kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

etcd: use dynamic group for certs generation check (#10610) 

We take advantage of group_by to create the list of nodes needing new
certs, instead of manually looping inside a Jinja template.

This should make the role more readable and less susceptible to
white space problems.
pull/10616/head
Max Gautier 2023-12-12 11:22:29 +01:00 committed by GitHub
parent 51069223f5
commit 0fb404c775
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 21 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
roles/etcd/tasks/check_certs.yml
View File

@ -88,49 +88,12 @@
- kube_network_plugin != "calico" or calico_datastore == "etcd" - kube_network_plugin != "calico" or calico_datastore == "etcd"
- force_etcd_cert_refresh or not item in etcdcert_master.files | map(attribute='path') | list - force_etcd_cert_refresh or not item in etcdcert_master.files | map(attribute='path') | list
- name: "Check_certs | Set 'gen_master_certs' object to track whether member and admin certs exist on first etcd node" - name: "Check_certs | Set 'gen_*_certs' groups to track which nodes needs to have certs generated on first etcd node"
set_fact: vars:
# noqa: jinja[spacing] existing_certs: etcdcert_master.files | map(attribute='path')
gen_master_certs: |- ansible.builtin.group_by:
{ key: "gen_{{ item.node_type }}_certs_{{ force_etcd_cert_refresh or item.certs is not subset(existing_certs) }}"
{% set etcd_members = groups['etcd'] -%} loop: "{{ cert_files | dict2items(key_name='node_type', value_name='certs') }}"
{% set existing_certs = etcdcert_master.files | map(attribute='path') | list | sort %}
{% for host in etcd_members -%}
{% set member_cert = "%s/member-%s.pem" | format(etcd_cert_dir, host) %}
{% set member_key = "%s/member-%s-key.pem" | format(etcd_cert_dir, host) %}
{% set admin_cert = "%s/admin-%s.pem" | format(etcd_cert_dir, host) %}
{% set admin_key = "%s/admin-%s-key.pem" | format(etcd_cert_dir, host) %}
{% if force_etcd_cert_refresh -%}
"{{ host }}": True,
{% elif member_cert in existing_certs and member_key in existing_certs and admin_cert in existing_certs and admin_key in existing_certs -%}
"{{ host }}": False,
{% else -%}
"{{ host }}": True,
{% endif -%}
{% endfor %}
}
run_once: true
- name: "Check_certs | Set 'gen_node_certs' object to track whether node certs exist on first etcd node"
set_fact:
# noqa: jinja[spacing]
gen_node_certs: |-
{
{% set k8s_nodes = groups['k8s_cluster'] -%}
{% set existing_certs = etcdcert_master.files | map(attribute='path') | list | sort %}
{% for host in k8s_nodes -%}
{% set host_cert = "%s/node-%s.pem" | format(etcd_cert_dir, host) %}
{% set host_key = "%s/node-%s-key.pem" | format(etcd_cert_dir, host) %}
{% if force_etcd_cert_refresh -%}
"{{ host }}": True,
{% elif host_cert in existing_certs and host_key in existing_certs -%}
"{{ host }}": False,
{% else -%}
"{{ host }}": True,
{% endif -%}
{% endfor %}
}
run_once: true
- name: "Check_certs | Set 'etcd_member_requires_sync' to true if ca or member/admin cert and key don't exist on etcd member or checksum doesn't match" - name: "Check_certs | Set 'etcd_member_requires_sync' to true if ca or member/admin cert and key don't exist on etcd member or checksum doesn't match"
set_fact: set_fact:
@ -167,5 +130,5 @@
when: when:
- etcd_member_requires_sync | default(false) or - etcd_member_requires_sync | default(false) or
kubernetes_host_requires_sync | default(false) or kubernetes_host_requires_sync | default(false) or
(inventory_hostname in gen_master_certs and gen_master_certs[inventory_hostname]) or 'gen_master_certs_True' in group_names or
(inventory_hostname in gen_node_certs and gen_node_certs[inventory_hostname]) 'gen_node_certs_True' in group_names

21
roles/etcd/tasks/gen_certs_script.yml
View File

@ -41,18 +41,8 @@
- name: Gen_certs | run cert generation script for etcd and kube control plane nodes - name: Gen_certs | run cert generation script for etcd and kube control plane nodes
command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}" command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
environment: environment:
MASTERS: |- MASTERS: "{{ groups['gen_master_certs_True'] | ansible.builtin.intersect(groups['etcd']) | join(' ') }}"
{% for m in groups['etcd'] %} HOSTS: "{{ groups['gen_node_certs_True'] | ansible.builtin.intersect(groups['kube_control_plane']) | join(' ') }}"
{% if gen_master_certs[m] %}
{{ m }}
{% endif %}
{% endfor %}
HOSTS: |-
{% for h in groups['kube_control_plane'] %}
{% if gen_node_certs[h] %}
{{ h }}
{% endif %}
{% endfor %}
run_once: yes run_once: yes
delegate_to: "{{ groups['etcd'][0] }}" delegate_to: "{{ groups['etcd'][0] }}"
when: gen_certs | default(false) when: gen_certs | default(false)
@ -61,12 +51,7 @@
- name: Gen_certs | run cert generation script for all clients - name: Gen_certs | run cert generation script for all clients
command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}" command: "bash -x {{ etcd_script_dir }}/make-ssl-etcd.sh -f {{ etcd_config_dir }}/openssl.conf -d {{ etcd_cert_dir }}"
environment: environment:
HOSTS: |- HOSTS: "{{ groups['gen_node_certs_True'] | ansible.builtin.intersect(groups['k8s_cluster']) | join(' ') }}"
{% for h in groups['k8s_cluster'] %}
{% if gen_node_certs[h] %}
{{ h }}
{% endif %}
{% endfor %}
run_once: yes run_once: yes
delegate_to: "{{ groups['etcd'][0] }}" delegate_to: "{{ groups['etcd'][0] }}"
when: when:

10
roles/etcd/vars/main.yml 100644
View File

@ -0,0 +1,10 @@
---
cert_files:
master:
- "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}.pem"
- "{{ etcd_cert_dir }}/member-{{ inventory_hostname }}-key.pem"
- "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}.pem"
- "{{ etcd_cert_dir }}/admin-{{ inventory_hostname }}-key.pem"
node:
- "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}.pem"
- "{{ etcd_cert_dir}}/node-{{ inventory_hostname }}-key.pem"