use slurp to fetch ssl cert and key, bugfix

tennix · Jan 23, 2017 · fec1877 · fec1877
1 parent 0a05733
commit fec1877
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 35 deletions.
diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
@@ -27,7 +27,7 @@ etcd_initial_cluster_token: etcd-k8-cluster
 # Useful on systems when default interface is not connected to other machines,
 # for example as in Vagrant+VirtualBox configuration.
 # Note that this variable can't be set in per-host manner with current implementation.
-etcd_interface: "eth1"
+etcd_interface: "{{ ansible_default_ipv4.interface }}"
 
 etcd_machine_address: "{{ hostvars[inventory_hostname]['ansible_' + etcd_interface].ipv4.address }}"
 etcd_initial_advertise_peer_urls: "{{ etcd_peer_url_scheme }}:https://{{ etcd_machine_address }}:{{ etcd_peer_port }}"

diff --git a/roles/master/tasks/main.yml b/roles/master/tasks/main.yml
@@ -13,7 +13,7 @@
  - /etc/etcd
 
 - name: Make sure /etc/kubernetes/certs directory exist
- file: path=/etc/kubernetes/certs state=directory group=k8s mode=0750
+ file: path=/etc/kubernetes/certs state=directory owner=root group=root mode=0700
 
 - name: Install hyperkube
  file:
@@ -44,7 +44,7 @@
 
 - name: Set fact of IP
  set_fact:
- node_ip: "{% if public_iface %}{{ hostvars[inventory_hostname]['ansible_'+public_iface]['ipv4']['address'] }}{% else %}{{ ansible_default_ipv4 }}{% endif %}"
+ node_ip: "{% if public_iface is defined %}{{ hostvars[inventory_hostname]['ansible_'+public_iface]['ipv4']['address'] }}{% else %}{{ ansible_default_ipv4['address'] }}{% endif %}"
 
 - name: Install certificates generator scripts
  template:

diff --git a/roles/node/tasks/load-image.yml b/roles/node/tasks/load-image.yml
@@ -17,7 +17,7 @@
  when: kube_network_policy
 
 - name: Load kubernetes dashboard images
- command: "docker load -i /opt/docker-images/kubernetes-dashboard-amd64-v{{ kubernetes_dashboard_version }}.tar"
+ command: "docker load -i /opt/docker-images/kubernetes-dashboard-amd64_v{{ kubernetes_dashboard_version }}.tar"
  when: kube_ui
 
 - name: Load logging images

diff --git a/roles/node/tasks/main.yml b/roles/node/tasks/main.yml
@@ -8,7 +8,7 @@
  - /etc/cni/net.d
 
 - name: Make sure /etc/kubernetes/certs directory exist
- file: path=/etc/kubernetes/certs state=directory mode=0750 group=k8s
+ file: path=/etc/kubernetes/certs state=directory owner=root group=root mode=0700
 
 - name: Install hyperkube
  file:
@@ -29,34 +29,41 @@
 
 - name: Set fact of IP
  set_fact:
- node_ip: "{% if public_iface %}{{ hostvars[inventory_hostname]['ansible_'+public_iface]['ipv4']['address'] }}{% else %}{{ ansible_default_ipv4 }}{% endif %}"
+ node_ip: "{% if public_iface is defined %}{{ hostvars[inventory_hostname]['ansible_'+public_iface]['ipv4']['address'] }}{% else %}{{ ansible_default_ipv4 }}{% endif %}"
 
 - name: Generate kube-node certificates
  command: "/opt/bin/cert-generator.sh {{ node_ip }} {{ ansible_hostname }}"
  delegate_to: "{{ groups['masters'][0] }}"
 
-- name: Copy certificates # Note: This requires rsync installed and ssh with ssh key
- synchronize:
- src="/etc/kubernetes/certs/{{ item }}"
- dest="/etc/kubernetes/certs/{{ item }}"
- mode=push
- rsync_path="sudo rsync"
- with_items:
- - ca.crt
- - "{{ node_ip }}.crt"
- - "{{ node_ip }}.key"
+- name: Fetch CA certificate from master
+ slurp: src="/etc/kubernetes/certs/ca.crt"
+ register: ca_cert
  delegate_to: "{{ groups['masters'][0] }}"
 
-- name: Symlink certificates
- file:
- src="/etc/kubernetes/certs/{{ node_ip }}.{{ item }}"
- dest="/etc/kubernetes/certs/kubelet.{{ item }}"
- state=link
- force=yes
- mode=0600
- with_items:
- - key
- - crt
+- name: Copy CA certificate to node
+ copy:
+ content="{{ ca_cert['content'] | b64decode }}"
+ dest="/etc/kubernetes/certs/ca.crt"
+
+- name: Fetch kubelet key from master
+ slurp: src="/etc/kubernetes/certs/{{ node_ip }}.key"
+ register: kubelet_key
+ delegate_to: "{{ groups['masters'][0] }}"
+
+- name: Copy kubelet key to node
+ copy:
+ content="{{ kubelet_key['content'] | b64decode }}"
+ dest="/etc/kubernetes/certs/kubelet.key"
+
+- name: Fetch kubelet certificate from master
+ slurp: src="/etc/kubernetes/certs/kubelet.crt"
+ register: kubelet_cert
+ delegate_to: "{{ groups['masters'][0] }}"
+
+- name: Copy kubelet certificate to node
+ copy:
+ content="{{ kubelet_cert['content'] | b64decode }}"
+ dest="/etc/kubernetes/certs/kubelet.crt"
 
 - include: load-image.yml
  when: not net_install

diff --git a/roles/node/templates/kubelet.kubeconfig.j2 b/roles/node/templates/kubelet.kubeconfig.j2
@@ -1,17 +1,17 @@
 apiVersion: v1
 kind: Config
-current-context: kubelet-{{ hostvars[inventory_hostname]['ansible_'+public_iface]['ipv4']['address'] }}@{{ cluster_name }}
+current-context: kubelet-{{ ansible_default_ipv4['address'] }}@{{ cluster_name }}
 clusters:
 - cluster:
  certificate-authority: /etc/kubernetes/certs/ca.crt
- server: https://{{ kube_master_ip }}:443
+ server: https://{{ groups['masters'][0] }}:443
  name: {{ cluster_name }}
 preferences: {}
 contexts:
 - context:
  cluster: {{ cluster_name }}
  user: kubelet
- name: kubelet-{{ hostvars[inventory_hostname]['ansible_'+public_iface]['ipv4']['address'] }}@{{ cluster_name }}
+ name: kubelet-{{ ansible_default_ipv4['address'] }}@{{ cluster_name }}
 users:
 - name: kubelet
  user:

diff --git a/roles/remote/tasks/main.yml b/roles/remote/tasks/main.yml
@@ -1,10 +1,4 @@
 ---
-- name: Create k8s group
- group: name=k8s state=present
-
-- name: Add current user to k8s group
- user: name={{ ansible_user_id }} group=k8s state=present
-
 - name: Set IPv4 forwarding
  sysctl:
  name=net.ipv4.ip_forward