Enable external CA mode for control-plane deployment (#8620)
parent
d7254eead6
commit
30306d6ec7
|
@ -19,6 +19,7 @@
|
|||
register: kubeadm_upload_cert
|
||||
when:
|
||||
- inventory_hostname == first_kube_control_plane
|
||||
- not kube_external_ca_mode
|
||||
|
||||
- name: Parse certificate key if not set
|
||||
set_fact:
|
||||
|
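Review bot: The `- not kube_external_ca_mode` condition added to the upload-certs task means `kubeadm_upload_cert` is registered as a skipped result in external CA mode, and the task that follows, `Parse certificate key if not set` (its `set_fact:` is the last line of the hunk, the value is outside it), appears to read that result. Unless its `when` is also gated on `not kube_external_ca_mode`, or it guards with `kubeadm_upload_cert is not skipped`, reading `kubeadm_upload_cert.stdout` there will fail with an undefined attribute; worth confirming against the rest of the file. If it is not gated, the one-line fix is adding `- not kube_external_ca_mode` to that task's `when` as well.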
@ -49,11 +50,20 @@
|
|||
debug:
|
||||
msg: "{{ kubeadm_already_run.stat.exists }}"
|
||||
|
||||
- name: Joining control plane node to the cluster.
|
||||
- name: Reset cert directory
|
||||
shell: >-
|
||||
if [ -f /etc/kubernetes/manifests/kube-apiserver.yaml ]; then
|
||||
{{ bin_dir }}/kubeadm reset -f --cert-dir {{ kube_cert_dir }};
|
||||
fi &&
|
||||
fi
|
||||
environment:
|
||||
PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
|
||||
when:
|
||||
- inventory_hostname != first_kube_control_plane
|
||||
- kubeadm_already_run is not defined or not kubeadm_already_run.stat.exists
|
||||
- not kube_external_ca_mode
|
||||
|
||||
- name: Joining control plane node to the cluster.
|
||||
command: >-
|
||||
{{ bin_dir }}/kubeadm join
|
||||
--config {{ kube_config_dir }}/kubeadm-controlplane.yaml
|
||||
--ignore-preflight-errors=all
|
||||
|
|
|
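Review bot: The new `Reset cert directory` task hides its only condition inside the shell script (`if [ -f /etc/kubernetes/manifests/kube-apiserver.yaml ]`), so Ansible reports `changed` on every run even when nothing is reset, and the task name understates what `kubeadm reset -f` does, which as far as I know tears down far more than `kube_cert_dir`. Moving the file test into a `stat` task plus a `when` condition lets the task use `command:` instead of `shell:`, reports change accurately, and makes the destructive step visible in the play output; the `not kube_external_ca_mode` gate stays as it is. The `Joining control plane node to the cluster` task that follows continues past the end of the hunk.
```yaml
- name: Check for an existing kube-apiserver manifest
  stat:
    path: /etc/kubernetes/manifests/kube-apiserver.yaml
    get_checksum: false
  register: kube_apiserver_manifest
  when: inventory_hostname != first_kube_control_plane

- name: Reset cert directory
  command: "{{ bin_dir }}/kubeadm reset -f --cert-dir {{ kube_cert_dir }}"
  environment:
    PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
  when:
    - inventory_hostname != first_kube_control_plane
    - kubeadm_already_run is not defined or not kubeadm_already_run.stat.exists
    - kube_apiserver_manifest.stat.exists | default(false)
    - not kube_external_ca_mode

# … unchanged: Joining control plane node to the cluster …
```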
@ -101,6 +101,7 @@
|
|||
changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout"
|
||||
when:
|
||||
- kubeadm_already_run.stat.exists
|
||||
- not kube_external_ca_mode
|
||||
|
||||
- name: kubeadm | regenerate apiserver cert 1/2
|
||||
file:
|
||||
|
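Review bot: Gating the apiserver SAN check (the task whose `changed_when` tests for `'NEED-RENEW'`) on `not kube_external_ca_mode` removes drift detection entirely in external CA mode, not only the regeneration, so an apiserver certificate whose SANs no longer match the configured addresses goes unnoticed; the same gate on the two regenerate tasks in the next hunks (`@ -112,6 +113,7 @@` and `@ -121,6 +123,7 @@`) is the part that genuinely must not run without a CA key. Consider leaving the check ungated and adding an assert or `fail` that tells the operator to reissue the certificate externally when `apiserver_sans_check.changed` and `kube_external_ca_mode` are both true. If skipping the check is intentional, a comment saying so, e.g. `# external CA: SAN drift is the operator's responsibility, check is skipped`, would make that explicit.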
@ -112,6 +113,7 @@
|
|||
when:
|
||||
- kubeadm_already_run.stat.exists
|
||||
- apiserver_sans_check.changed
|
||||
- not kube_external_ca_mode
|
||||
|
||||
- name: kubeadm | regenerate apiserver cert 2/2
|
||||
command: >-
|
||||
|
@ -121,6 +123,7 @@
|
|||
when:
|
||||
- kubeadm_already_run.stat.exists
|
||||
- apiserver_sans_check.changed
|
||||
- not kube_external_ca_mode
|
||||
|
||||
- name: kubeadm | Initialize first master
|
||||
command: >-
|
||||
|
@ -129,7 +132,7 @@
|
|||
--config={{ kube_config_dir }}/kubeadm-config.yaml
|
||||
--ignore-preflight-errors=all
|
||||
--skip-phases={{ kubeadm_init_phases_skip | join(',') }}
|
||||
--upload-certs
|
||||
{{ kube_external_ca_mode | ternary('', '--upload-certs') }}
|
||||
register: kubeadm_init
|
||||
# Retry is because upload config sometimes fails
|
||||
retries: 3
|
||||
|
|
|
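Review bot: The line `{{ kube_external_ca_mode | ternary('', '--upload-certs') }}` in the `kubeadm init` command has no comment explaining why the flag disappears, and the `# Retry is because upload config sometimes fails` comment just below it now describes only one of the two modes. Suggest a comment above the ternary line such as `# --upload-certs publishes the control-plane certs and keys (CA key included) to a Secret; not possible with an external CA`, and rewording the retry comment so it does not read as though an upload always happens. Because YAML folds the `>-` scalar before Jinja renders it, an empty result only leaves an extra space in the command string, which the `command` module tolerates.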
@ -376,3 +376,11 @@
|
|||
when:
|
||||
- containerd_config is defined
|
||||
- not ignore_assert_errors
|
||||
|
||||
- name: Stop if auto_renew_certificates is enabled when certificates are managed externally (kube_external_ca_mode is true)
|
||||
assert:
|
||||
that: not auto_renew_certificates
|
||||
msg: "Variable auto_renew_certificates must be disabled when CA are managed externally: kube_external_ca_mode = true"
|
||||
when:
|
||||
- kube_external_ca_mode
|
||||
- not ignore_assert_errors
|
||||
|
|
|
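Review bot: The new assert only rejects `auto_renew_certificates`, while the preconditions this commit documents for `kube_external_ca_mode` (certificates present in `kube_cert_dir`, kubeconfigs in `kube_config_dir`) are not checked anywhere, so a misconfigured run fails later inside `kubeadm init` instead of in preinstall. A `stat` over the expected files on the control-plane nodes followed by an assert would fail fast with an actionable message; the file names below are the standard kubeadm ones, adjust to what the playbook actually requires. The `msg` string also reads oddly, `when CA are managed externally`; `when the CA is managed externally` is clearer.
```yaml
- name: Check for externally provided certificate and kubeconfig files
  stat:
    path: "{{ item }}"
    get_checksum: false
  register: kube_external_ca_files
  loop:
    - "{{ kube_cert_dir }}/ca.crt"
    - "{{ kube_config_dir }}/admin.conf"
  when:
    - kube_external_ca_mode
    - inventory_hostname in groups['kube_control_plane']

- name: Stop if certificate files are missing when certificates are managed externally (kube_external_ca_mode is true)
  assert:
    that: item.stat.exists
    msg: "{{ item.item }} is missing but kube_external_ca_mode = true; provide all certificates and kubeconfig files before running kubespray"
  loop: "{{ kube_external_ca_files.results | default([]) }}"
  when:
    - kube_external_ca_mode
    - not ignore_assert_errors
    - inventory_hostname in groups['kube_control_plane']
```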
@ -157,6 +157,12 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
|
|||
# cert files to. Not really changeable...
|
||||
kube_cert_group: kube-cert
|
||||
|
||||
# Set to true when the CAs are managed externally.
|
||||
# When true, disables all tasks manipulating certificates. Ensure before the kubespray run that:
|
||||
# - Certificates and CAs are present in kube_cert_dir
|
||||
# - Kubeconfig files are present in kube_config_dir
|
||||
kube_external_ca_mode: false
|
||||
|
||||
# Cluster Loglevel configuration
|
||||
kube_log_level: 2
|
||||
|
||||
|
|
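Review bot: The comment above `kube_external_ca_mode: false` says the flag "disables all tasks manipulating certificates", which is broader than what this commit actually gates (the upload-certs task, the cert-dir reset, the apiserver SAN check and regeneration, and the `--upload-certs` flag on `kubeadm init`), and it omits two conditions the rest of the commit relies on: `auto_renew_certificates` must be false (enforced by the new preinstall assert), and, for kubeadm itself to operate in external CA mode, `ca.key` must be absent from `kube_cert_dir` while `ca.crt` and the signed certificates are present. Suggest rewording the first sentence to name the tasks that are skipped and extending the bullet list, e.g. `# - ca.crt and all signed certificates/keys are present in kube_cert_dir, and ca.key is NOT (this is what puts kubeadm in external CA mode)` and `# - auto_renew_certificates is false`.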