kubernetes-sigs
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2693 from romaindequidt/sync-certs-tasks-fix 

sync certs tasks (fix #2596 #2667)
pull/2732/head
Chad Swenson 2018-05-02 12:17:23 -05:00 committed by GitHub
parent 223ed98828 80dd230a65
commit 595e96ebf1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
roles/kubernetes/secrets/tasks/check-certs.yml
View File

@ -14,27 +14,6 @@
gen_certs: false gen_certs: false
secret_changed: false secret_changed: false
- name: "Check certs | check if a cert already exists on node"
stat:
path: "{{ kube_cert_dir }}/{{ item }}"
register: kubecert_node
with_items:
- ca.pem
- apiserver.pem
- apiserver-key.pem
- kube-scheduler.pem
- kube-scheduler-key.pem
- kube-controller-manager.pem
- kube-controller-manager-key.pem
- front-proxy-client.pem
- front-proxy-client-key.pem
- admin-{{ inventory_hostname }}.pem
- admin-{{ inventory_hostname }}-key.pem
- node-{{ inventory_hostname }}.pem
- node-{{ inventory_hostname }}-key.pem
- kube-proxy-{{ inventory_hostname }}.pem
- kube-proxy-{{ inventory_hostname }}-key.pem
- name: "Check_certs | Set 'gen_certs' to true" - name: "Check_certs | Set 'gen_certs' to true"
set_fact: set_fact:
gen_certs: true gen_certs: true
@ -85,7 +64,6 @@
{{ gen }} {{ gen }}
run_once: true run_once: true
- name: "Check_certs | Set 'gen_node_certs' to true" - name: "Check_certs | Set 'gen_node_certs' to true"
set_fact: set_fact:
gen_node_certs: |- gen_node_certs: |-
@ -102,17 +80,3 @@
{% endfor %} {% endfor %}
} }
run_once: true run_once: true
- name: "Check_certs | Set 'sync_certs' to true"
set_fact:
sync_certs: true
when: |-
{%- set certs = {'sync': False} -%}
{% if gen_node_certs[inventory_hostname] or
(not kubecert_node.results[0].stat.exists|default(False)) or
(not kubecert_node.results[12].stat.exists|default(False)) or
(not kubecert_node.results[8].stat.exists|default(False)) or
(kubecert_node.results[12].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[12].stat.path)|map(attribute="checksum")|first|default('')) -%}
{%- set _ = certs.update({'sync': True}) -%}
{% endif %}
{{ certs.sync }}

32
roles/kubernetes/secrets/tasks/gen_certs_script.yml
View File

@ -111,6 +111,34 @@
tags: tags:
- facts - facts
- name: "Check certs | check if a cert already exists on node"
find:
paths: "{{ kube_cert_dir }}"
patterns: "*.pem"
get_checksum: true
register: kubecert_node
when: inventory_hostname != groups['kube-master'][0]
- name: "Check_certs | Set 'sync_certs' to true on masters"
set_fact:
sync_certs: true
when: inventory_hostname in groups['kube-master'] and
inventory_hostname != groups['kube-master'][0] and
(not item in kubecert_node.files | map(attribute='path') | map("basename") | list or
kubecert_node.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != kubecert_master.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
with_items:
- "{{ my_master_certs + all_node_certs }}"
- name: "Check_certs | Set 'sync_certs' to true on nodes"
set_fact:
sync_certs: true
when: inventory_hostname in groups['kube-node'] and
inventory_hostname != groups['kube-master'][0] and
(not item in kubecert_node.files | map(attribute='path') | map("basename") | list or
kubecert_node.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != kubecert_master.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
with_items:
- "{{ my_node_certs }}"
- name: Gen_certs | Gather master certs - name: Gen_certs | Gather master certs
shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0" shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
args: args:
@ -138,7 +166,7 @@
# char limit when using shell command # char limit when using shell command
# FIXME(mattymo): Use tempfile module in ansible 2.3 # FIXME(mattymo): Use tempfile module in ansible 2.3
- name: Gen_certs | Prepare tempfile for unpacking certs - name: Gen_certs | Prepare tempfile for unpacking certs on masters
command: mktemp /tmp/certsXXXXX.tar.gz command: mktemp /tmp/certsXXXXX.tar.gz
register: cert_tempfile register: cert_tempfile
when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
@ -162,7 +190,7 @@
inventory_hostname != groups['kube-master'][0] inventory_hostname != groups['kube-master'][0]
notify: set secret_changed notify: set secret_changed
- name: Gen_certs | Cleanup tempfile - name: Gen_certs | Cleanup tempfile on masters
file: file:
path: "{{cert_tempfile.stdout}}" path: "{{cert_tempfile.stdout}}"
state: absent state: absent