richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5373 Commits
29 Branches
81 Tags
147 MiB
Tree: 109391031b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '109391031b'
${ noResults }
kubespray/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml

72 lines
2.4 KiB
Raw Normal View History

Enable kubeadm etcd mode (#4818) * Enable kubeadm etcd mode Uses cert commands from kubeadm experimental control plane to enable non-master nodes to obtain etcd certs. Related story: PROD-29434 Change-Id: Idafa1d223e5c6ceadf819b6f9c06adf4c4f74178 * Add validation checks and exclude calico kdd mode Change-Id: Ic234f5e71261d33191376e70d438f9f6d35f358c * Move etcd mode test to ubuntu flannel HA job Change-Id: I9af6fd80a1bbb1692ab10d6da095eb368f6bc732 * rename etcd_mode to etcd_kubeadm_enabled Change-Id: Ib196d6c8a52f48cae370b026f7687ff9ca69c172
5 years ago
Fix commands for using experimental kubeadm control plane (#5006)
5 years ago
Enable kubeadm etcd mode (#4818) * Enable kubeadm etcd mode Uses cert commands from kubeadm experimental control plane to enable non-master nodes to obtain etcd certs. Related story: PROD-29434 Change-Id: Idafa1d223e5c6ceadf819b6f9c06adf4c4f74178 * Add validation checks and exclude calico kdd mode Change-Id: Ic234f5e71261d33191376e70d438f9f6d35f358c * Move etcd mode test to ubuntu flannel HA job Change-Id: I9af6fd80a1bbb1692ab10d6da095eb368f6bc732 * rename etcd_mode to etcd_kubeadm_enabled Change-Id: Ib196d6c8a52f48cae370b026f7687ff9ca69c172
5 years ago
Switch to Kubernetes v1.16.0 (#5189) * Switch to Kubernetes v1.16.0 Change-Id: I5d6a9528b2d443750fc5e031aff15ad3ffead158 * Fix download localhost cached file path Change-Id: I65e79b70e3d1b37265ebc60f41b460cf4b0a0d47 * fix kubeadm etcd for v1.16 Change-Id: I6888a00fd48b530a38b0b31c4095492476af42d2 * disable tf packet jobs Change-Id: I075c4666547fdea4c50ec04864f38e2cfaa79154 * Disable contiv packet jobs. Fix kube-router Change-Id: I3170e8789e60711d4cee8faf65f2094480b79b8d * bump sonobuoy version Change-Id: Ib946905629c7c53ed88f08fb2f41c454457a0097
5 years ago
Enable kubeadm etcd mode (#4818) * Enable kubeadm etcd mode Uses cert commands from kubeadm experimental control plane to enable non-master nodes to obtain etcd certs. Related story: PROD-29434 Change-Id: Idafa1d223e5c6ceadf819b6f9c06adf4c4f74178 * Add validation checks and exclude calico kdd mode Change-Id: Ic234f5e71261d33191376e70d438f9f6d35f358c * Move etcd mode test to ubuntu flannel HA job Change-Id: I9af6fd80a1bbb1692ab10d6da095eb368f6bc732 * rename etcd_mode to etcd_kubeadm_enabled Change-Id: Ib196d6c8a52f48cae370b026f7687ff9ca69c172
5 years ago
Switch to Kubernetes v1.16.0 (#5189) * Switch to Kubernetes v1.16.0 Change-Id: I5d6a9528b2d443750fc5e031aff15ad3ffead158 * Fix download localhost cached file path Change-Id: I65e79b70e3d1b37265ebc60f41b460cf4b0a0d47 * fix kubeadm etcd for v1.16 Change-Id: I6888a00fd48b530a38b0b31c4095492476af42d2 * disable tf packet jobs Change-Id: I075c4666547fdea4c50ec04864f38e2cfaa79154 * Disable contiv packet jobs. Fix kube-router Change-Id: I3170e8789e60711d4cee8faf65f2094480b79b8d * bump sonobuoy version Change-Id: Ib946905629c7c53ed88f08fb2f41c454457a0097
5 years ago
Enable kubeadm etcd mode (#4818) * Enable kubeadm etcd mode Uses cert commands from kubeadm experimental control plane to enable non-master nodes to obtain etcd certs. Related story: PROD-29434 Change-Id: Idafa1d223e5c6ceadf819b6f9c06adf4c4f74178 * Add validation checks and exclude calico kdd mode Change-Id: Ic234f5e71261d33191376e70d438f9f6d35f358c * Move etcd mode test to ubuntu flannel HA job Change-Id: I9af6fd80a1bbb1692ab10d6da095eb368f6bc732 * rename etcd_mode to etcd_kubeadm_enabled Change-Id: Ib196d6c8a52f48cae370b026f7687ff9ca69c172
5 years ago
  1. ---
  2. - name: Refresh certificates so they are fresh and not expired
  3. command: >-
  4. {{ bin_dir }}/kubeadm init phase
  5. --config {{ kube_config_dir }}/kubeadm-config.yaml
  6. upload-certs
  7. --upload-certs
  8. register: kubeadm_upload_cert
  9. delegate_to: "{{ groups['kube-master'][0] }}"
  10. when: kubeadm_etcd_refresh_cert_key
  11. run_once: yes
  13. - name: Parse certificate key if not set
  14. set_fact:
  15. kubeadm_certificate_key: "{{ hostvars[groups['kube-master'][0]]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}"
  16. when: kubeadm_certificate_key is undefined
  18. - name: Pull control plane certs down
  19. shell: >-
  20. {{ bin_dir }}/kubeadm join phase
  21. control-plane-prepare download-certs
  22. --certificate-key {{ kubeadm_certificate_key }}
  23. --control-plane
  24. --token {{ kubeadm_token }}
  25. --discovery-token-unsafe-skip-ca-verification
  26. {{ kubeadm_discovery_address }}
  27. &&
  28. {{ bin_dir }}/kubeadm join phase
  29. control-plane-prepare certs
  30. --control-plane
  31. --token {{ kubeadm_token }}
  32. --discovery-token-unsafe-skip-ca-verification
  33. {{ kubeadm_discovery_address }}
  34. args:
  35. creates: "{{ kube_cert_dir }}/apiserver-etcd-client.key"
  37. - name: Delete unneeded certificates
  38. file:
  39. path: "{{ item }}"
  40. state: absent
  41. with_items:
  42. - "{{ kube_cert_dir }}/apiserver.crt"
  43. - "{{ kube_cert_dir }}/apiserver.key"
  44. - "{{ kube_cert_dir }}/ca.key"
  45. - "{{ kube_cert_dir }}/etcd/ca.key"
  46. - "{{ kube_cert_dir }}/etcd/healthcheck-client.crt"
  47. - "{{ kube_cert_dir }}/etcd/healthcheck-client.key"
  48. - "{{ kube_cert_dir }}/etcd/peer.crt"
  49. - "{{ kube_cert_dir }}/etcd/peer.key"
  50. - "{{ kube_cert_dir }}/etcd/server.crt"
  51. - "{{ kube_cert_dir }}/etcd/server.key"
  52. - "{{ kube_cert_dir }}/front-proxy-ca.crt"
  53. - "{{ kube_cert_dir }}/front-proxy-ca.key"
  54. - "{{ kube_cert_dir }}/front-proxy-client.crt"
  55. - "{{ kube_cert_dir }}/front-proxy-client.key"
  56. - "{{ kube_cert_dir }}/sa.key"
  57. - "{{ kube_cert_dir }}/sa.pub"
  59. - name: Calculate etcd cert serial
  60. command: "openssl x509 -in {{ kube_cert_dir }}/apiserver-etcd-client.crt -noout -serial"
  61. register: "etcd_client_cert_serial_result"
  62. changed_when: false
  63. when:
  64. - inventory_hostname in groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique|sort
  65. tags:
  66. - network
  68. - name: Set etcd_client_cert_serial
  69. set_fact:
  70. etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout.split('=')[1] }}"
  71. tags:
  72. - network