From 4f627baf7109d46a1edf8c68dddec74d17d4a3b7 Mon Sep 17 00:00:00 2001
From: Smana <smainklh@gmail.com>
Date: Fri, 6 May 2016 19:17:59 +0200
Subject: [PATCH] generate secrets on first master

---
 roles/coreos-bootstrap/tasks/main.yml         |  2 +-
 .../{scripts => files}/kube-gen-token.sh      |  0
 .../secrets/{scripts => files}/make-ssl.sh    |  0
 .../kubernetes/secrets/files/tokens/.gitkeep  |  0
 .../kubernetes/secrets/tasks/check-tokens.yml | 36 ++++++++++++++
 roles/kubernetes/secrets/tasks/gen_certs.yml  | 30 ++++++------
 roles/kubernetes/secrets/tasks/gen_tokens.yml | 48 +++++++++++++++----
 roles/kubernetes/secrets/tasks/main.yml       |  1 +
 8 files changed, 90 insertions(+), 27 deletions(-)
 rename roles/kubernetes/secrets/{scripts => files}/kube-gen-token.sh (100%)
 rename roles/kubernetes/secrets/{scripts => files}/make-ssl.sh (100%)
 delete mode 100644 roles/kubernetes/secrets/files/tokens/.gitkeep
 create mode 100644 roles/kubernetes/secrets/tasks/check-tokens.yml

diff --git a/roles/coreos-bootstrap/tasks/main.yml b/roles/coreos-bootstrap/tasks/main.yml
index bd81a2632..4d9e11ea6 100644
--- a/roles/coreos-bootstrap/tasks/main.yml
+++ b/roles/coreos-bootstrap/tasks/main.yml
@@ -37,7 +37,7 @@
 - name: Install required python modules
   pip:
     name: "{{ item }}"
-  with_items: pip_python_modules
+  with_items: "{{pip_python_modules}}"
 
 - name: Check configured hostname
   shell: hostname
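Review bot: The new `with_items` value is written `"{{pip_python_modules}}"` without the spaces inside the braces that `"{{ item }}"` two lines above already uses, so the two lines read as two different conventions; `with_items: "{{ pip_python_modules }}"` keeps the Jinja spacing consistent within the file. The same unspaced form appears in the new check-tokens.yml (`delegate_to`) and in gen_tokens.yml (`delegate_to`, `with_items`), where it would be worth normalising in the same pass.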
diff --git a/roles/kubernetes/secrets/scripts/kube-gen-token.sh b/roles/kubernetes/secrets/files/kube-gen-token.sh
similarity index 100%
rename from roles/kubernetes/secrets/scripts/kube-gen-token.sh
rename to roles/kubernetes/secrets/files/kube-gen-token.sh
diff --git a/roles/kubernetes/secrets/scripts/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
similarity index 100%
rename from roles/kubernetes/secrets/scripts/make-ssl.sh
rename to roles/kubernetes/secrets/files/make-ssl.sh
diff --git a/roles/kubernetes/secrets/files/tokens/.gitkeep b/roles/kubernetes/secrets/files/tokens/.gitkeep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/roles/kubernetes/secrets/tasks/check-tokens.yml b/roles/kubernetes/secrets/tasks/check-tokens.yml
new file mode 100644
index 000000000..cfb579ad7
--- /dev/null
+++ b/roles/kubernetes/secrets/tasks/check-tokens.yml
@@ -0,0 +1,36 @@
+---
+- name: "Check tokens | check if the tokens have already been generated on first master"
+  stat:
+    path: "{{ kube_token_dir }}/known_tokens.csv"
+  delegate_to: "{{groups['kube-master'][0]}}"
+  register: known_tokens_master
+  run_once: true
+
+- name: "Check_tokens | Set default value for 'sync_tokens' and 'gen_tokens' to false"
+  set_fact:
+    sync_tokens: false
+    gen_tokens: false
+
+- name: "Check_tokens | Set 'sync_tokens' and 'gen_tokens' to true"
+  set_fact:
+    gen_tokens: true
+  when: not known_tokens_master.stat.exists
+  run_once: true
+
+- name: "Check tokens | check if a cert already exists"
+  stat:
+    path: "{{ kube_cert_dir }}/ca.pem"
+  register: known_tokens
+
+- name: "Check_tokens | Set 'sync_tokens' to true"
+  set_fact:
+    sync_tokens: true
+  when: >-
+      {%- set tokens = {'sync': False} -%}
+      {%- for server in groups['kube-master']
+         if (not hostvars[server].known_tokens.stat.exists) or
+         (hostvars[server].known_tokens.stat.checksum != known_tokens_master.stat.checksum|default('')) -%}
+         {%- set _ = tokens.update({'sync': True}) -%}
+      {%- endfor -%}
+      {{ tokens.sync }}
+  run_once: true
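Review bot: The task named "check if a cert already exists" stats `{{ kube_cert_dir }}/ca.pem` but registers the result as `known_tokens`, and the final `when` block then compares each master's `known_tokens.stat.checksum` (a certificate) against `known_tokens_master.stat.checksum` (known_tokens.csv); those checksums can never be equal, so `sync_tokens` comes out true on every run where the token file exists on the first master, and the comparison never detects that the masters are already in sync. The stat path looks like a copy-paste from check-certs.yml and should be `path: "{{ kube_token_dir }}/known_tokens.csv"` with a matching name such as `"Check tokens | check if the tokens file already exists on this host"`. Separately, the task name at "Set 'sync_tokens' and 'gen_tokens' to true" only sets `gen_tokens`; renaming it to `"Check_tokens | Set 'gen_tokens' to true"` would stop the name promising more than the task does.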
diff --git a/roles/kubernetes/secrets/tasks/gen_certs.yml b/roles/kubernetes/secrets/tasks/gen_certs.yml
index 138ec8688..280aa2182 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -1,31 +1,29 @@
 ---
 - name: certs | write openssl config
-  become: False
-  local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf"
+  template:
+    src: "openssl.conf.j2"
+    dest: "{{ kube_config_dir }}/openssl.conf"
   run_once: yes
-  when: gen_certs|default(false)
+  when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false)
+
+- name: certs | copy certs generation script
+  copy:
+    src: "make-ssl.sh"
+    dest: "{{ kube_script_dir }}/make-ssl.sh"
+    mode: 0700
+  run_once: yes
+  when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false)
 
 - name: certs | run cert generation script
-  become: False
-  local_action: shell
-    {{ role_path }}/scripts/make-ssl.sh
-    -f {{ role_path }}/files/openssl.conf
-    -d {{ role_path }}/files/certs/
+  command: "{{ kube_script_dir }}/make-ssl.sh -f {{ kube_config_dir }}/openssl.conf -d {{ kube_cert_dir }}"
   run_once: yes
-  when: gen_certs|default(false)
+  when: inventory_hostname == groups['kube-master'][0] and gen_certs|default(false)
   notify: set secret_changed
 
 - set_fact:
     master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'apiserver-key.pem', 'apiserver.pem']
     node_certs: ['ca.pem', 'node.pem', 'node-key.pem']
 
-- name: certs | Copy certs on first master
-  copy:
-    src: "certs/{{ item }}"
-    dest: "{{ kube_cert_dir }}"
-  with_items: '{{ master_certs + node_certs }}'
-  when: inventory_hostname == "{{ groups['kube-master'][0] }}" and gen_certs|default(false)
-
 - name: certs | Get the certs from first master
   slurp:
     src: "{{ kube_cert_dir }}/{{ item }}"
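Review bot: All three rewritten tasks pair `run_once: yes` with `when: inventory_hostname == groups['kube-master'][0] and ...`; `run_once` executes the task on the first host of the play's current batch and evaluates the `when` for that host, so if the play's host order (or a `serial` batch) ever puts a node or a different master first, the condition is false there and the whole task is skipped for everyone, leaving no certificates generated. Pinning execution with `delegate_to: "{{ groups['kube-master'][0] }}"` alongside `run_once: yes` and reducing the condition to `when: gen_certs|default(false)` makes the tasks independent of host ordering; the same pattern is used in gen_tokens.yml for the script copy and both token-generation tasks. As a smaller point, `mode: 0700` relies on the YAML parser treating the leading zero as octal; Ansible accepts that form, but `mode: "0700"` (also in gen_tokens.yml) is the documented, parser-independent spelling. The "Get the certs from first master" task at the end continues outside the hunk.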
diff --git a/roles/kubernetes/secrets/tasks/gen_tokens.yml b/roles/kubernetes/secrets/tasks/gen_tokens.yml
index afe4b12af..87c5e038d 100644
--- a/roles/kubernetes/secrets/tasks/gen_tokens.yml
+++ b/roles/kubernetes/secrets/tasks/gen_tokens.yml
@@ -1,30 +1,58 @@
 ---
+- name: tokens | copy tokens generation script
+  copy:
+    src: "kube-gen-token.sh"
+    dest: "{{ kube_script_dir }}/kube-gen-token.sh"
+    mode: 0700
+  run_once: yes
+  when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false)
+
 - name: tokens | generate tokens for master components
-  become: False
-  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
   environment:
-    TOKEN_DIR: "{{ role_path }}/files/tokens"
+    TOKEN_DIR: "{{ kube_token_dir }}"
   with_nested:
     - [ "system:kubectl" ]
     - "{{ groups['kube-master'] }}"
   register: gentoken_master
   changed_when: "'Added' in gentoken_master.stdout"
   notify: set secret_changed
+  run_once: yes
+  when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false)
 
 - name: tokens | generate tokens for node components
-  become: False
-  local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+  command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
   environment:
-    TOKEN_DIR: "{{ role_path }}/files/tokens"
+    TOKEN_DIR: "{{ kube_token_dir }}"
   with_nested:
     - [ 'system:kubelet' ]
     - "{{ groups['kube-node'] }}"
   register: gentoken_node
   changed_when: "'Added' in gentoken_node.stdout"
   notify: set secret_changed
+  run_once: yes
+  when: inventory_hostname == groups['kube-master'][0] and gen_tokens|default(false)
+
+- name: tokens | Get list of tokens from first master
+  shell: "(find {{ kube_token_dir }} -maxdepth 1 -type f)"
+  register: tokens_list
+  changed_when: false
+  when: inventory_hostname == groups['kube-master'][0] and sync_tokens|default(false)
+
+- name: tokens | Get the tokens from first master
+  slurp:
+    src: "{{ item }}"
+  delegate_to: "{{groups['kube-master'][0]}}"
+  register: slurp_tokens
+  with_items: '{{tokens_list.stdout_lines}}'
+  when: sync_tokens|default(false)
+  run_once: true
+  notify: set secret_changed
 
-- name: tokens | Copy tokens on master
+- name: tokens | Copy tokens on masters
   copy:
-    src: "tokens"
-    dest: "/etc/kubernetes"
-  when: inventory_hostname in "{{ groups['kube-master'] }}"
+    content: "{{ item.content|b64decode }}"
+    dest: "{{ item.source }}"
+  with_items: '{{slurp_tokens.results}}'
+  when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
+        inventory_hostname != groups['kube-master'][0]
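Review bot: The final "Copy tokens on masters" task gates on `sync_certs|default(false)`, but the flag computed for tokens in check-tokens.yml is `sync_tokens`, so tokens are only pushed to the other masters when a certificate sync happens to be needed and the token check result is never consulted; the condition should read `when: inventory_hostname in groups['kube-master'] and sync_tokens|default(false) and` followed by the existing `inventory_hostname != groups['kube-master'][0]` line. The same task writes bearer-token files via `copy: content:` without a `mode`, so on the secondary masters they take the umask default (commonly 0644) regardless of how kube-gen-token.sh created the originals; adding `mode: "0600"` keeps the copied tokens restricted to the owner. Also, `notify: set secret_changed` on the `slurp` task never fires, since slurp does not report a change; the handler belongs on the copy task, which is the one that actually alters the secondary masters.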
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
index 027e95a82..6837f4853 100644
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -1,5 +1,6 @@
 ---
 - include: check-certs.yml
+- include: check-tokens.yml
 
 - name: Make sure the certificate directory exits
   file:
-- 
GitLab