diff --git a/.travis.yml b/.travis.yml
index a8ef79a9dd3692da3f04d018f204b571978c8dee..b06e14921d6bbe5fb1466734d52de377d2a91017 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -63,19 +63,19 @@ env:
CLOUD_IMAGE=ubuntu-1404-trusty
CLOUD_REGION=europe-west1-c
- # # Ubuntu 15.10
- # - >-
- # KUBE_NETWORK_PLUGIN=flannel
- # CLOUD_IMAGE=ubuntu-1510-wily
- # CLOUD_REGION=us-central1-a
- # - >-
- # KUBE_NETWORK_PLUGIN=calico
- # CLOUD_IMAGE=ubuntu-1510-wily
- # CLOUD_REGION=us-central1-a
- # - >-
- # KUBE_NETWORK_PLUGIN=weave
- # CLOUD_IMAGE=ubuntu-1510-wily
- # CLOUD_REGION=us-central1-a
+ # Ubuntu 15.10
+ - >-
+ KUBE_NETWORK_PLUGIN=flannel
+ CLOUD_IMAGE=ubuntu-1510-wily
+ CLOUD_REGION=us-central1-a
+ - >-
+ KUBE_NETWORK_PLUGIN=calico
+ CLOUD_IMAGE=ubuntu-1510-wily
+ CLOUD_REGION=us-central1-a
+ - >-
+ KUBE_NETWORK_PLUGIN=weave
+ CLOUD_IMAGE=ubuntu-1510-wily
+ CLOUD_REGION=us-central1-a
matrix:
@@ -83,6 +83,7 @@ matrix:
- env: KUBE_NETWORK_PLUGIN=flannel CLOUD_IMAGE=centos-7-sudo CLOUD_REGION=us-central1-c
- env: KUBE_NETWORK_PLUGIN=flannel CLOUD_IMAGE=rhel-7-sudo CLOUD_REGION=us-east1-d
- env: KUBE_NETWORK_PLUGIN=weave CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=europe-west1-c
+ - env: KUBE_NETWORK_PLUGIN=calico CLOUD_IMAGE=ubuntu-1404-trusty CLOUD_REGION=europe-west1-c
before_install:
# Install Ansible.
diff --git a/README.md b/README.md
index 795ba9a13ac8df29a621f4039aacd1f7b50a7388..38a07805cbb257f2d0419eccae1021f11af745df 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ in order to avoid any issue during deployment you should disable your firewall
* Base knowledge on Ansible. Please refer to [Ansible documentation](http://www.ansible.com/how-ansible-works)
### Components
-* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.4
+* [kubernetes](https://github.com/kubernetes/kubernetes/releases) v1.1.7
* [etcd](https://github.com/coreos/etcd/releases) v2.2.4
* [calicoctl](https://github.com/projectcalico/calico-docker/releases) v0.16.0
* [flanneld](https://github.com/coreos/flannel/releases) v0.5.5
diff --git a/roles/kubernetes/master/tasks/gen_kube_tokens.yml b/roles/kubernetes/master/tasks/gen_kube_tokens.yml
deleted file mode 100644
index 62b26e2fe071b839a824a70f4a7fe891b5c78ca3..0000000000000000000000000000000000000000
--- a/roles/kubernetes/master/tasks/gen_kube_tokens.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-- name: tokens | copy the token gen script
- copy:
- src=kube-gen-token.sh
- dest={{ kube_script_dir }}
- mode=u+x
- when: inventory_hostname == groups['kube-master'][0]
-
-- name: tokens | generate tokens for master components
- command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
- environment:
- TOKEN_DIR: "{{ kube_token_dir }}"
- with_nested:
- - [ "system:kubectl" ]
- - "{{ groups['kube-master'] }}"
- register: gentoken_master
- changed_when: "'Added' in gentoken_master.stdout"
- when: inventory_hostname == groups['kube-master'][0]
- notify: restart kube-apiserver
-
-- name: tokens | generate tokens for node components
- command: "{{ kube_script_dir }}/kube-gen-token.sh {{ item[0] }}-{{ item[1] }}"
- environment:
- TOKEN_DIR: "{{ kube_token_dir }}"
- with_nested:
- - [ 'system:kubelet' ]
- - "{{ groups['kube-node'] }}"
- register: gentoken_node
- changed_when: "'Added' in gentoken_node.stdout"
- when: inventory_hostname == groups['kube-master'][0]
- notify: restart kube-apiserver
diff --git a/roles/kubernetes/master/tasks/main.yml b/roles/kubernetes/master/tasks/main.yml
index 5eb0de96f323b06af453383bda3f8badaa668344..70dd0232573880317b6f0f70f57a40d69f50ba4b 100644
--- a/roles/kubernetes/master/tasks/main.yml
+++ b/roles/kubernetes/master/tasks/main.yml
@@ -1,7 +1,4 @@
---
-- include: gen_kube_tokens.yml
- tags: tokens
-
- name: Copy kubectl bash completion
copy:
src: kubectl_bash_completion.sh
@@ -16,31 +13,6 @@
command: rsync -piu "{{ local_release_dir }}/kubernetes/bin/kubectl" "{{ bin_dir }}/kubectl"
changed_when: false
-- name: populate users for basic auth in API
- lineinfile:
- dest: "{{ kube_users_dir }}/known_users.csv"
- create: yes
- line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
- backup: yes
- with_dict: "{{ kube_users }}"
- notify: restart kube-apiserver
-
-# Sync masters
-- name: synchronize auth directories for masters
- synchronize:
- src: "{{ item }}"
- dest: "{{ kube_config_dir }}"
- recursive: yes
- delete: yes
- rsync_opts: [ '--one-file-system']
- set_remote_user: false
- with_items:
- - "{{ kube_token_dir }}"
- - "{{ kube_cert_dir }}"
- - "{{ kube_users_dir }}"
- delegate_to: "{{ groups['kube-master'][0] }}"
- when: inventory_hostname != "{{ groups['kube-master'][0] }}"
-
- name: install | Write kube-apiserver systemd init file
template:
src: "kube-apiserver.service.j2"
@@ -119,3 +91,9 @@
name: kubelet
state: restarted
changed_when: false
+
+- name: restart kube-apiserver
+ service:
+ name: kube-apiserver
+ state: restarted
+ when: secret_changed | default(false)
diff --git a/roles/kubernetes/node/meta/main.yml b/roles/kubernetes/node/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..811a29787abf374c8791a2088518eaafaf16f95a
--- /dev/null
+++ b/roles/kubernetes/node/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: kubernetes/secrets
diff --git a/roles/kubernetes/node/tasks/gen_certs.yml b/roles/kubernetes/node/tasks/gen_certs.yml
deleted file mode 100644
index a4f70ce54273cc8e2cfc7e771d2e45b1a53305d0..0000000000000000000000000000000000000000
--- a/roles/kubernetes/node/tasks/gen_certs.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-- name: certs | install cert generation script
- copy:
- src=make-ssl.sh
- dest={{ kube_script_dir }}
- mode=0500
- changed_when: false
-
-- name: certs | write openssl config
- template:
- src: "openssl.conf.j2"
- dest: "{{ kube_config_dir }}/.openssl.conf"
-
-- name: certs | run cert generation script
- shell: >
- {{ kube_script_dir }}/make-ssl.sh
- -f {{ kube_config_dir }}/.openssl.conf
- -g {{ kube_cert_group }}
- -d {{ kube_cert_dir }}
- args:
- creates: "{{ kube_cert_dir }}/apiserver.pem"
-
-- name: certs | check certificate permissions
- file:
- path={{ kube_cert_dir }}
- group={{ kube_cert_group }}
- owner=kube
- recurse=yes
diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml
index 3af211902d6c65b49611592ab6ab3fb33fc7e263..803c9251b6a749b6f3b5a365e3e10258cf26b6ff 100644
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -1,4 +1,6 @@
---
+- include: install.yml
+
- name: Write Calico cni config
template:
src: "cni-calico.conf.j2"
@@ -6,10 +8,6 @@
owner: kube
when: kube_network_plugin == "calico"
-- include: secrets.yml
-
-- include: install.yml
-
- name: Write kubelet config file
template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
notify:
diff --git a/roles/kubernetes/node/tasks/secrets.yml b/roles/kubernetes/node/tasks/secrets.yml
deleted file mode 100644
index 49b7f154f4fdea180824d56682a4451b633602a7..0000000000000000000000000000000000000000
--- a/roles/kubernetes/node/tasks/secrets.yml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-- name: Secrets | certs | make sure the certificate directory exits
- file:
- path={{ kube_cert_dir }}
- state=directory
- mode=o-rwx
- group={{ kube_cert_group }}
-
-- name: Secrets | tokens | make sure the tokens directory exits
- file:
- path={{ kube_token_dir }}
- state=directory
- mode=o-rwx
- group={{ kube_cert_group }}
-
-- include: gen_certs.yml
- when: inventory_hostname == groups['kube-master'][0]
-
-# Sync certs between nodes
-- name: Secrets | create user
- user:
- name: '{{ansible_user_id}}'
- generate_ssh_key: yes
- delegate_to: "{{ groups['kube-master'][0] }}"
- run_once: yes
-
-- name: Secrets | 'get ssh keypair'
- slurp: path=~/.ssh/id_rsa.pub
- register: public_key
- delegate_to: "{{ groups['kube-master'][0] }}"
-
-- name: Secrets | 'setup keypair on nodes'
- authorized_key:
- user: '{{ansible_user_id}}'
- key: "{{public_key.content|b64decode }}"
-
-- name: Secrets | synchronize certificates for nodes
- synchronize:
- src: "{{ item }}"
- dest: "{{ kube_cert_dir }}"
- recursive: yes
- delete: yes
- rsync_opts: [ '--one-file-system']
- set_remote_user: false
- with_items:
- - "{{ kube_cert_dir}}/ca.pem"
- - "{{ kube_cert_dir}}/node.pem"
- - "{{ kube_cert_dir}}/node-key.pem"
- delegate_to: "{{ groups['kube-master'][0] }}"
- when: inventory_hostname not in "{{ groups['kube-master'] }}"
diff --git a/roles/kubernetes/preinstall/defaults/main.yml b/roles/kubernetes/preinstall/defaults/main.yml
index be0857ce19b288d79c3a97f30793ab0c024b7159..9d748ffbece000d4d6e261da73f42cd7ae5eabb9 100644
--- a/roles/kubernetes/preinstall/defaults/main.yml
+++ b/roles/kubernetes/preinstall/defaults/main.yml
@@ -6,6 +6,7 @@ common_required_pkgs:
- openssl
- curl
- rsync
+ - bash-completion
pypy_version: 2.4.0
python_pypy_url: "https://bitbucket.org/pypy/pypy/downloads/pypy-{{ pypy_version }}.tar.bz2"
diff --git a/roles/kubernetes/secrets/files/certs/.gitkeep b/roles/kubernetes/secrets/files/certs/.gitkeep
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/roles/kubernetes/secrets/files/tokens/.gitkeep b/roles/kubernetes/secrets/files/tokens/.gitkeep
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/roles/kubernetes/secrets/handlers/main.yml b/roles/kubernetes/secrets/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d5fab8e1417c602f8965c70850bce27359eb2534
--- /dev/null
+++ b/roles/kubernetes/secrets/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: set secret_changed
+ set_fact:
+ secret_changed: true
diff --git a/roles/kubernetes/master/files/kube-gen-token.sh b/roles/kubernetes/secrets/scripts/kube-gen-token.sh
old mode 100644
new mode 100755
similarity index 100%
rename from roles/kubernetes/master/files/kube-gen-token.sh
rename to roles/kubernetes/secrets/scripts/kube-gen-token.sh
diff --git a/roles/kubernetes/node/files/make-ssl.sh b/roles/kubernetes/secrets/scripts/make-ssl.sh
old mode 100644
new mode 100755
similarity index 67%
rename from roles/kubernetes/node/files/make-ssl.sh
rename to roles/kubernetes/secrets/scripts/make-ssl.sh
index 9ab0a49df5598d32ccc1dcc31f8d46fe382552b3..fb6ab146f5f86bc8be0a99e7833e9c1637d3e64c
--- a/roles/kubernetes/node/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/scripts/make-ssl.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-# Author: skahlouc@skahlouc-laptop
+# Author: Smana smainklh@gmail.com
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -22,15 +22,13 @@ usage()
cat << EOF
Create self signed certificates
-Usage : $(basename $0) -f <config> [-c <cloud_provider>] [-d <ssldir>] [-g <ssl_group>]
+Usage : $(basename $0) -f <config> [-d <ssldir>]
-h | --help : Show this message
-f | --config : Openssl configuration file
- -c | --cloud : Cloud provider (GCE, AWS or AZURE)
-d | --ssldir : Directory where the certificates will be installed
- -g | --sslgrp : Group of the certificates
ex :
- $(basename $0) -f openssl.conf -c GCE -d /srv/ssl -g kube
+ $(basename $0) -f openssl.conf -d /srv/ssl
EOF
}
@@ -39,9 +37,7 @@ while (($#)); do
case "$1" in
-h | --help) usage; exit 0;;
-f | --config) CONFIG=${2}; shift 2;;
- -c | --cloud) CLOUD=${2}; shift 2;;
-d | --ssldir) SSLDIR="${2}"; shift 2;;
- -g | --group) SSLGRP="${2}"; shift 2;;
*)
usage
echo "ERROR : Unknown option"
@@ -57,26 +53,6 @@ fi
if [ -z ${SSLDIR} ]; then
SSLDIR="/etc/kubernetes/certs"
fi
-if [ -z ${SSLGRP} ]; then
- SSLGRP="kube-cert"
-fi
-
-#echo "config=$CONFIG, cloud=$CLOUD, certdir=$SSLDIR, certgroup=$SSLGRP"
-
-SUPPORTED_CLOUDS="GCE AWS AZURE"
-
-# TODO: Add support for discovery on other providers?
-if [ "${CLOUD}" == "GCE" ]; then
- CLOUD_IP=$(curl -s -H Metadata-Flavor:Google http://metadata.google.internal./computeMetadata/v1/instance/network-interfaces/0/access-configs/0/external-ip)
-fi
-
-if [ "${CLOUD}" == "AWS" ]; then
- CLOUD_IP=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
-fi
-
-if [ "${CLOUD}" == "AZURE" ]; then
- CLOUD_IP=$(uname -n | awk -F. '{ print $2 }').cloudapp.net
-fi
tmpdir=$(mktemp -d --tmpdir kubernetes_cacert.XXXXXX)
trap 'rm -rf "${tmpdir}"' EXIT
@@ -102,6 +78,3 @@ done
# Install certs
mv *.pem ${SSLDIR}/
-chgrp ${SSLGRP} ${SSLDIR}/*
-chmod 600 ${SSLDIR}/*-key.pem
-chown root:root ${SSLDIR}/*-key.pem
diff --git a/roles/kubernetes/secrets/tasks/gen_certs.yml b/roles/kubernetes/secrets/tasks/gen_certs.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e2b3eaefa69e845b27abbbc3755c235c9748166d
--- /dev/null
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@@ -0,0 +1,51 @@
+---
+- name: certs | write openssl config
+ sudo: False
+ local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf"
+ run_once: yes
+
+- name: certs | run cert generation script
+ sudo: False
+ local_action: shell
+ {{ role_path }}/scripts/make-ssl.sh
+ -f {{ role_path }}/files/openssl.conf
+ -d {{ role_path }}/files/certs/
+ run_once: yes
+
+- name: certs | Copy certs on nodes
+ copy:
+ src: "certs/{{ item }}"
+ dest: "{{ kube_cert_dir }}"
+ with_items:
+ - ca.pem
+ - node.pem
+ - node-key.pem
+ when: inventory_hostname in "{{ groups['k8s-cluster'] }}"
+
+- name: certs | Copy certs on master
+ copy:
+ src: "certs/{{ item }}"
+ dest: "{{ kube_cert_dir }}"
+ with_items:
+ - ca-key.pem
+ - admin.pem
+ - admin-key.pem
+ - apiserver-key.pem
+ - apiserver.pem
+ when: inventory_hostname in "{{ groups['kube-master'] }}"
+
+- name: certs | check certificate permissions
+ file:
+ path={{ kube_cert_dir }}
+ group={{ kube_cert_group }}
+ owner=kube
+ recurse=yes
+
+- shell: ls {{ kube_cert_dir}}/*key.pem
+ register: keyfiles
+
+- name: certs | set permissions on keys
+ file:
+ path: "{{ item }}"
+ mode: 0600
+ with_items: keyfiles.stdout_lines
diff --git a/roles/kubernetes/secrets/tasks/gen_tokens.yml b/roles/kubernetes/secrets/tasks/gen_tokens.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ec11ad80176bcc7328349f35a7e560c3969ac42c
--- /dev/null
+++ b/roles/kubernetes/secrets/tasks/gen_tokens.yml
@@ -0,0 +1,30 @@
+---
+- name: tokens | generate tokens for master components
+ sudo: False
+ local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+ environment:
+ TOKEN_DIR: "{{ role_path }}/files/tokens"
+ with_nested:
+ - [ "system:kubectl" ]
+ - "{{ groups['kube-master'] }}"
+ register: gentoken_master
+ changed_when: "'Added' in gentoken_master.stdout"
+ notify: set secret_changed
+
+- name: tokens | generate tokens for node components
+ sudo: False
+ local_action: command "{{ role_path }}/scripts/kube-gen-token.sh" "{{ item[0] }}-{{ item[1] }}"
+ environment:
+ TOKEN_DIR: "{{ role_path }}/files/tokens"
+ with_nested:
+ - [ 'system:kubelet' ]
+ - "{{ groups['kube-node'] }}"
+ register: gentoken_node
+ changed_when: "'Added' in gentoken_node.stdout"
+ notify: set secret_changed
+
+- name: tokens | Copy tokens on master
+ copy:
+ src: "tokens"
+ dest: "/etc/kubernetes"
+ when: inventory_hostname in "{{ groups['kube-master'] }}"
diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a2f039cf020eb4d3f2fd302271c37c61fcf3dbe6
--- /dev/null
+++ b/roles/kubernetes/secrets/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- name: Make sure the certificate directory exits
+ file:
+ path={{ kube_cert_dir }}
+ state=directory
+ mode=o-rwx
+ group={{ kube_cert_group }}
+
+- name: Make sure the tokens directory exits
+ file:
+ path={{ kube_token_dir }}
+ state=directory
+ mode=o-rwx
+ group={{ kube_cert_group }}
+
+- name: Make sure the users directory exits
+ file:
+ path={{ kube_users_dir }}
+ state=directory
+ mode=o-rwx
+ group={{ kube_cert_group }}
+
+- name: Populate users for basic auth in API
+ lineinfile:
+ dest: "{{ kube_users_dir }}/known_users.csv"
+ create: yes
+ line: '{{ item.value.pass }},{{ item.key }},{{ item.value.role }}'
+ backup: yes
+ with_dict: "{{ kube_users }}"
+ when: inventory_hostname in "{{ groups['kube-master'] }}"
+ notify: set secret_changed
+
+- name: Check if a certificate already exists
+ stat:
+ path: "{{ kube_cert_dir }}/ca.pem"
+ register: kubecert
+
+- include: gen_certs.yml
+ when: not kubecert.stat.exists
+
+- include: gen_tokens.yml
diff --git a/roles/kubernetes/node/templates/openssl.conf.j2 b/roles/kubernetes/secrets/templates/openssl.conf.j2
similarity index 100%
rename from roles/kubernetes/node/templates/openssl.conf.j2
rename to roles/kubernetes/secrets/templates/openssl.conf.j2
diff --git a/roles/network_plugin/calico/handlers/main.yml b/roles/network_plugin/calico/handlers/main.yml
index 35b1ae759bebb3da938e1d48d7c842537d7aaeae..59163cc07a67d8c6795dd2764d3139b29903549c 100644
--- a/roles/network_plugin/calico/handlers/main.yml
+++ b/roles/network_plugin/calico/handlers/main.yml
@@ -13,3 +13,4 @@
service:
name: calico-node
state: restarted
+ sleep: 10
\ No newline at end of file