 .../kubernetes/secrets/files/tokens/.gitkeep | 0 roles/kubernetes/secrets/handlers/main.yml | 4 ++ .../scripts}/kube-gen-token.sh | 0 .../files => secrets/scripts}/make-ssl.sh | 33 ++---------- roles/kubernetes/secrets/tasks/gen_certs.yml | 51 +++++++++++++++++++ roles/kubernetes/secrets/tasks/gen_tokens.yml | 30 +++++++++++ roles/kubernetes/secrets/tasks/main.yml | 41 +++++++++++++++ .../templates/openssl.conf.j2 | 0 roles/network_plugin/calico/handlers/main.yml | 1 + 19 files changed, 157 insertions(+), 185 deletions(-) delete mode 100644 roles/kubernetes/master/tasks/gen_kube_tokens.yml create mode 100644 roles/kubernetes/node/meta/main.yml delete mode 100644 roles/kubernetes/node/tasks/gen_certs.yml delete mode 100644 roles/kubernetes/node/tasks/secrets.yml create mode 100644 roles/kubernetes/secrets/files/certs/.gitkeep create mode 100644 roles/kubernetes/secrets/files/tokens/.gitkeep create mode 100644 roles/kubernetes/secrets/handlers/main.yml rename roles/kubernetes/{master/files => secrets/scripts}/kube-gen-token.sh (100%) mode change 100644 => 100755 rename roles/kubernetes/{node/files => secrets/scripts}/make-ssl.sh (67%) mode change 100644 => 100755 create mode 100644 roles/kubernetes/secrets/tasks/gen_certs.yml create mode 100644 roles/kubernetes/secrets/tasks/gen_tokens.yml create mode 100644 roles/kubernetes/secrets/tasks/main.yml 
rename roles/kubernetes/{node => secrets}/templates/openssl.conf.j2 (100%) diff --git a/.travis.yml b/.travis.yml index a8ef79a9d..b06e14921 100644 --- a/.travis.yml +++ b/.travis.yml @@ -63,19 +63,19 @@ env: CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=europe-west1-c - # # Ubuntu 15.10 - # - >- - # KUBE_NETWORK_PLUGIN=flannel - # CLOUD_IMAGE=ubuntu-1510-wily - # CLOUD_REGION=us-central1-a - # - >- - # KUBE_NETWORK_PLUGIN=calico - # CLOUD_IMAGE=ubuntu-1510-wily - # CLOUD_REGION=us-central1-a - # - >- - # KUBE_NETWORK_PLUGIN=weave - # CLOUD_IMAGE=ubuntu-1510-wily - # CLOUD_REGION=us-central1-a + # Ubuntu 15.10 + - >- + KUBE_NETWORK_PLUGIN=flannel + CLOUD_IMAGE=ubuntu-1510-wily + CLOUD_REGION=us-central1-a + - >- + KUBE_NETWORK_PLUGIN=calico + CLOUD_IMAGE=ubuntu-1510-wily + CLOUD_REGION=us-central1-a + - >- + KUBE_NETWORK_PLUGIN=weave + CLOUD_IMAGE=ubuntu-1510-wily + CLOUD_REGION=us-central1-a matrix: @@ -83,6 +83,7 @@ matrix: - env: KUBE_NETWORK_PLUGIN=flannel CLOUD_IMAGE=centos-7-sudo CLOUD_REGION=us-central1-c - env: KUBE_NETWORK_PLUGIN=flannel CLOUD_IMAGE=rhel-7-sudo CLOUD_REGION=us-east1-d - env: KUBE_NETWORK_PLUGIN=weave CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=europe-west1-c + - env: KUBE_NETWORK_PLUGIN=calico CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=europe-west1-c before_install: # Install Ansible. diff --git a/README.md b/README.md index 795ba9a13..38a07805c 100644 --- a/README.md +++ b/README.md 
@@ -23,7 +23,7 @@ in order to avoid any issue during deployment you should disable your firewall * Base knowledge on Ansible. Please refer to [Ansible documentation](http://www.ansible.com/how-ansible-works) ### Components -* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.4 +* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.7 * [etcd](https://github.com/coreos/etcd/releases) v2.2.4 * [calicoctl](https://github.com/projectcalico/calico-docker/releases) v0.16.0 * [flanneld](https://github.com/coreos/flannel/releases) v0.5.5 diff --git a/roles/kubernetes/master/tasks/gen_kube_tokens.yml b/roles/kubernetes/master/tasks/gen_kube_tokens.yml deleted file mode 100644 index 62b26e2fe..000000000 --- a/roles/kubernetes/master/tasks/gen_kube_tokens.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- -- name: tokens | copy the token gen script - copy: - src=kube-gen-token.sh - dest={{ kube_script_dir }} - mode=u+x - when: inventory_hostname == groups['kube-master'][0] - -- name: tokens | generate tokens for master components - command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}" - environment: - TOKEN_DIR: "{{ kube_token_dir }}" - with_nested: - - [ "system:kubectl" ] - - "{{ groups['kube-master'] }}" - register: gentoken_master - changed_when: "'Added' in gentoken_master.stdout" - when: inventory_hostname == groups['kube-master'][0] - notify: restart kube-apiserver - -- name: tokens | generate tokens for node components - command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}" - environment: - TOKEN_DIR: "{{ kube_token_dir }}" - with_nested: - - [ 'system:kubelet' ] - - "{{ groups['kube-node'] }}" - register: gentoken_node - changed_when: "'Added' in gentoken_node.stdout" - when: inventory_hostname == groups['kube-master'][0] - notify: restart kube-apiserver diff --git a/roles/kubernetes/master/tasks/main.yml b/roles/kubernetes/master/tasks/main.yml index 5eb0de96f..70dd02325 100644 
--- a/roles/kubernetes/master/tasks/main.yml +++ b/roles/kubernetes/master/tasks/main.yml @@ -1,7 +1,4 @@ --- -- include: gen_kube_tokens.yml - tags: tokens - - name: Copy kubectl bash completion copy: src: kubectl_bash_completion.sh @@ -16,31 +13,6 @@ command: rsync -piu "{{ local_release_dir }}/kubernetes/bin/kubectl" "{{ bin_dir }}/kubectl" changed_when: false -- name: populate users for basic auth in API - lineinfile: - dest: "{{ kube_users_dir }}/known_users.csv" - create: yes - line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}' - backup: yes - with_dict: "{{ kube_users }}" - notify: restart kube-apiserver - -# Sync masters -- name: synchronize auth directories for masters - synchronize: - src: "{{ item }}" - dest: "{{ kube_config_dir }}" - recursive: yes - delete: yes - rsync_opts: [ '--one-file-system'] - set_remote_user: false - with_items: - - "{{ kube_token_dir }}" - - "{{ kube_cert_dir }}" - - "{{ kube_users_dir }}" - delegate_to: "{{ groups['kube-master'][0] }}" - when: inventory_hostname != "{{ groups['kube-master'][0] }}" - - name: install | Write kube-apiserver systemd init file template: src: "kube-apiserver.service.j2" @@ -119,3 +91,9 @@ name: kubelet state: restarted changed_when: false + +- name: restart kube-apiserver + service: + name: kube-apiserver + state: restarted + when: secret_changed | default(false) diff --git a/roles/kubernetes/node/meta/main.yml b/roles/kubernetes/node/meta/main.yml new file mode 100644 index 000000000..811a29787 --- /dev/null +++ b/roles/kubernetes/node/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: kubernetes/secrets diff --git a/roles/kubernetes/node/tasks/gen_certs.yml b/roles/kubernetes/node/tasks/gen_certs.yml deleted file mode 100644 index a4f70ce54..000000000 --- a/roles/kubernetes/node/tasks/gen_certs.yml +++ /dev/null 
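Review bot: The new `restart kube-apiserver` task at the end of master/tasks/main.yml is a plain task gated on `secret_changed`, but that fact is only produced by the `set secret_changed` handler in the secrets role, and handlers do not run until the end of the play unless a `meta: flush_handlers` sits between the secrets role and this task, so on the very run that creates or rotates a token the condition will most likely still be false when this task is evaluated. The code this commit removes notified a handler directly and did not depend on that ordering. Either place `- meta: flush_handlers` immediately before this task, or set the fact synchronously where the change is detected (register the token/users tasks and `set_fact: secret_changed=true` when any of them reports changed) instead of routing it through a handler. The rest of this task file is outside the hunk, so I cannot rule out an existing flush earlier in the role.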
@@ -1,28 +0,0 @@ ---- -- name: certs | install cert generation script - copy: - src=make-ssl.sh - dest={{ kube_script_dir }} - mode=0500 - changed_when: false - -- name: certs | write openssl config - template: - src: "openssl.conf.j2" - dest: "{{ kube_config_dir }}/.openssl.conf" - -- name: certs | run cert generation script - shell: > - {{ kube_script_dir }}/make-ssl.sh - -f {{ kube_config_dir }}/.openssl.conf - -g {{ kube_cert_group }} - -d {{ kube_cert_dir }} - args: - creates: "{{ kube_cert_dir }}/apiserver.pem" - -- name: certs | check certificate permissions - file: - path={{ kube_cert_dir }} - group={{ kube_cert_group }} - owner=kube - recurse=yes diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml index 3af211902..803c9251b 100644 --- a/roles/kubernetes/node/tasks/main.yml +++ b/roles/kubernetes/node/tasks/main.yml @@ -1,4 +1,6 @@ --- +- include: install.yml + - name: Write Calico cni config template: src: "cni-calico.conf.j2" @@ -6,10 +8,6 @@ owner: kube when: kube_network_plugin == "calico" -- include: secrets.yml - -- include: install.yml - - name: Write kubelet config file template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes notify: diff --git a/roles/kubernetes/node/tasks/secrets.yml b/roles/kubernetes/node/tasks/secrets.yml deleted file mode 100644 index 49b7f154f..000000000 --- a/roles/kubernetes/node/tasks/secrets.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -- name: Secrets | certs | make sure the certificate directory exits - file: - path={{ kube_cert_dir }} - state=directory - mode=o-rwx - group={{ kube_cert_group }} - -- name: Secrets | tokens | make sure the tokens directory exits - file: - path={{ kube_token_dir }} - state=directory - mode=o-rwx - group={{ kube_cert_group }} - -- include: gen_certs.yml - when: inventory_hostname == groups['kube-master'][0] - -# Sync certs between nodes -- name: Secrets | create user - user: - name: '{{ansible_user_id}}' - generate_ssh_key: yes - delegate_to: "{{ groups['kube-master'][0] }}" - run_once: yes - -- name: Secrets | 'get ssh keypair' - slurp: path=~/.ssh/id_rsa.pub - register: public_key - delegate_to: "{{ groups['kube-master'][0] }}" - -- name: Secrets | 'setup keypair on nodes' - authorized_key: - user: '{{ansible_user_id}}' - key: "{{public_key.content|b64decode }}" - -- name: Secrets | synchronize certificates for nodes - synchronize: - src: "{{ item }}" - dest: "{{ kube_cert_dir }}" - recursive: yes - delete: yes - rsync_opts: [ '--one-file-system'] - set_remote_user: false - with_items: - - "{{ kube_cert_dir}}/ca.pem" - - "{{ kube_cert_dir}}/node.pem" - - "{{ kube_cert_dir}}/node-key.pem" - delegate_to: "{{ groups['kube-master'][0] }}" - when: inventory_hostname not in "{{ groups['kube-master'] }}" diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml index be0857ce1..9d748ffbe 100644 --- a/roles/kubernetes/preinstall/defaults/main.yml +++ b/roles/kubernetes/preinstall/defaults/main.yml @@ -6,6 +6,7 @@ common_required_pkgs: - openssl - curl - rsync + - bash-completion pypy_version: 2.4.0 python_pypy_url: "https://bitbucket.org/pypy/pypy/downloads/pypy-{{ pypy_version }}.tar.bz2" diff --git a/roles/kubernetes/secrets/files/certs/.gitkeep b/roles/kubernetes/secrets/files/certs/.gitkeep new file mode 100644 index 000000000..e69de29bb 
diff --git a/roles/kubernetes/secrets/files/tokens/.gitkeep b/roles/kubernetes/secrets/files/tokens/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/roles/kubernetes/secrets/handlers/main.yml b/roles/kubernetes/secrets/handlers/main.yml new file mode 100644 index 000000000..d5fab8e14 --- /dev/null +++ b/roles/kubernetes/secrets/handlers/main.yml @@ -0,0 +1,4 @@ +--- +- name: set secret_changed + set_fact: + secret_changed: true diff --git a/roles/kubernetes/master/files/kube-gen-token.sh b/roles/kubernetes/secrets/scripts/kube-gen-token.sh old mode 100644 new mode 100755 similarity index 100% rename from roles/kubernetes/master/files/kube-gen-token.sh rename to roles/kubernetes/secrets/scripts/kube-gen-token.sh diff --git a/roles/kubernetes/node/files/make-ssl.sh b/roles/kubernetes/secrets/scripts/make-ssl.sh old mode 100644 new mode 100755 similarity index 67% rename from roles/kubernetes/node/files/make-ssl.sh rename to roles/kubernetes/secrets/scripts/make-ssl.sh index 9ab0a49df..fb6ab146f --- a/roles/kubernetes/node/files/make-ssl.sh +++ b/roles/kubernetes/secrets/scripts/make-ssl.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Author: skahlouc@skahlouc-laptop +# Author: Smana smainklh@gmail.com # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,15 +22,13 @@ usage() cat << EOF Create self signed certificates -Usage : $(basename $0) -f [-c ] [-d ] [-g ] +Usage : $(basename $0) -f [-d ] -h | --help : Show this message -f | --config : Openssl configuration file - -c | --cloud : Cloud provider (GCE, AWS or AZURE) -d | --ssldir : Directory where the certificates will be installed - -g | --sslgrp : Group of the certificates ex : - $(basename $0) -f openssl.conf -c GCE -d /srv/ssl -g kube + $(basename $0) -f openssl.conf -d /srv/ssl EOF } 
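Review bot: `set_fact` inside the new `set secret_changed` handler only sets the fact on the hosts that notified it, and the notifying tasks in gen_tokens.yml are per-host `local_action` loops whose `changed_when` (`'Added' in stdout`) presumably fires only for the host on whose iteration the token file is first written, so `secret_changed` can easily land on a node and never on the masters whose `restart kube-apiserver` task tests it. Handlers also run at the end of the play, after the master role's tasks have already evaluated that condition. If the restart must be driven from this role, it is simpler to drop this handler and `notify: restart kube-apiserver` directly (handler names resolve play-wide, so the master role's handler of that name is reachable if it is still defined there), or to give this handler `run_once: true` and set the fact on every master via `delegate_to` over `groups['kube-master']`. As written the fact is per-host state that no master is guaranteed to observe.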
@@ -39,9 +37,7 @@ while (($#)); do case "$1" in -h | --help) usage; exit 0;; -f | --config) CONFIG=${2}; shift 2;; - -c | --cloud) CLOUD=${2}; shift 2;; -d | --ssldir) SSLDIR="${2}"; shift 2;; - -g | --group) SSLGRP="${2}"; shift 2;; *) usage echo "ERROR : Unknown option" @@ -57,26 +53,6 @@ fi if [ -z ${SSLDIR} ]; then SSLDIR="/etc/kubernetes/certs" fi -if [ -z ${SSLGRP} ]; then - SSLGRP="kube-cert" -fi - -#echo "config=$CONFIG, cloud=$CLOUD, certdir=$SSLDIR, certgroup=$SSLGRP" - -SUPPORTED_CLOUDS="GCE AWS AZURE" - -# TODO: Add support for discovery on other providers? -if [ "${CLOUD}" == "GCE" ]; then - CLOUD_IP=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip) -fi - -if [ "${CLOUD}" == "AWS" ]; then - CLOUD_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) -fi - -if [ "${CLOUD}" == "AZURE" ]; then - CLOUD_IP=$(uname -n | awk -F. '{ print $2 }').cloudapp.net -fi tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX) trap 'rm -rf "${tmpdir}"' EXIT @@ -102,6 +78,3 @@ done # Install certs mv *.pem ${SSLDIR}/ -chgrp ${SSLGRP} ${SSLDIR}/* -chmod 600 ${SSLDIR}/*-key.pem -chown root:root ${SSLDIR}/*-key.pem diff --git a/roles/kubernetes/secrets/tasks/gen_certs.yml b/roles/kubernetes/secrets/tasks/gen_certs.yml new file mode 100644 index 000000000..e2b3eaefa --- /dev/null +++ b/roles/kubernetes/secrets/tasks/gen_certs.yml 
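Review bot: Dropping the `chgrp`/`chmod 600`/`chown root:root` lines at the end of make-ssl.sh leaves every `*-key.pem` (including `ca-key.pem`) in `roles/kubernetes/secrets/files/certs/` with whatever mode OpenSSL and the caller's umask produce — on many setups 0644 — inside the operator's git working tree, and the new `.gitkeep` files make that directory tracked. The Ansible side later chmods the copies on the remote hosts, but nothing in this commit protects the originals on the deployment machine. Add `umask 077` right after the `trap` line so every file the script writes is 0600 from creation, and commit a `.gitignore` next to the `.gitkeep`s (`*.pem` plus the generated token files) so a stray `git add` cannot publish the CA key. Removing `-c`/`CLOUD_IP` also means any `${CLOUD_IP}` reference in openssl.conf.j2 would now expand empty; that template is renamed unchanged here, so please confirm it never used it.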
@@ -0,0 +1,51 @@ +--- +- name: certs | write openssl config + sudo: False + local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf" + run_once: yes + +- name: certs | run cert generation script + sudo: False + local_action: shell + {{ role_path }}/scripts/make-ssl.sh + -f {{ role_path }}/files/openssl.conf + -d {{ role_path }}/files/certs/ + run_once: yes + +- name: certs | Copy certs on nodes + copy: + src: "certs/{{ item }}" + dest: "{{ kube_cert_dir }}" + with_items: + - ca.pem + - node.pem + - node-key.pem + when: inventory_hostname in "{{ groups['k8s-cluster'] }}" + +- name: certs | Copy certs on master + copy: + src: "certs/{{ item }}" + dest: "{{ kube_cert_dir }}" + with_items: + - ca-key.pem + - admin.pem + - admin-key.pem + - apiserver-key.pem + - apiserver.pem + when: inventory_hostname in "{{ groups['kube-master'] }}" + +- name: certs | check certificate permissions + file: + path={{ kube_cert_dir }} + group={{ kube_cert_group }} + owner=kube + recurse=yes + +- shell: ls {{ kube_cert_dir}}/*key.pem + register: keyfiles + +- name: certs | set permissions on keys + file: + path: "{{ item }}" + mode: 0600 + with_items: keyfiles.stdout_lines diff --git a/roles/kubernetes/secrets/tasks/gen_tokens.yml b/roles/kubernetes/secrets/tasks/gen_tokens.yml new file mode 100644 index 000000000..ec11ad801 --- /dev/null +++ b/roles/kubernetes/secrets/tasks/gen_tokens.yml 
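Review bot: The `run cert generation script` local_action has no `creates:` guard (the deleted node/tasks/gen_certs.yml had `creates: .../apiserver.pem`), and this file is included whenever a host lacks `ca.pem`, so adding a node to an existing cluster re-runs make-ssl.sh on the deployment machine and, as far as the visible script shows, `mv`s a brand-new CA and keys over `files/certs/`, after which the new node's certs no longer chain to the CA the masters already trust. Restore the guard with `args: creates: "{{ role_path }}/files/certs/ca.pem"` so an existing local CA is reused. The `when: inventory_hostname in "{{ groups['kube-master'] }}"` conditions are substring matches against the rendered list string, so a host named `master` would match `master1` and receive `ca-key.pem` and `admin-key.pem`; write them as `when: inventory_hostname in groups['kube-master']`. Finally, both `copy` tasks omit `mode`/`owner`/`group`, so the private keys typically land 0644 and root-owned until the later `set permissions on keys` task runs; passing `mode: 0600` and `owner: kube` in the copy itself closes that window and lets you drop the `ls` + chmod pair.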
@@ -0,0 +1,30 @@ +--- +- name: tokens | generate tokens for master components + sudo: False + local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}" + environment: + TOKEN_DIR: "{{ role_path }}/files/tokens" + with_nested: + - [ "system:kubectl" ] + - "{{ groups['kube-master'] }}" + register: gentoken_master + changed_when: "'Added' in gentoken_master.stdout" + notify: set secret_changed + +- name: tokens | generate tokens for node components + sudo: False + local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}" + environment: + TOKEN_DIR: "{{ role_path }}/files/tokens" + with_nested: + - [ 'system:kubelet' ] + - "{{ groups['kube-node'] }}" + register: gentoken_node + changed_when: "'Added' in gentoken_node.stdout" + notify: set secret_changed + +- name: tokens | Copy tokens on master + copy: + src: "tokens" + dest: "/etc/kubernetes" + when: inventory_hostname in "{{ groups['kube-master'] }}" diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml new file mode 100644 index 000000000..a2f039cf0 --- /dev/null +++ b/roles/kubernetes/secrets/tasks/main.yml 
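Review bot: The `Copy tokens on master` task copies the whole local `tokens` directory to a hard-coded `/etc/kubernetes` with no `owner`/`group`/`mode`, so the token files arrive with the default permissions (typically 0644, root-owned), bypassing the `kube_token_dir` that main.yml just created with `mode=o-rwx` and `group={{ kube_cert_group }}` — and if `kube_token_dir` is anything other than `/etc/kubernetes/tokens` the apiserver will not find them at all. Use `src: tokens/`, `dest: "{{ kube_token_dir }}"`, `owner: kube`, `group: "{{ kube_cert_group }}"`, `mode: 0640` on this task. It also carries no `notify`, so a token that changed locally and was pushed to a master never marks `secret_changed` on that master; the `notify` on the two generation tasks fires only on whichever host's iteration of the local script first created the file, which need not be a master.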
@@ -0,0 +1,41 @@ +--- +- name: Make sure the certificate directory exits + file: + path={{ kube_cert_dir }} + state=directory + mode=o-rwx + group={{ kube_cert_group }} + +- name: Make sure the tokens directory exits + file: + path={{ kube_token_dir }} + state=directory + mode=o-rwx + group={{ kube_cert_group }} + +- name: Make sure the users directory exits + file: + path={{ kube_users_dir }} + state=directory + mode=o-rwx + group={{ kube_cert_group }} + +- name: Populate users for basic auth in API + lineinfile: + dest: "{{ kube_users_dir }}/known_users.csv" + create: yes + line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}' + backup: yes + with_dict: "{{ kube_users }}" + when: inventory_hostname in "{{ groups['kube-master'] }}" + notify: set secret_changed + +- name: Check if a certificate already exists + stat: + path: "{{ kube_cert_dir }}/ca.pem" + register: kubecert + +- include: gen_certs.yml + when: not kubecert.stat.exists + +- include: gen_tokens.yml diff --git a/roles/kubernetes/node/templates/openssl.conf.j2 b/roles/kubernetes/secrets/templates/openssl.conf.j2 similarity index 100% rename from roles/kubernetes/node/templates/openssl.conf.j2 rename to roles/kubernetes/secrets/templates/openssl.conf.j2 diff --git a/roles/network_plugin/calico/handlers/main.yml b/roles/network_plugin/calico/handlers/main.yml index 35b1ae759..59163cc07 100644 --- a/roles/network_plugin/calico/handlers/main.yml +++ b/roles/network_plugin/calico/handlers/main.yml @@ -13,3 +13,4 @@ service: name: calico-node state: restarted + sleep: 10 \ No newline at end of file
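Review bot: `Populate users for basic auth in API` creates `known_users.csv` — plaintext passwords — via `lineinfile` with `create: yes` but no `owner`/`group`/`mode`, so the file gets the default umask mode (typically 0644) even though its directory was just made `o-rwx`, and `backup: yes` leaves a timestamped copy of the password file behind every time an entry changes. Set `owner: kube`, `group: "{{ kube_cert_group }}"`, `mode: 0640` on the lineinfile task and drop `backup: yes` (or, if a backup is really wanted, confirm the copy inherits the restrictive mode). Separately, the `stat` that gates `gen_certs.yml` looks at the remote host's `ca.pem`, while the generation it triggers runs once on the deployment machine, so the presence of a CA in the local `files/certs/` is what should decide whether to generate; a `local_action: stat` on `{{ role_path }}/files/certs/ca.pem` is the right key, with the per-host `copy` tasks left unconditional since copy is idempotent.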