First push - yes, I know I need to add a readme at some point

files/csv_templatez/token.csv

@@ -0,0 +1,5 @@
+{%- for token in auth_tokens -%} 
+  {%- for key, value in token.iteritems() -%}
+    {{ value.password }},{{ value.username }},{{ value.uid }}{{"\n"}}
+  {%- endfor -%}
+{%- endfor -%}

files/json_templatez/auth_policy.jsonl

@@ -0,0 +1,11 @@
+{%- for policy in auth_policy -%}
+  {%- for key, value in policy.iteritems() -%}
+    {%- if value.username -%}
+      {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "{{ value.username }}", "namespace": "{{ value.namespace }}", "resource": "{{ value.resource }}","apiGroup": "{{ value.apigroup }}", "nonResourcePath": "{{ value.nonresourcepath }}", "readonloy": "{{ value.readonly }}"}}{{"\n"}}
+    {%- elif value.group -%}
+      {"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"group": "{{ value.group }}", "namespace": "{{ value.namespace }}", "resource": "{{ value.resource }}","apiGroup": "{{ value.apigroup }}", "nonResourcePath": "{{ value.nonresourcepath }}", "readonloy": "{{ value.readonly }}"}}{{"\n"}}
+    {%- endif -%}
+  {%- endfor -%}
+{%- endfor -%}
+
+

files/json_templatez/pki_ca_config.json

@@ -0,0 +1,13 @@
+{
+  "signing": {
+    "default": {
+      "expiry": "{{ pki_info.ca_expire }}"
+    },
+    "profiles": {
+      "{{ pki_info.cert_name }}": {
+        "usages": ["signing", "key encipherment", "server auth", "client auth"],
+        "expiry": "{{ pki_info.ca_expire }}"
+      }
+    }
+  }
+}

files/json_templatez/pki_ca_csr.json

@@ -0,0 +1,16 @@
+{
+  "CN": "{{ pki_info.cert_name }}",
+  "key": {
+    "algo": "rsa",
+    "size": {{ pki_info.key_size }}
+  },
+  "names": [
+    {
+      "C": "{{ pki_info.cert_country }}",
+      "L": "{{ pki_info.cert_city }}",
+      "O": "{{ pki_info.cert_org }}",
+      "OU": "{{ pki_info.cert_ou }}",
+      "ST": "{{ pki_info.cert_province }}"
+    }
+  ]
+}

files/json_templatez/pki_crt_csr.json

@@ -0,0 +1,24 @@
+{%- set hosts = [cluster_info.service_network_cidr|ipaddr(1)|ipaddr('address'),"127.0.0.1"] -%}
+{%- for node in host_roles -%} 
+  {%- for key, value in node.iteritems() -%} 
+    {{- hosts.append(value['ipaddress']) -}}
+    {{- hosts.append(value['fqdn']) -}}
+  {%- endfor -%}
+{%- endfor -%}
+{
+  "CN": "{{ pki_info.cert_name }}",
+  "hosts": {{ hosts | to_json }},
+  "key": {
+    "algo": "rsa",
+    "size": {{ pki_info.key_size }}
+  },
+  "names": [
+    {
+      "C": "{{ pki_info.cert_country }}",
+      "L": "{{ pki_info.cert_city }}",
+      "O": "{{ pki_info.cert_org }}",
+      "OU": "{{ pki_info.cert_ou }}",
+      "ST": "{{ pki_info.cert_province }}"
+    }
+  ]
+}

files/pod_definitionz/kubedns-svc.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-dns
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "KubeDNS"
+spec:
+  selector:
+    k8s-app: kube-dns
+  clusterIP: {{ cluster_info.dns_service_ip }} 
+  ports:
+  - name: dns
+    port: 53
+    protocol: UDP
+  - name: dns-tcp
+    port: 53
+    protocol: TCP

files/pod_definitionz/kubedns.yaml

@@ -0,0 +1,109 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: kube-dns-v20
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns
+    version: v20
+    kubernetes.io/cluster-service: "true"
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      k8s-app: kube-dns
+      version: v20
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-dns
+        version: v20
+        kubernetes.io/cluster-service: "true"
+      annotations:
+        scheduler.alpha.kubernetes.io/critical-pod: ''
+        scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
+    spec:
+      containers:
+      - name: kubedns
+        image: gcr.io/google_containers/kubedns-amd64:1.8
+        resources:
+          # TODO: Set memory limits when we've profiled the container for large
+          # clusters, then set request = limit to keep this container in
+          # guaranteed class. Currently, this container falls into the
+          # "burstable" category so the kubelet doesn't backoff from restarting it.
+          limits:
+            memory: 170Mi
+          requests:
+            cpu: 100m
+            memory: 70Mi
+        livenessProbe:
+          httpGet:
+            path: /healthz-kubedns
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+        readinessProbe:
+          httpGet:
+            path: /readiness
+            port: 8081
+            scheme: HTTP
+          # we poll on pod startup for the Kubernetes master service and
+          # only setup the /readiness HTTP server once that's available.
+          initialDelaySeconds: 3
+          timeoutSeconds: 5
+        args:
+        # command = "/kube-dns"
+        - --domain=cluster.local
+        - --dns-port=10053
+        ports:
+        - containerPort: 10053
+          name: dns-local
+          protocol: UDP
+        - containerPort: 10053
+          name: dns-tcp-local
+          protocol: TCP
+      - name: dnsmasq
+        image: gcr.io/google_containers/kube-dnsmasq-amd64:1.4
+        livenessProbe:
+          httpGet:
+            path: /healthz-dnsmasq
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+        args:
+        - --cache-size=1000
+        - --no-resolv
+        - --server=127.0.0.1#10053
+        - --log-facility=-
+        ports:
+        - containerPort: 53
+          name: dns
+          protocol: UDP
+        - containerPort: 53
+          name: dns-tcp
+          protocol: TCP
+      - name: healthz
+        image: gcr.io/google_containers/exechealthz-amd64:1.2
+        resources:
+          limits:
+            memory: 50Mi
+          requests:
+            cpu: 10m
+            memory: 50Mi
+        args:
+        - --cmd=nslookup kubernetes.default.svc.cluster.local 127.0.0.1 >/dev/null
+        - --url=/healthz-dnsmasq
+        - --cmd=nslookup kubernetes.default.svc.cluster.local 127.0.0.1:10053 >/dev/null
+        - --url=/healthz-kubedns
+        - --port=8080
+        - --quiet
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+      dnsPolicy: Default  # Don't use cluster DNS

files/systemd_templatez/docker.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.io
+
+[Service]
+ExecStart=/usr/bin/docker daemon \
+  --iptables=false \
+  --ip-masq=false \
+  --host=unix:///var/run/docker.sock \
+  --log-level=error \
+  --storage-driver=overlay
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

files/systemd_templatez/etcd.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=etcd
+Documentation=https://github.com/coreos
+
+[Service]
+ExecStart=/usr/bin/etcd --name etcdclusterz \
+  --cert-file={{ pki_info.cert_path }}/{{ pki_info.cert_name }}.pem \
+  --key-file={{ pki_info.cert_path }}/{{ pki_info.cert_name }}-key.pem \
+  --peer-cert-file={{ pki_info.cert_path }}/{{ pki_info.cert_name }}.pem \
+  --peer-key-file={{ pki_info.cert_path }}/{{ pki_info.cert_name }}-key.pem \
+  --trusted-ca-file={{ pki_info.cert_path }}/ca.pem \
+  --peer-trusted-ca-file={{ pki_info.cert_path }}/ca.pem \
+  --initial-advertise-peer-urls https://{{ansible_default_ipv4.address}}:2380 \
+  --listen-peer-urls https://{{ansible_default_ipv4.address}}:2380 \
+  --listen-client-urls https://{{ansible_default_ipv4.address}}:2379,http://127.0.0.1:2379 \
+  --advertise-client-urls https://{{ansible_default_ipv4.address}}:2379 \
+  --initial-cluster-token etcd-cluster-0 \
+  --initial-cluster etcdclusterz=https://{{ansible_default_ipv4.address}}:2380 \
+  --initial-cluster-state new \
+  --data-dir=/var/lib/etcd
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

files/systemd_templatez/kube-apiserver.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=Kubernetes API Server
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+
+[Service]
+ExecStart=/usr/bin/kube-apiserver \
+  --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
+  --advertise-address={{ansible_default_ipv4.address}} \
+  --allow-privileged=true \
+  --apiserver-count=3 \
+  --authorization-mode=ABAC \
+  --authorization-policy-file=/var/lib/kubernetes/authorization-policy.jsonl \
+  --bind-address=0.0.0.0 \
+  --enable-swagger-ui=true \
+  --etcd-cafile={{ pki_info.cert_path }}/ca.pem \
+  --insecure-bind-address=0.0.0.0 \
+  --kubelet-certificate-authority={{ pki_info.cert_path }}/ca.pem \
+  --etcd-servers=https://{{ansible_default_ipv4.address}}:2379 \
+  --service-account-key-file={{ pki_info.cert_path }}/{{ pki_info.cert_name }}-key.pem \
+  --service-cluster-ip-range={{ cluster_info.service_network_cidr }} \
+  --service-node-port-range=30000-32767 \
+  --tls-cert-file={{ pki_info.cert_path }}/kubernetes.pem \
+  --tls-private-key-file={{ pki_info.cert_path }}/{{ pki_info.cert_name }}-key.pem \
+  --token-auth-file=/var/lib/kubernetes/token.csv \
+  --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

files/systemd_templatez/kube-controller-manager.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=Kubernetes Controller Manager
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+
+[Service]
+ExecStart=/usr/bin/kube-controller-manager \
+  --allocate-node-cidrs=true \
+  --cluster-cidr={{ cluster_info.cluster_node_cidr }} \
+  --cluster-name={{ cluster_info.cluster_name }} \
+  --leader-elect=true \
+  --master=http://{{ansible_default_ipv4.address}}:8080 \
+  --root-ca-file={{ pki_info.cert_path }}/ca.pem \
+  --service-account-private-key-file={{ pki_info.cert_path }}/{{ pki_info.cert_name }}-key.pem \
+  --service-cluster-ip-range={{ cluster_info.service_network_cidr }} \
+  --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

files/systemd_templatez/kube-proxy.service

@@ -0,0 +1,24 @@
+{%- set master = [] -%}
+{%- for node in host_roles -%} 
+  {%- for key, value in node.iteritems() -%} 
+    {%- if "master" in value['type'] -%}
+      {{- master.append(value['ipaddress']) -}}
+    {%- endif -%}
+  {%- endfor -%}
+{%- endfor -%}
+[Unit]
+Description=Kubernetes Kube Proxy
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+
+[Service]
+ExecStart=/usr/bin/kube-proxy \
+  --master=https://{{ master | join(",") }}:6443 \
+  --kubeconfig=/var/lib/kubelet/kubeconfig \
+  --proxy-mode=iptables \
+  --v=2
+
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

files/systemd_templatez/kube-scheduler.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Kubernetes Scheduler
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+
+[Service]
+ExecStart=/usr/bin/kube-scheduler \
+  --leader-elect=true \
+  --master=http://{{ansible_default_ipv4.address}}:8080 \
+  --v=2
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

files/systemd_templatez/kubelet.service

@@ -0,0 +1,36 @@
+{%- set master = [] -%}
+{%- for node in host_roles -%} 
+  {%- for key, value in node.iteritems() -%} 
+    {%- if "master" in value['type'] -%}
+      {{- master.append(value['ipaddress']) -}}
+    {%- endif -%}
+  {%- endfor -%}
+{%- endfor -%}
+[Unit]
+Description=Kubernetes Kubelet
+Documentation=https://github.com/GoogleCloudPlatform/kubernetes
+After=docker.service
+Requires=docker.service
+
+[Service]
+ExecStart=/usr/bin/kubelet \
+  --allow-privileged=true \
+  --api-servers=https://{{ master | join(",") }}:6443 \
+  --cloud-provider= \
+  --cluster-dns={{ cluster_info.dns_service_ip }} \
+  --cluster-domain={{ cluster_info.cluster_domain }} \
+  --container-runtime=docker \
+  --docker=unix:///var/run/docker.sock \
+  --network-plugin=kubenet \
+  --kubeconfig=/var/lib/kubelet/kubeconfig \
+  --reconcile-cidr=true \
+  --serialize-image-pulls=false \
+  --tls-cert-file={{ pki_info.cert_path }}/{{ pki_info.cert_name }}.pem \
+  --tls-private-key-file={{ pki_info.cert_path }}/{{ pki_info.cert_name }}-key.pem \
+  --v=2
+
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target