From c66bafaa188b22bcfbce75056541cc2cafda8a64 Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Wed, 1 Jul 2015 13:19:06 -0400
Subject: [PATCH] Generate a kubeconfig for kubectl which can be taken off the masterA /etc/kubernetes/kuectl.kubeconfig
---
 .../roles/kubernetes/tasks/gen_tokens.yml | 2 +-
 .../ansible/roles/kubernetes/tasks/secrets.yml | 6 +++++-
 contrib/ansible/roles/master/tasks/main.yml | 5 +++++
 .../master/templates/kubectl.kubeconfig.j2 | 18 ++++++++++++++++++
 4 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 contrib/ansible/roles/master/templates/kubectl.kubeconfig.j2
diff --git a/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml b/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
index ad11be10a27..ce0c1d267bc 100644
--- a/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
+++ b/contrib/ansible/roles/kubernetes/tasks/gen_tokens.yml
@@ -10,7 +10,7 @@
 environment:
 TOKEN_DIR: "{{ kube_token_dir }}"
 with_nested:
- - [ "system:controller_manager", "system:scheduler" ]
+ - [ "system:controller_manager", "system:scheduler", "system:kubectl" ]
 - "{{ groups['masters'] }}"
 register: gentoken
 changed_when: "'Added' in gentoken.stdout"
diff --git a/contrib/ansible/roles/kubernetes/tasks/secrets.yml b/contrib/ansible/roles/kubernetes/tasks/secrets.yml
index 3778bf89490..ae9ffe73d37 100644
--- a/contrib/ansible/roles/kubernetes/tasks/secrets.yml
+++ b/contrib/ansible/roles/kubernetes/tasks/secrets.yml
@@ -35,8 +35,12 @@
 run_once: true
 delegate_to: "{{ groups['masters'][0] }}"
+- name: Register the CA certificate as a fact so it can be used later
+ set_fact:
+ kube_ca_cert: "{{ ca_cert.content|b64decode }}"
+
 - name: Place CA certificate everywhere
- copy: content="{{ ca_cert.content|b64decode }}" dest="{{ kube_cert_dir }}/ca.crt"
+ copy: content="{{ kube_ca_cert }}" dest="{{ kube_cert_dir }}/ca.crt"
 notify:
 - restart daemons
diff --git a/contrib/ansible/roles/master/tasks/main.yml b/contrib/ansible/roles/master/tasks/main.yml
index 8a676cb124d..3b98db71235 100644
--- a/contrib/ansible/roles/master/tasks/main.yml
+++ b/contrib/ansible/roles/master/tasks/main.yml
@@ -27,6 +27,7 @@
 with_items:
 - "system:controller_manager"
 - "system:scheduler"
+ - "system:kubectl"
 register: tokens
 delegate_to: "{{ groups['masters'][0] }}"
@@ -34,6 +35,7 @@
 set_fact:
 controller_manager_token: "{{ tokens.results[0].content|b64decode }}"
 scheduler_token: "{{ tokens.results[1].content|b64decode }}"
+ kubectl_token: "{{ tokens.results[2].content|b64decode }}"
 - name: write the config file for the controller-manager
 template: src=controller-manager.j2 dest={{ kube_config_dir }}/controller-manager
@@ -61,6 +63,9 @@
 - name: Enable scheduler
 service: name=kube-scheduler enabled=yes state=started
+- name: write the kubecfg (auth) file for kubectl
+ template: src=kubectl.kubeconfig.j2 dest={{ kube_config_dir }}/kubectl.kubeconfig
+
 - include: firewalld.yml
 when: has_firewalld
diff --git a/contrib/ansible/roles/master/templates/kubectl.kubeconfig.j2 b/contrib/ansible/roles/master/templates/kubectl.kubeconfig.j2
new file mode 100644
index 00000000000..9225280ded3
--- /dev/null
+++ b/contrib/ansible/roles/master/templates/kubectl.kubeconfig.j2
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+current-context: kubectl-to-{{ cluster_name }}
+preferences: {}
+clusters:
+- cluster:
+ certificate-authority-data: {{ kube_ca_cert|b64encode }}
+ server: https://{{ groups['masters'][0] }}:443
+ name: {{ cluster_name }}
+contexts:
+- context:
+ cluster: {{ cluster_name }}
+ user: kubectl
+ name: kubectl-to-{{ cluster_name }}
+users:
+- name: kubectl
+ user:
+ token: {{ kubectl_token }}
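Review bot: `kubectl_token: "{{ tokens.results[2].content|b64decode }}"` in the second main.yml hunk ties the new fact to the position of `"system:kubectl"` in the `with_items` list of the first hunk; if that list is ever reordered the three facts silently swap tokens, and the kubectl kubeconfig would be written with the scheduler's credential without any task failing. A one-line comment on the set_fact task would at least document the coupling, e.g. `# order must match the with_items list of the token fetch task above`; a more robust form would select each result by its `item` field rather than by index. The set_fact task's `name:` line and the fetch task's header are above their hunks, so I cannot see whether either already notes this.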
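Review bot: The new `template:` task in the third main.yml hunk writes a file that carries the `system:kubectl` bearer token but sets no `mode=`, so it is created with the module's default umask-derived permissions (typically 0644) under `{{ kube_config_dir }}`. Any local account on the master could then read the token and act with whatever authorization it carries, which defeats the point of a per-component token. Restrict it at creation time: `template: src=kubectl.kubeconfig.j2 dest={{ kube_config_dir }}/kubectl.kubeconfig mode=0600`, adding `owner=` if a specific account is meant to run kubectl. Whether the sibling template tasks for the controller-manager and scheduler configs set a mode is outside these hunks, so the same check may apply there.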
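Review bot: Every Jinja-substituted scalar in the new kubectl.kubeconfig.j2 is unquoted (`name: {{ cluster_name }}`, `cluster: {{ cluster_name }}`, `token: {{ kubectl_token }}`), so a value that contains a YAML indicator, or that happens to look like a number or boolean, is re-typed or breaks the parse when kubectl loads the file. Quote them, e.g. `token: "{{ kubectl_token }}"` and `cluster: "{{ cluster_name }}"`; `certificate-authority-data` is base64 output and is safe as written. `server: https://{{ groups['masters'][0] }}:443` hard-codes the secure port; if the role exposes the apiserver port as a variable elsewhere, referencing it here keeps the two from drifting apart, though I cannot tell that from this hunk. Pairing `https` with `certificate-authority-data` means the client verifies the master's certificate, which is the right default to keep.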