From f91f75840e4e2c2dab12f3303ddf696da4fb3e29 Mon Sep 17 00:00:00 2001
From: Alexander Brand <alexbrand09@gmail.com>
Date: Mon, 19 Nov 2018 12:27:17 -0500
Subject: [PATCH 1/4] Add secure-etcd role

Created a secure-etcd role which uses kubeadm to generate all TLS assets
required to bootstrap a secure etcd cluster.

Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
---
 ansible/roles/secure-etcd/defaults/main.yml   |   5 +
 ansible/roles/secure-etcd/handlers/main.yml   |   6 +
 ansible/roles/secure-etcd/tasks/main.yml      | 150 ++++++++++++++++++
 .../templates/etc/kubernetes/etcd.conf        |  10 ++
 .../templates/etc/systemd/system/etcd.service |  34 ++++
 ansible/roles/secure-etcd/vars/main.yml       |   5 +
 6 files changed, 210 insertions(+)
 create mode 100644 ansible/roles/secure-etcd/defaults/main.yml
 create mode 100644 ansible/roles/secure-etcd/handlers/main.yml
 create mode 100644 ansible/roles/secure-etcd/tasks/main.yml
 create mode 100644 ansible/roles/secure-etcd/templates/etc/kubernetes/etcd.conf
 create mode 100644 ansible/roles/secure-etcd/templates/etc/systemd/system/etcd.service
 create mode 100644 ansible/roles/secure-etcd/vars/main.yml

diff --git a/ansible/roles/secure-etcd/defaults/main.yml b/ansible/roles/secure-etcd/defaults/main.yml
new file mode 100644
index 0000000..9f939ad
--- /dev/null
+++ b/ansible/roles/secure-etcd/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+etcd_cluster_token: 444fddcc-beae-45bc-9da6-d941d446b595
+etcd_interface: enp0s8
+etcd_version: v3.2.10
+kubeadm_version: "v1.12.2"
\ No newline at end of file
diff --git a/ansible/roles/secure-etcd/handlers/main.yml b/ansible/roles/secure-etcd/handlers/main.yml
new file mode 100644
index 0000000..b580c90
--- /dev/null
+++ b/ansible/roles/secure-etcd/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart etcd
+  systemd:
+    name: etcd
+    daemon_reload: True
+    state: restarted
diff --git a/ansible/roles/secure-etcd/tasks/main.yml b/ansible/roles/secure-etcd/tasks/main.yml
new file mode 100644
index 0000000..203a9ef
--- /dev/null
+++ b/ansible/roles/secure-etcd/tasks/main.yml
@@ -0,0 +1,150 @@
+---
+### Create TLS assets using kubeadm
+- name: download standalone kubeadm for cert generation
+  get_url:
+    url: "{{ kubeadm_release_url }}"
+    dest: /usr/local/bin/kubeadm
+    mode: 0744
+    force: no
+
+- name: determine whether kubeadm needs to create etcd ca
+  stat:
+    path: "/etc/kubernetes/pki/etcd/{{ item }}"
+  with_items:
+    - ca.crt
+    - ca.key
+  register: etcd_ca
+
+- name: determine whether kubeadm needs to create etcd peer and server certs
+  stat:
+    path: "/etc/kubernetes/pki/etcd/{{ item }}"
+  with_items:
+    - peer.crt
+    - peer.key
+    - server.crt
+    - server.key
+  register: etcd_local_tls_assets
+
+- name: determine whether kubeadm needs to create the apiserver etcd client certs
+  stat:
+    path: "/etc/kubernetes/pki/{{ item }}"
+  with_items:
+    - apiserver-etcd-client.crt
+    - apiserver-etcd-client.key
+  register: apiserver_etcd_certs
+  delegate_to: "{{ groups['etcd'][0] }}"
+
+- name: create /etc/kubernetes directory
+  file:
+    dest: /etc/kubernetes
+    state: directory
+    owner: root
+    group: root
+
+- name: laydown etcd.conf to be used for cert generation
+  template:
+    src: etc/kubernetes/etcd.conf
+    dest: /etc/kubernetes/etcd.conf
+  with_items: "{{ etcd_ca.results }}"
+  when: item.stat.exists == False
+
+- name: generate etcd ca certs with kubeadm
+  command: "/usr/local/bin/kubeadm alpha phase certs etcd-ca"
+  delegate_to: "{{ groups['etcd'][0] }}"
+  run_once: True
+  with_items: "{{ etcd_ca.results }}"
+  when: item.stat.exists == False
+
+- name: generate apiserver client certs with kubeadm
+  command: "/usr/local/bin/kubeadm alpha phase certs apiserver-etcd-client"
+  delegate_to: "{{ groups['etcd'][0] }}"
+  run_once: True
+  with_items: "{{ apiserver_etcd_certs.results }}"
+  when: item.stat.exists == False
+
+- name: slurp the etcd ca certs
+  slurp:
+    src: /etc/kubernetes/pki/etcd/{{ item }}
+  with_items:
+    - ca.crt
+    - ca.key
+  register: etcd_ca_pki
+  delegate_to: "{{ groups['etcd'][0] }}"
+  run_once: True
+
+- name: create kubernetes pki directory
+  file:
+    dest: /etc/kubernetes/pki/etcd
+    state: directory
+    owner: root
+    group: root
+
+- name: add etcd ca cert to the rest of the etcd nodes
+  no_log: True
+  copy:
+    dest: "{{ item.source }}"
+    content: "{{ item.content | b64decode }}"
+    owner: root
+    group: root
+    mode: 0700
+  with_items: "{{ etcd_ca_pki.results }}"
+  when: inventory_hostname != groups['etcd']|first
+
+- name: generate etcd peer certs with kubeadm
+  command: "/usr/local/bin/kubeadm alpha phase certs etcd-peer --config=/etc/kubernetes/etcd.conf"
+  with_items: "{{ etcd_local_tls_assets.results }}"
+  when: item.stat.exists == False
+
+- name: generate etcd server certs with kubeadm
+  command: "/usr/local/bin/kubeadm alpha phase certs etcd-server --config=/etc/kubernetes/etcd.conf"
+  with_items: "{{ etcd_local_tls_assets.results }}"
+  when: item.stat.exists == False
+
+### Download and start etcd
+- name: download and extract etcd binaries
+  unarchive:
+    remote_src: True
+    src: "{{ etcd_release_url }}"
+    dest: /tmp
+    creates: /usr/local/bin/etcd
+  register: etcd_downloaded
+
+- name: move binaries into path
+  copy:
+    remote_src: True
+    src: "/tmp/etcd-{{ etcd_version }}-linux-amd64/{{ item }}"
+    dest: "/usr/local/bin/{{ item }}"
+  with_items:
+    - etcd
+    - etcdctl
+  when: etcd_downloaded is changed
+
+- name: set permissions on etcd binaries
+  file:
+    dest: "/usr/local/bin/{{ item }}"
+    mode: 0755
+    state: file
+  with_items:
+    - etcd
+    - etcdctl
+
+- name: create data directory
+  file:
+    dest: /var/lib/etcd
+    state: directory
+
+- name: etcd systemd template
+  template:
+    src: etc/systemd/system/etcd.service
+    dest: /etc/systemd/system/etcd.service
+  tags:
+    - etcd2
+  notify:
+    - restart etcd
+
+- name: enable and start the service
+  systemd:
+    name: etcd
+    daemon_reload: True
+    state: started
+    enabled: True
diff --git a/ansible/roles/secure-etcd/templates/etc/kubernetes/etcd.conf b/ansible/roles/secure-etcd/templates/etc/kubernetes/etcd.conf
new file mode 100644
index 0000000..483db61
--- /dev/null
+++ b/ansible/roles/secure-etcd/templates/etc/kubernetes/etcd.conf
@@ -0,0 +1,10 @@
+apiVersion: "kubeadm.k8s.io/v1alpha3"
+kind: ClusterConfiguration
+etcd:
+    local:
+        serverCertSANs:
+        - "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"
+        - "{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}"
+        peerCertSANs:
+        - "{{ hostvars[inventory_hostname]['ansible_fqdn'] }}"
+        - "{{ hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address'] }}"
diff --git a/ansible/roles/secure-etcd/templates/etc/systemd/system/etcd.service b/ansible/roles/secure-etcd/templates/etc/systemd/system/etcd.service
new file mode 100644
index 0000000..e8f37cf
--- /dev/null
+++ b/ansible/roles/secure-etcd/templates/etc/systemd/system/etcd.service
@@ -0,0 +1,34 @@
+[Unit]
+Description=etcd
+Documentation=https://github.com/coreos/etcd
+Conflicts=etcd.service
+Conflicts=etcd2.service
+
+[Service]
+Type=notify
+Restart=always
+RestartSec=5s
+LimitNOFILE=40000
+TimeoutStartSec=0
+
+ExecStart=/usr/local/bin/etcd \
+    --name={{ inventory_hostname }} \
+    --data-dir=/var/lib/etcd \
+    --listen-client-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2379 \
+    --advertise-client-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2379 \
+    --listen-peer-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2380 \
+    --initial-advertise-peer-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2380 \
+    --initial-cluster={{ etcd_cluster_endpoints }} \
+    --initial-cluster-token={{ etcd_cluster_token }} \
+    --initial-cluster-state=new \
+    --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
+    --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt \
+    --peer-key-file=/etc/kubernetes/pki/etcd/peer.key \
+    --peer-client-cert-auth=true \
+    --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
+    --cert-file=/etc/kubernetes/pki/etcd/server.crt \
+    --key-file=/etc/kubernetes/pki/etcd/server.key \
+    --client-cert-auth=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible/roles/secure-etcd/vars/main.yml b/ansible/roles/secure-etcd/vars/main.yml
new file mode 100644
index 0000000..d188e04
--- /dev/null
+++ b/ansible/roles/secure-etcd/vars/main.yml
@@ -0,0 +1,5 @@
+---
+etcd_release_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
+etcd_client_endpoints: "{{ groups['etcd']|map('extract', hostvars, ['ansible_' + etcd_interface, 'ipv4', 'address'])|map('regex_replace', '^(.*)$', 'https://\\1:2379')|list|sort }}"
+etcd_cluster_endpoints: "{% for host in groups['etcd']|sort %}{{hostvars[host]['inventory_hostname']}}=https://{{hostvars[host]['ansible_' + etcd_interface]['ipv4']['address']}}:2380{% if not loop.last %},{% endif %}{% endfor %}"
+kubeadm_release_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/amd64/kubeadm"

From 1cfbd61c115bb853d3c675653c7bc0699bed3ef1 Mon Sep 17 00:00:00 2001
From: Alexander Brand <alexbrand09@gmail.com>
Date: Tue, 20 Nov 2018 11:01:23 -0500
Subject: [PATCH 2/4] Replace existing etcd role with secure-etcd role

Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
---
 ansible/roles/etcd/defaults/main.yml          |   1 +
 ansible/roles/etcd/tasks/main.yml             | 102 ++++++++++++
 .../templates/etc/kubernetes/etcd.conf        |   0
 .../templates/etc/systemd/system/etcd.service |  18 ++-
 ansible/roles/etcd/vars/main.yml              |   5 +-
 ansible/roles/secure-etcd/defaults/main.yml   |   5 -
 ansible/roles/secure-etcd/handlers/main.yml   |   6 -
 ansible/roles/secure-etcd/tasks/main.yml      | 150 ------------------
 .../templates/etc/systemd/system/etcd.service |  34 ----
 ansible/roles/secure-etcd/vars/main.yml       |   5 -
 10 files changed, 119 insertions(+), 207 deletions(-)
 rename ansible/roles/{secure-etcd => etcd}/templates/etc/kubernetes/etcd.conf (100%)
 delete mode 100644 ansible/roles/secure-etcd/defaults/main.yml
 delete mode 100644 ansible/roles/secure-etcd/handlers/main.yml
 delete mode 100644 ansible/roles/secure-etcd/tasks/main.yml
 delete mode 100644 ansible/roles/secure-etcd/templates/etc/systemd/system/etcd.service
 delete mode 100644 ansible/roles/secure-etcd/vars/main.yml

diff --git a/ansible/roles/etcd/defaults/main.yml b/ansible/roles/etcd/defaults/main.yml
index 44ee72e..14a5190 100644
--- a/ansible/roles/etcd/defaults/main.yml
+++ b/ansible/roles/etcd/defaults/main.yml
@@ -2,3 +2,4 @@
 etcd_cluster_token: 444fddcc-beae-45bc-9da6-d941d446b595
 etcd_interface: eth0
 etcd_version: v3.2.10
+kubeadm_version: "v1.12.2"
\ No newline at end of file
diff --git a/ansible/roles/etcd/tasks/main.yml b/ansible/roles/etcd/tasks/main.yml
index f5e2769..203a9ef 100644
--- a/ansible/roles/etcd/tasks/main.yml
+++ b/ansible/roles/etcd/tasks/main.yml
@@ -1,4 +1,106 @@
 ---
+### Create TLS assets using kubeadm
+- name: download standalone kubeadm for cert generation
+  get_url:
+    url: "{{ kubeadm_release_url }}"
+    dest: /usr/local/bin/kubeadm
+    mode: 0744
+    force: no
+
+- name: determine whether kubeadm needs to create etcd ca
+  stat:
+    path: "/etc/kubernetes/pki/etcd/{{ item }}"
+  with_items:
+    - ca.crt
+    - ca.key
+  register: etcd_ca
+
+- name: determine whether kubeadm needs to create etcd peer and server certs
+  stat:
+    path: "/etc/kubernetes/pki/etcd/{{ item }}"
+  with_items:
+    - peer.crt
+    - peer.key
+    - server.crt
+    - server.key
+  register: etcd_local_tls_assets
+
+- name: determine whether kubeadm needs to create the apiserver etcd client certs
+  stat:
+    path: "/etc/kubernetes/pki/{{ item }}"
+  with_items:
+    - apiserver-etcd-client.crt
+    - apiserver-etcd-client.key
+  register: apiserver_etcd_certs
+  delegate_to: "{{ groups['etcd'][0] }}"
+
+- name: create /etc/kubernetes directory
+  file:
+    dest: /etc/kubernetes
+    state: directory
+    owner: root
+    group: root
+
+- name: laydown etcd.conf to be used for cert generation
+  template:
+    src: etc/kubernetes/etcd.conf
+    dest: /etc/kubernetes/etcd.conf
+  with_items: "{{ etcd_ca.results }}"
+  when: item.stat.exists == False
+
+- name: generate etcd ca certs with kubeadm
+  command: "/usr/local/bin/kubeadm alpha phase certs etcd-ca"
+  delegate_to: "{{ groups['etcd'][0] }}"
+  run_once: True
+  with_items: "{{ etcd_ca.results }}"
+  when: item.stat.exists == False
+
+- name: generate apiserver client certs with kubeadm
+  command: "/usr/local/bin/kubeadm alpha phase certs apiserver-etcd-client"
+  delegate_to: "{{ groups['etcd'][0] }}"
+  run_once: True
+  with_items: "{{ apiserver_etcd_certs.results }}"
+  when: item.stat.exists == False
+
+- name: slurp the etcd ca certs
+  slurp:
+    src: /etc/kubernetes/pki/etcd/{{ item }}
+  with_items:
+    - ca.crt
+    - ca.key
+  register: etcd_ca_pki
+  delegate_to: "{{ groups['etcd'][0] }}"
+  run_once: True
+
+- name: create kubernetes pki directory
+  file:
+    dest: /etc/kubernetes/pki/etcd
+    state: directory
+    owner: root
+    group: root
+
+- name: add etcd ca cert to the rest of the etcd nodes
+  no_log: True
+  copy:
+    dest: "{{ item.source }}"
+    content: "{{ item.content | b64decode }}"
+    owner: root
+    group: root
+    mode: 0700
+  with_items: "{{ etcd_ca_pki.results }}"
+  when: inventory_hostname != groups['etcd']|first
+
+- name: generate etcd peer certs with kubeadm
+  command: "/usr/local/bin/kubeadm alpha phase certs etcd-peer --config=/etc/kubernetes/etcd.conf"
+  with_items: "{{ etcd_local_tls_assets.results }}"
+  when: item.stat.exists == False
+
+- name: generate etcd server certs with kubeadm
+  command: "/usr/local/bin/kubeadm alpha phase certs etcd-server --config=/etc/kubernetes/etcd.conf"
+  with_items: "{{ etcd_local_tls_assets.results }}"
+  when: item.stat.exists == False
+
+### Download and start etcd
 - name: download and extract etcd binaries
   unarchive:
     remote_src: True
diff --git a/ansible/roles/secure-etcd/templates/etc/kubernetes/etcd.conf b/ansible/roles/etcd/templates/etc/kubernetes/etcd.conf
similarity index 100%
rename from ansible/roles/secure-etcd/templates/etc/kubernetes/etcd.conf
rename to ansible/roles/etcd/templates/etc/kubernetes/etcd.conf
diff --git a/ansible/roles/etcd/templates/etc/systemd/system/etcd.service b/ansible/roles/etcd/templates/etc/systemd/system/etcd.service
index f5f5813..e8f37cf 100644
--- a/ansible/roles/etcd/templates/etc/systemd/system/etcd.service
+++ b/ansible/roles/etcd/templates/etc/systemd/system/etcd.service
@@ -14,13 +14,21 @@ TimeoutStartSec=0
 ExecStart=/usr/local/bin/etcd \
     --name={{ inventory_hostname }} \
     --data-dir=/var/lib/etcd \
-    --listen-client-urls=http://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2379 \
-    --advertise-client-urls=http://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2379 \
-    --listen-peer-urls=http://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2380 \
-    --initial-advertise-peer-urls=http://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2380 \
+    --listen-client-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2379 \
+    --advertise-client-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2379 \
+    --listen-peer-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2380 \
+    --initial-advertise-peer-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2380 \
     --initial-cluster={{ etcd_cluster_endpoints }} \
     --initial-cluster-token={{ etcd_cluster_token }} \
-    --initial-cluster-state=new
+    --initial-cluster-state=new \
+    --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
+    --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt \
+    --peer-key-file=/etc/kubernetes/pki/etcd/peer.key \
+    --peer-client-cert-auth=true \
+    --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
+    --cert-file=/etc/kubernetes/pki/etcd/server.crt \
+    --key-file=/etc/kubernetes/pki/etcd/server.key \
+    --client-cert-auth=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/ansible/roles/etcd/vars/main.yml b/ansible/roles/etcd/vars/main.yml
index 7d4ee51..d188e04 100644
--- a/ansible/roles/etcd/vars/main.yml
+++ b/ansible/roles/etcd/vars/main.yml
@@ -1,4 +1,5 @@
 ---
 etcd_release_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
-etcd_client_endpoints: "{{ groups['etcd']|map('extract', hostvars, ['ansible_' + etcd_interface, 'ipv4', 'address'])|map('regex_replace', '^(.*)$', 'http://\\1:2379')|list|sort }}"
-etcd_cluster_endpoints: "{% for host in groups['etcd']|sort %}{{hostvars[host]['inventory_hostname']}}=http://{{hostvars[host]['ansible_' + etcd_interface]['ipv4']['address']}}:2380{% if not loop.last %},{% endif %}{% endfor %}"
+etcd_client_endpoints: "{{ groups['etcd']|map('extract', hostvars, ['ansible_' + etcd_interface, 'ipv4', 'address'])|map('regex_replace', '^(.*)$', 'https://\\1:2379')|list|sort }}"
+etcd_cluster_endpoints: "{% for host in groups['etcd']|sort %}{{hostvars[host]['inventory_hostname']}}=https://{{hostvars[host]['ansible_' + etcd_interface]['ipv4']['address']}}:2380{% if not loop.last %},{% endif %}{% endfor %}"
+kubeadm_release_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/amd64/kubeadm"
diff --git a/ansible/roles/secure-etcd/defaults/main.yml b/ansible/roles/secure-etcd/defaults/main.yml
deleted file mode 100644
index 9f939ad..0000000
--- a/ansible/roles/secure-etcd/defaults/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-etcd_cluster_token: 444fddcc-beae-45bc-9da6-d941d446b595
-etcd_interface: enp0s8
-etcd_version: v3.2.10
-kubeadm_version: "v1.12.2"
\ No newline at end of file
diff --git a/ansible/roles/secure-etcd/handlers/main.yml b/ansible/roles/secure-etcd/handlers/main.yml
deleted file mode 100644
index b580c90..0000000
--- a/ansible/roles/secure-etcd/handlers/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: restart etcd
-  systemd:
-    name: etcd
-    daemon_reload: True
-    state: restarted
diff --git a/ansible/roles/secure-etcd/tasks/main.yml b/ansible/roles/secure-etcd/tasks/main.yml
deleted file mode 100644
index 203a9ef..0000000
--- a/ansible/roles/secure-etcd/tasks/main.yml
+++ /dev/null
@@ -1,150 +0,0 @@
----
-### Create TLS assets using kubeadm
-- name: download standalone kubeadm for cert generation
-  get_url:
-    url: "{{ kubeadm_release_url }}"
-    dest: /usr/local/bin/kubeadm
-    mode: 0744
-    force: no
-
-- name: determine whether kubeadm needs to create etcd ca
-  stat:
-    path: "/etc/kubernetes/pki/etcd/{{ item }}"
-  with_items:
-    - ca.crt
-    - ca.key
-  register: etcd_ca
-
-- name: determine whether kubeadm needs to create etcd peer and server certs
-  stat:
-    path: "/etc/kubernetes/pki/etcd/{{ item }}"
-  with_items:
-    - peer.crt
-    - peer.key
-    - server.crt
-    - server.key
-  register: etcd_local_tls_assets
-
-- name: determine whether kubeadm needs to create the apiserver etcd client certs
-  stat:
-    path: "/etc/kubernetes/pki/{{ item }}"
-  with_items:
-    - apiserver-etcd-client.crt
-    - apiserver-etcd-client.key
-  register: apiserver_etcd_certs
-  delegate_to: "{{ groups['etcd'][0] }}"
-
-- name: create /etc/kubernetes directory
-  file:
-    dest: /etc/kubernetes
-    state: directory
-    owner: root
-    group: root
-
-- name: laydown etcd.conf to be used for cert generation
-  template:
-    src: etc/kubernetes/etcd.conf
-    dest: /etc/kubernetes/etcd.conf
-  with_items: "{{ etcd_ca.results }}"
-  when: item.stat.exists == False
-
-- name: generate etcd ca certs with kubeadm
-  command: "/usr/local/bin/kubeadm alpha phase certs etcd-ca"
-  delegate_to: "{{ groups['etcd'][0] }}"
-  run_once: True
-  with_items: "{{ etcd_ca.results }}"
-  when: item.stat.exists == False
-
-- name: generate apiserver client certs with kubeadm
-  command: "/usr/local/bin/kubeadm alpha phase certs apiserver-etcd-client"
-  delegate_to: "{{ groups['etcd'][0] }}"
-  run_once: True
-  with_items: "{{ apiserver_etcd_certs.results }}"
-  when: item.stat.exists == False
-
-- name: slurp the etcd ca certs
-  slurp:
-    src: /etc/kubernetes/pki/etcd/{{ item }}
-  with_items:
-    - ca.crt
-    - ca.key
-  register: etcd_ca_pki
-  delegate_to: "{{ groups['etcd'][0] }}"
-  run_once: True
-
-- name: create kubernetes pki directory
-  file:
-    dest: /etc/kubernetes/pki/etcd
-    state: directory
-    owner: root
-    group: root
-
-- name: add etcd ca cert to the rest of the etcd nodes
-  no_log: True
-  copy:
-    dest: "{{ item.source }}"
-    content: "{{ item.content | b64decode }}"
-    owner: root
-    group: root
-    mode: 0700
-  with_items: "{{ etcd_ca_pki.results }}"
-  when: inventory_hostname != groups['etcd']|first
-
-- name: generate etcd peer certs with kubeadm
-  command: "/usr/local/bin/kubeadm alpha phase certs etcd-peer --config=/etc/kubernetes/etcd.conf"
-  with_items: "{{ etcd_local_tls_assets.results }}"
-  when: item.stat.exists == False
-
-- name: generate etcd server certs with kubeadm
-  command: "/usr/local/bin/kubeadm alpha phase certs etcd-server --config=/etc/kubernetes/etcd.conf"
-  with_items: "{{ etcd_local_tls_assets.results }}"
-  when: item.stat.exists == False
-
-### Download and start etcd
-- name: download and extract etcd binaries
-  unarchive:
-    remote_src: True
-    src: "{{ etcd_release_url }}"
-    dest: /tmp
-    creates: /usr/local/bin/etcd
-  register: etcd_downloaded
-
-- name: move binaries into path
-  copy:
-    remote_src: True
-    src: "/tmp/etcd-{{ etcd_version }}-linux-amd64/{{ item }}"
-    dest: "/usr/local/bin/{{ item }}"
-  with_items:
-    - etcd
-    - etcdctl
-  when: etcd_downloaded is changed
-
-- name: set permissions on etcd binaries
-  file:
-    dest: "/usr/local/bin/{{ item }}"
-    mode: 0755
-    state: file
-  with_items:
-    - etcd
-    - etcdctl
-
-- name: create data directory
-  file:
-    dest: /var/lib/etcd
-    state: directory
-
-- name: etcd systemd template
-  template:
-    src: etc/systemd/system/etcd.service
-    dest: /etc/systemd/system/etcd.service
-  tags:
-    - etcd2
-  notify:
-    - restart etcd
-
-- name: enable and start the service
-  systemd:
-    name: etcd
-    daemon_reload: True
-    state: started
-    enabled: True
diff --git a/ansible/roles/secure-etcd/templates/etc/systemd/system/etcd.service b/ansible/roles/secure-etcd/templates/etc/systemd/system/etcd.service
deleted file mode 100644
index e8f37cf..0000000
--- a/ansible/roles/secure-etcd/templates/etc/systemd/system/etcd.service
+++ /dev/null
@@ -1,34 +0,0 @@
-[Unit]
-Description=etcd
-Documentation=https://github.com/coreos/etcd
-Conflicts=etcd.service
-Conflicts=etcd2.service
-
-[Service]
-Type=notify
-Restart=always
-RestartSec=5s
-LimitNOFILE=40000
-TimeoutStartSec=0
-
-ExecStart=/usr/local/bin/etcd \
-    --name={{ inventory_hostname }} \
-    --data-dir=/var/lib/etcd \
-    --listen-client-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2379 \
-    --advertise-client-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2379 \
-    --listen-peer-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2380 \
-    --initial-advertise-peer-urls=https://{{hostvars[inventory_hostname]['ansible_' + etcd_interface]['ipv4']['address']}}:2380 \
-    --initial-cluster={{ etcd_cluster_endpoints }} \
-    --initial-cluster-token={{ etcd_cluster_token }} \
-    --initial-cluster-state=new \
-    --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
-    --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt \
-    --peer-key-file=/etc/kubernetes/pki/etcd/peer.key \
-    --peer-client-cert-auth=true \
-    --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
-    --cert-file=/etc/kubernetes/pki/etcd/server.crt \
-    --key-file=/etc/kubernetes/pki/etcd/server.key \
-    --client-cert-auth=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/ansible/roles/secure-etcd/vars/main.yml b/ansible/roles/secure-etcd/vars/main.yml
deleted file mode 100644
index d188e04..0000000
--- a/ansible/roles/secure-etcd/vars/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-etcd_release_url: "https://github.com/coreos/etcd/releases/download/{{ etcd_version }}/etcd-{{ etcd_version }}-linux-amd64.tar.gz"
-etcd_client_endpoints: "{{ groups['etcd']|map('extract', hostvars, ['ansible_' + etcd_interface, 'ipv4', 'address'])|map('regex_replace', '^(.*)$', 'https://\\1:2379')|list|sort }}"
-etcd_cluster_endpoints: "{% for host in groups['etcd']|sort %}{{hostvars[host]['inventory_hostname']}}=https://{{hostvars[host]['ansible_' + etcd_interface]['ipv4']['address']}}:2380{% if not loop.last %},{% endif %}{% endfor %}"
-kubeadm_release_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/amd64/kubeadm"

From e6f3727ffc79de0ff8af5a0a9db060f7663ccf49 Mon Sep 17 00:00:00 2001
From: Alexander Brand <alexbrand09@gmail.com>
Date: Mon, 19 Nov 2018 15:17:37 -0500
Subject: [PATCH 3/4] Update master role to talk to etcd over HTTPS

Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
---
 .../roles/kubernetes-master/defaults/main.yml |  3 +++
 .../roles/kubernetes-master/tasks/main.yml    | 27 +++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/ansible/roles/kubernetes-master/defaults/main.yml b/ansible/roles/kubernetes-master/defaults/main.yml
index d178a07..a192850 100644
--- a/ansible/roles/kubernetes-master/defaults/main.yml
+++ b/ansible/roles/kubernetes-master/defaults/main.yml
@@ -8,3 +8,6 @@ kubernetes_master_kubeadm_config:
   apiServerCertSANs: "{{ kubernetes_common_api_ip | kube_lookup_hostname(kubernetes_common_api_fqdn, True) }}"
   etcd:
     endpoints: "{{ etcd_client_endpoints }}"
+    caFile: "/etc/kubernetes/pki/etcd/ca.crt"
+    certFile: "/etc/kubernetes/pki/apiserver-etcd-client.crt"
+    keyFile: "/etc/kubernetes/pki/apiserver-etcd-client.key"
diff --git a/ansible/roles/kubernetes-master/tasks/main.yml b/ansible/roles/kubernetes-master/tasks/main.yml
index e6c8914..4742f8a 100644
--- a/ansible/roles/kubernetes-master/tasks/main.yml
+++ b/ansible/roles/kubernetes-master/tasks/main.yml
@@ -4,6 +4,33 @@
     path: /etc/kubernetes/manifests/kube-apiserver.yaml
   register: kubeadm_apiserver_manifest
 
+- name: create kubernetes pki directory
+  file:
+    dest: /etc/kubernetes/pki/etcd
+    state: directory
+    owner: root
+    group: root
+
+- name: slurp the etcd pki assets destined for the masters
+  slurp: src=/etc/kubernetes/pki/{{ item }}
+  with_items:
+    - apiserver-etcd-client.crt
+    - apiserver-etcd-client.key
+    - etcd/ca.crt
+  register: etcd_ca_pki
+  delegate_to: "{{ groups['etcd']|first }}"
+  run_once: true
+
+- name: add etcd pki assets
+  no_log: True
+  copy:
+    dest: "{{ item.source }}"
+    content: "{{ item.content | b64decode }}"
+    owner: root
+    group: root
+    mode: 0700
+  with_items: "{{ etcd_ca_pki.results }}"
+
 - name: drop kubeadm template
   template:
     src: etc/kubernetes/kubeadm.conf

From 77a4459c2060b5f41788cf75b785f6ec0e72550a Mon Sep 17 00:00:00 2001
From: Alexander Brand <alexbrand09@gmail.com>
Date: Tue, 26 Feb 2019 16:23:10 -0500
Subject: [PATCH 4/4] etcd/tasks: use first filter instead of zero index

Signed-off-by: Alexander Brand <alexbrand09@gmail.com>
---
 ansible/roles/etcd/tasks/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ansible/roles/etcd/tasks/main.yml b/ansible/roles/etcd/tasks/main.yml
index 203a9ef..a04f719 100644
--- a/ansible/roles/etcd/tasks/main.yml
+++ b/ansible/roles/etcd/tasks/main.yml
@@ -32,7 +32,7 @@
     - apiserver-etcd-client.crt
     - apiserver-etcd-client.key
   register: apiserver_etcd_certs
-  delegate_to: "{{ groups['etcd'][0] }}"
+  delegate_to: "{{ groups['etcd']|first }}"
 
 - name: create /etc/kubernetes directory
   file:
@@ -50,14 +50,14 @@
 
 - name: generate etcd ca certs with kubeadm
   command: "/usr/local/bin/kubeadm alpha phase certs etcd-ca"
-  delegate_to: "{{ groups['etcd'][0] }}"
+  delegate_to: "{{ groups['etcd']|first }}"
   run_once: True
   with_items: "{{ etcd_ca.results }}"
   when: item.stat.exists == False
 
 - name: generate apiserver client certs with kubeadm
   command: "/usr/local/bin/kubeadm alpha phase certs apiserver-etcd-client"
-  delegate_to: "{{ groups['etcd'][0] }}"
+  delegate_to: "{{ groups['etcd']|first }}"
   run_once: True
   with_items: "{{ apiserver_etcd_certs.results }}"
   when: item.stat.exists == False
@@ -69,7 +69,7 @@
     - ca.crt
     - ca.key
   register: etcd_ca_pki
-  delegate_to: "{{ groups['etcd'][0] }}"
+  delegate_to: "{{ groups['etcd']|first }}"
   run_once: True
 
 - name: create kubernetes pki directory