Update

roles/secrets/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

roles/secrets/README.md

@@ -0,0 +1,25 @@
+Secrets
+=========
+
+Builds the encryption config to be used with the kubeadm cluster.
+
+Requirements
+------------
+
+The directory you place the encryption config file in needs to be one that the kube-api server container will mount to. This can be viewed in the volumes section of /etc/kubernetes/manfiests/kube-api
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/secrets/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for secrets

roles/secrets/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for secrets

roles/secrets/meta/main.yml

@@ -0,0 +1,53 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.9
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
+  

roles/secrets/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+# tasks file for secrets
+
+# Role for creating k8s cluster encryption key and config
+
+# Documentation: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
+
+# Generate a 32 byte random key and base64 encode it
+- name: Generate a 32 byte random key and base64 encode it
+  shell: head -c 32 /dev/urandom | base64
+  register: secret
+  when: inventory_hostname == groups['masters'][0] 
+  tags:
+    - encryption_config
+
+# Takes the secret generated above and place it into a .j2 template
+# to create the encryption config
+- name: Place encryption config template onto master
+  template:
+    src: encryption-config.yaml.j2
+    dest: /etc/pki/encryption-config.yaml
+  when: inventory_hostname == groups['masters'][0]
+  tags:
+    - encryption_config
+
+# Resgister the encryption config file for fetching
+- name: Register encryption config for fetching from master01
+  find:
+    paths: /etc/pki
+    recurse: no
+    patterns: "encryption-config.yaml"
+  register: files_to_copy
+  tags:
+    - encryption_config
+  when: inventory_hostname == groups['masters'][0]
+
+##########################################
+##     WARNING: ADD THIS ROLES /FILES   ##
+##     DIRECTORY TO YOUR .GITIGNORE     ##
+##            OR EVERYONE WILL          ##
+#      HAVE YOUR encryption-config      ##
+##########################################
+
+# Bring encryption config to the ansible controller
+- name: Fetch Encryption Config
+  fetch:
+    src: "{{ item.path }}"
+    dest: roles/secrets/files/
+    flat: yes
+  with_items: "{{ files_to_copy.files }}"
+  tags:
+    - encryption_config
+  when: inventory_hostname == groups['masters'][0]
+
+# This task is reserved for when you have 2 or more control nodes
+#- name: Distribute encryption config to other control nodes ( masters )
+#  copy:
+#    src: "encryption-config.yaml"
+#    dest: "/etc/pki"
+#  when: inventory_hostname == groups['management'][0]
+#  tags:
+#    - encryption_config

roles/secrets/templates/encryption-config.yaml.j2

@@ -0,0 +1,11 @@
+apiVersion: apiserver.config.k8s.io/v1
+kind: EncryptionConfiguration
+resources:
+  - resources:
+    - secrets
+    providers:
+    - aescbc:
+        keys:
+        - name: key1
+          secret: {{ secret.stdout }}
+    - identity: {}

roles/secrets/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/secrets/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - secrets

roles/secrets/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for secrets