Docker ca

roles/docker/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+# defaults file for docker
+docker_tmp_dir: /var/lib/docker/tmp
+docker_dns_config: ''
+docker_storage_config: --storage-driver=overlay
+docker_endpoints: "-H=tcp://0.0.0.0:2376 -H=unix:///var/run/docker.sock"
+docker_bridge_ip: ''
+docker_proxy_exceptions: ''
+docker_registry: ''
+private_docker_registry: false
+docker_tls: "--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem"
+docker_customisations: "{{ docker_endpoints }} {{ docker_tls }} {{ docker_bridge_ip }} {{ docker_storage_config }} {{ docker_dns_config }} {{ docker_registry }}"
+
+

roles/docker/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+# handlers file for docker
+- name: restart docker
+  become: yes
+  service:
+   name: docker
+   state: restarted

roles/docker/meta/main.yml

@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: Graham Taylor
+  description:
+  company: Capgemini
+  license: license (MIT)
+  min_ansible_version: 1.2
+  platforms:
+  - name: CoreOS
+  categories:
+  - cloud
+  - system
+dependencies:
+  - role: handlers
+

roles/docker/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+# tasks file for docker
+- name: ensure docker config dir exists
+  become: yes
+  file:
+    path: /root/.docker
+    state: directory
+  tags:
+    - docker
+
+- name: setup private docker registry credentials
+  become: yes
+  when: private_docker_registry|bool
+  template:
+    src: config.json.j2
+    dest: /root/.docker/config.json
+  tags:
+    - docker
+
+- name: deploy docker service
+  become: yes
+  become_user: root
+  template:
+    src: docker.service.j2
+    dest: /etc/systemd/system/docker.service
+  notify:
+    - reload systemd
+    - restart docker
+  tags:
+    - docker
+
+- name: ensure docker is running (and enable it at boot)
+  become: yes
+  service:
+    name: docker
+    state: started
+    enabled: yes
+  tags:
+    - docker

roles/docker/templates/config.json.j2

@@ -0,0 +1,8 @@
+{
+    "auths": {
+        "{{ docker_registry_url }}": {
+            "auth": "{{ docker_registry_auth }}",
+            "email": "{{ docker_registry_email }}"
+        }
+    }
+}

roles/docker/templates/docker.service.j2

@@ -0,0 +1,21 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+After=docker.socket early-docker.target network.target
+Requires=docker.socket early-docker.target
+
+[Service]
+EnvironmentFile=-/run/flannel_docker_opts.env
+{% if http_proxy is defined and http_proxy != '' %}
+Environment="HTTP_PROXY={{ http_proxy }}"
+Environment="NO_PROXY={{ docker_proxy_exceptions }}"
+{% endif %}
+Environment="DOCKER_TMPDIR={{ docker_tmp_dir }}"
+
+MountFlags=slave
+LimitNOFILE=1048576
+LimitNPROC=1048576
+ExecStart=/usr/lib/coreos/dockerd daemon {{ docker_customisations }} --host=fd:// $DOCKER_OPTS $DOCKER_OPT_BIP $DOCKER_OPT_MTU $DOCKER_OPT_IPMASQ
+
+[Install]
+WantedBy=multi-user.target

site.yml

@@ -20,6 +20,10 @@
 
 - include: playbooks/coreos-bootstrap.yml
 
+- hosts: all
+  roles:
+    - docker
+
 - hosts: masters
   roles:
     - kube-master

terraform/digitalocean/main.tf

@@ -6,6 +6,7 @@ variable "workers" { default = "1" }
 variable "master_instance_type" { default = "512mb" }
 variable "worker_instance_type" { default = "512mb" }
 variable "etcd_discovery_url_file" { default = "etcd_discovery_url.txt" }
+
 /*
   we need to use at least beta because we need rkt version 0.15.0+ to run the
   kubelet wrapper script.
@@ -82,6 +83,30 @@ module "admin_cert" {
   ca_private_key_pem = "${module.ca.ca_private_key_pem}"
 }
 
+module "docker_daemon_certs" {
+  source                = "github.com/Capgemini/tf_tls//docker/daemon"
+  ca_cert_pem           = "${module.ca.ca_cert_pem}"
+  ca_private_key_pem    = "${module.ca.ca_private_key_pem}"
+  ip_addresses_list     = "${concat(digitalocean_droplet.master.*.ipv4_address, digitalocean_droplet.worker.*.ipv4_address)}"
+  docker_daemon_count   = "${var.masters + var.workers}"
+  private_key           = "${tls_private_key.ssh.private_key_pem}"
+  validity_period_hours = 8760
+  early_renewal_hours   = 720
+  user                  = "core"
+}
+
+module "docker_client_certs" {
+  source                = "github.com/Capgemini/tf_tls//docker/client"
+  ca_cert_pem           = "${module.ca.ca_cert_pem}"
+  ca_private_key_pem    = "${module.ca.ca_private_key_pem}"
+  ip_addresses_list     = "${concat(digitalocean_droplet.master.*.ipv4_address, digitalocean_droplet.worker.*.ipv4_address)}"
+  docker_client_count   = "${var.masters + var.workers}"
+  private_key           = "${tls_private_key.ssh.private_key_pem}"
+  validity_period_hours = 8760
+  early_renewal_hours   = 720
+  user                  = "core"
+}
+
 resource "template_file" "master_cloud_init" {
   template   = "master-cloud-config.yml.tpl"
   depends_on = ["template_file.etcd_discovery_url"]