Add scale master features (#3946)
* Add scale master features * Add certificate management with kubeadm * Add kubeadm kubeconfig * Fix ymalroles error * fix upgrade cluster failed * force update cert and keys when you reconfigure clusterpull/3952/head
parent
d156449819
commit
5834e609a6
@ -1,3 +1,4 @@
---
- name: kubeadm | Create kubeadm config
- name: kubeadm | Create kubeadm config
template:
template:
src: "kubeadm-images.yaml.j2"
src: "kubeadm-images.yaml.j2"
@ -0,0 +1,42 @@
---
- name: Backup old certs and keys
copy:
src: "{{ kube_cert_dir }}/{{ item.src }}"
dest: "{{ kube_cert_dir }}/{{ item.dest }}"
remote_src: yes
with_items:
- {src: apiserver.crt, dest: apiserver.crt.old}
- {src: apiserver.key, dest: apiserver.key.old}
- {src: apiserver-kubelet-client.crt, dest: apiserver-kubelet-client.crt.old}
- {src: apiserver-kubelet-client.key, dest: apiserver-kubelet-client.key.old}
- {src: front-proxy-client.crt, dest: front-proxy-client.crt.old}
- {src: front-proxy-client.key, dest: front-proxy-client.key.old}
ignore_errors: yes
- name: Remove old certs and keys
file:
path: "{{ kube_cert_dir }}/{{ item }}"
state: absent
with_items:
- apiserver.crt
- apiserver.key
- apiserver-kubelet-client.crt
- apiserver-kubelet-client.key
- front-proxy-client.crt
- front-proxy-client.key
- name: Generate new certs and keys
command: "{{ bin_dir }}/kubeadm init phase certs {{ item }} --config={{ kube_config_dir }}/kubeadm-config.yaml"
with_items:
- apiserver
- apiserver-kubelet-client
- front-proxy-client
when: inventory_hostname == groups['kube-master']|first and kubeadm_version is version('v1.13.0', '>=')
- name: Generate new certs and keys
command: "{{ bin_dir }}/kubeadm alpha phase certs {{ item }} --config={{ kube_config_dir }}/kubeadm-config.yaml"
with_items:
- apiserver
- apiserver-kubelet-client
- front-proxy-client
when: inventory_hostname == groups['kube-master']|first and kubeadm_version is version('v1.13.0', '<')
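Review bot: The `Backup old certs and keys` task copies private keys (`apiserver.key`, `apiserver-kubelet-client.key`, `front-proxy-client.key`) to `*.old` via `copy:` with `remote_src: yes` but no `mode`, so each new backup file gets the remote default permissions rather than the source key's, which is normally tighter; add `mode: "0600"` (or `mode: preserve`) to that task so the key copies are not readable more widely than the originals. Because the backup carries `ignore_errors: yes`, a copy that fails for any reason other than a missing source still lets `Remove old certs and keys` delete the originals and leaves nothing to roll back to; restricting the loop to files that exist (a `stat` result with `when: item.stat.exists`) would be safer than ignoring every error. The two `Generate new certs and keys` tasks share one name, which makes play output ambiguous; a version suffix such as `- name: Generate new certs and keys (kubeadm >= 1.13)` would help. `remote_src: yes` and `ignore_errors: yes` should also be written as `true` to avoid YAML 1.1 truthy ambiguity.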
@ -0,0 +1,32 @@
---
- name: Backup old configuration files
copy:
src: "{{ kube_config_dir }}/{{ item.src }}"
dest: "{{ kube_config_dir }}/{{ item.dest }}"
remote_src: yes
with_items:
- {src: admin.conf, dest: admin.conf.old}
- {src: kubelet.conf, dest: kubelet.conf.old}
- {src: controller-manager.conf, dest: controller-manager.conf.old}
- {src: scheduler.conf, dest: scheduler.conf.old}
ignore_errors: yes
- name: Remove old configuration files
file:
path: "{{ kube_config_dir }}/{{ item }}"
state: absent
with_items:
- admin.conf
- kubelet.conf
- controller-manager.conf
- scheduler.conf
- name: Generate new configuration files
command: "{{ bin_dir }}/kubeadm init phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml"
when: kubeadm_version is version('v1.13.0', '>=')
ignore_errors: yes
- name: Generate new configuration files
command: "{{ bin_dir }}/kubeadm alpha phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml"
when: kubeadm_version is version('v1.13.0', '<')
ignore_errors: yes
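Review bot: `ignore_errors: yes` on both `Generate new configuration files` tasks masks a failed `kubeadm ... phase kubeconfig all` after `Remove old configuration files` has already deleted `admin.conf`, `kubelet.conf`, `controller-manager.conf` and `scheduler.conf`, so the play continues on a master with no kubeconfigs and no reported failure; drop `ignore_errors` on those two tasks (or register the result and use `failed_when: result.rc != 0`) so a regeneration failure stops the play while the `.old` backups are still on disk. The `Backup old configuration files` task copies kubeconfigs, which embed client private keys, without a `mode`, so `mode: "0600"` (or `mode: preserve`) belongs on that `copy:` too. Unlike the certificate tasks, nothing here limits regeneration to the first master; if running on every master is intended, a comment such as `# Runs on every master; each regenerates its own kubeconfigs locally` would keep the asymmetry from reading as an omission.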
@ -10,10 +10,10 @@
import_tasks: kubeadm-migrate-certs.yml
import_tasks: kubeadm-migrate-certs.yml
when: old_apiserver_cert.stat.exists
when: old_apiserver_cert.stat.exists
- name: kubeadm | Check service account key
- name: kubeadm | Check apiserver key
stat:
stat:
path: "{{ kube_cert_dir }}/sa.key"
path: "{{ kube_cert_dir }}/apiserver.key"
register: sa_key_before
register: apiserver_key_before
delegate_to: "{{groups['kube-master']|first}}"
delegate_to: "{{groups['kube-master']|first}}"
run_once: true
run_once: true
@ -95,6 +95,12 @@
- name: kubeadm | set kubeadm version
- name: kubeadm | set kubeadm version
import_tasks: kubeadm-version.yml
import_tasks: kubeadm-version.yml
- name: kubeadm | Certificate management with kubeadm
import_tasks: kubeadm-certificate.yml
when:
- not upgrade_cluster_setup
- kubeadm_already_run.stat.exists
- name: kubeadm | Initialize first master
- name: kubeadm | Initialize first master
command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
register: kubeadm_init
register: kubeadm_init
@ -136,6 +142,12 @@
with_items: "{{ kubeadm_certs.results }}"
with_items: "{{ kubeadm_certs.results }}"
when: inventory_hostname != groups['kube-master']|first
when: inventory_hostname != groups['kube-master']|first
- name: kubeadm | Kubeconfig management with kubeadm
import_tasks: kubeadm-kubeconfig.yml
when:
- not upgrade_cluster_setup
- kubeadm_already_run.stat.exists
- name: kubeadm | Init other uninitialized masters
- name: kubeadm | Init other uninitialized masters
command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
register: kubeadm_init
register: kubeadm_init
@ -149,17 +161,17 @@
import_tasks: kubeadm-upgrade.yml
import_tasks: kubeadm-upgrade.yml
when: upgrade_cluster_setup
when: upgrade_cluster_setup
- name: kubeadm | Check service account key again
- name: kubeadm | Check apiserver key again
stat:
stat:
path: "{{ kube_cert_dir }}/sa.key"
path: "{{ kube_cert_dir }}/apiserver.key"
register: sa_key_after
register: apiserver_key_after
delegate_to: "{{groups['kube-master']|first}}"
delegate_to: "{{groups['kube-master']|first}}"
run_once: true
run_once: true
- name: kubeadm | Set secret_changed if service account key was updated
- name: kubeadm | Set secret_changed if service account key was updated
command: /bin/true
command: /bin/true
notify: Master | set secret_changed
notify: Master | set secret_changed
when: sa_key_before.stat.checksum|default("") != sa_key_after.stat.checksum
when: apiserver_key_before.stat.checksum|default("") != apiserver_key_after.stat.checksum
- name: kubeadm | cleanup old certs if necessary
- name: kubeadm | cleanup old certs if necessary
import_tasks: kubeadm-cleanup-old-certs.yml
import_tasks: kubeadm-cleanup-old-certs.yml
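Review bot: The task name `kubeadm | Set secret_changed if service account key was updated` is now stale: the `@ -149,17 +161,17 @@` hunk switches the comparison to `apiserver_key_before`/`apiserver_key_after` on `apiserver.key`, so the name should read `- name: kubeadm | Set secret_changed if apiserver key was updated`. That same change also means a change to `sa.key` no longer notifies `Master | set secret_changed`; if any other path in this role can still regenerate `sa.key`, that notification is lost, so either keep the `sa.key` stat next to the new one or state in a comment that only the apiserver key is expected to rotate here. In the `@ -95,6 +95,12 @@` and `@ -136,6 +142,12 @@` hunks the new import conditions (`not upgrade_cluster_setup` together with `kubeadm_already_run.stat.exists`) regenerate certs and kubeconfigs on every non-upgrade rerun against an already-initialized master; a one-line comment above each `import_tasks` saying that this rotation is intentional on reconfiguration would make that visible to the next maintainer.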