richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5763 Commits
33 Branches
82 Tags
153 MiB
Tree: ae3a1d7c01
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ae3a1d7c01'
${ noResults }
kubespray/roles/etcd/tasks/check_certs.yml

145 lines
7.2 KiB
Raw Normal View History

Add etcd TLS support
8 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Use find module for checking for certificates Also generate certs only when absent on master (rather than when absent on target node)
8 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
More idempotency fixes Fixed sync_tokens fact Fixed sync_certs for k8s tokens fact Disabled register docker images changability Fixed CNI dir permission Fix idempotency for etcd pre upgrade checks
8 years ago
ansible-lint: add spaces around variables [E206] (#4699)
5 years ago
Add etcd TLS support
8 years ago
Individual etcd ssl certs Includes hooks for triggering calico, kubelet, and kube-apiserver restarts if etcd certs changed.
8 years ago
Add etcd TLS support
8 years ago
Individual etcd ssl certs Includes hooks for triggering calico, kubelet, and kube-apiserver restarts if etcd certs changed.
8 years ago
Add etcd TLS support
8 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Add etcd TLS support
8 years ago
Fix creation and sync of etcd certs Admin certs only go to etcd nodes Only generate cert-data for nodes that need sync
8 years ago
Only use stat get_checksum: yes when needed (#7270) By default Ansible stat module compute checksum, list extended attributes and find mime type To find all stat invocations that really use one of those: git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)' Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
4 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Individual etcd ssl certs Includes hooks for triggering calico, kubelet, and kube-apiserver restarts if etcd certs changed.
8 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Individual etcd ssl certs Includes hooks for triggering calico, kubelet, and kube-apiserver restarts if etcd certs changed.
8 years ago
Add etcd TLS support
8 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Use find module for checking for certificates Also generate certs only when absent on master (rather than when absent on target node)
8 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Use find module for checking for certificates Also generate certs only when absent on master (rather than when absent on target node)
8 years ago
ansible-lint: Don't use bare variables (#4608) Circumvented one false positive from ansible-lint Moved a block of jinja magic into its own variable
5 years ago
Add .editorconfig file (#6307)
4 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Add .editorconfig file (#6307)
4 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Add .editorconfig file (#6307)
4 years ago
Use find module for checking for certificates Also generate certs only when absent on master (rather than when absent on target node)
8 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Fix certificates checking when adding etcd node to existing k8s node (#5807) Co-authored-by: alexkomrakov <alexkomrakov@gmail.com>
4 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Fix certificates checking when adding etcd node to existing k8s node (#5807) Co-authored-by: alexkomrakov <alexkomrakov@gmail.com>
4 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Fix certificates checking when adding etcd node to existing k8s node (#5807) Co-authored-by: alexkomrakov <alexkomrakov@gmail.com>
4 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Use find module for checking for certificates Also generate certs only when absent on master (rather than when absent on target node)
8 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Use find module for checking for certificates Also generate certs only when absent on master (rather than when absent on target node)
8 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Use find module for checking for certificates Also generate certs only when absent on master (rather than when absent on target node)
8 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
Add etcd TLS support
8 years ago
Fix ansible syntax to avoid ansible warnings (again) (#3509) * Fix ansible syntax to avoid ansible warnings (again) * warn: false on tar -cfz * wrong placement of warn:false
6 years ago
Updated etcd cert check tasks to detect when new cert gen is required (#7219) * Added force_etcd_cert_refresh var to maintain existing functionality. Broke out etcd node cert syncing from member and admin cert sync logic. Now first etcd will sync node certs to other etcd members on every run to keep all etcds up to date after adding additional worker nodes to the cluster * Updated etcd cert check tasks to better detect when new certificates need to be generated * Move usage of force_etcd_cert_refresh var to gen_certs fact set * Force etcd cert generation per server if force_etcd_cert_refresh is set to true * Include gathering of node certs even if k8s-cluster member and in etcd group. * Removed run_once due to when statement
4 years ago
  1. ---
  2. - name: "Check_certs | Register certs that have already been generated on first etcd node"
  3. find:
  4. paths: "{{ etcd_cert_dir }}"
  5. patterns: "ca.pem,node*.pem,member*.pem,admin*.pem"
  6. get_checksum: true
  7. delegate_to: "{{ groups['etcd'][0] }}"
  8. register: etcdcert_master
  9. run_once: true
  11. - name: "Check_certs | Set default value for 'sync_certs', 'gen_certs' and 'etcd_secret_changed' to false"
  12. set_fact:
  13. sync_certs: false
  14. gen_certs: false
  15. etcd_secret_changed: false
  17. - name: "Check certs | Register ca and etcd admin/member certs on etcd hosts"
  18. stat:
  19. path: "{{ etcd_cert_dir }}/{{ item }}"
  20. get_attributes: no
  21. get_checksum: yes
  22. get_mime: no
  23. register: etcd_member_certs
  24. when: inventory_hostname in groups['etcd']
  25. with_items:
  26. - ca.pem
  27. - member-{{ inventory_hostname }}.pem
  28. - member-{{ inventory_hostname }}-key.pem
  29. - admin-{{ inventory_hostname }}.pem
  30. - admin-{{ inventory_hostname }}-key.pem
  32. - name: "Check certs | Register ca and etcd node certs on kubernetes hosts"
  33. stat:
  34. path: "{{ etcd_cert_dir }}/{{ item }}"
  35. register: etcd_node_certs
  36. when: (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
  37. inventory_hostname in groups['k8s-cluster'])
  38. with_items:
  39. - ca.pem
  40. - node-{{ inventory_hostname }}.pem
  41. - node-{{ inventory_hostname }}-key.pem
  43. - name: "Check_certs | Set 'gen_certs' to true if expected certificates are not on the first etcd node"
  44. set_fact:
  45. gen_certs: true
  46. when: force_etcd_cert_refresh or not item in etcdcert_master.files|map(attribute='path') | list
  47. run_once: true
  48. with_items: "{{ expected_files }}"
  49. vars:
  50. expected_files: >-
  51. ['{{ etcd_cert_dir }}/ca.pem',
  52. {% set etcd_members = groups['etcd'] %}
  53. {% for host in etcd_members %}
  54. '{{ etcd_cert_dir }}/admin-{{ host }}.pem',
  55. '{{ etcd_cert_dir }}/admin-{{ host }}-key.pem',
  56. '{{ etcd_cert_dir }}/member-{{ host }}.pem',
  57. '{{ etcd_cert_dir }}/member-{{ host }}-key.pem',
  58. {% endfor %}
  59. {% set k8s_nodes = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique|sort %}
  60. {% for host in k8s_nodes %}
  61. '{{ etcd_cert_dir }}/node-{{ host }}.pem',
  62. '{{ etcd_cert_dir }}/node-{{ host }}-key.pem'
  63. {% if not loop.last %}{{','}}{% endif %}
  64. {% endfor %}]
  66. - name: "Check_certs | Set 'gen_master_certs' object to track whether member and admin certs exist on first etcd node"
  67. set_fact:
  68. gen_master_certs: |-
  69. {
  70. {% set etcd_members = groups['etcd'] -%}
  71. {% set existing_certs = etcdcert_master.files|map(attribute='path')|list|sort %}
  72. {% for host in etcd_members -%}
  73. {% set member_cert = "%s/member-%s.pem"|format(etcd_cert_dir, host) %}
  74. {% set member_key = "%s/member-%s-key.pem"|format(etcd_cert_dir, host) %}
  75. {% set admin_cert = "%s/admin-%s.pem"|format(etcd_cert_dir, host) %}
  76. {% set admin_key = "%s/admin-%s-key.pem"|format(etcd_cert_dir, host) %}
  77. {% if force_etcd_cert_refresh -%}
  78. "{{ host }}": True,
  79. {% elif member_cert in existing_certs and member_key in existing_certs and admin_cert in existing_certs and admin_key in existing_certs -%}
  80. "{{ host }}": False,
  81. {% else -%}
  82. "{{ host }}": True,
  83. {% endif -%}
  84. {% endfor %}
  85. }
  86. run_once: true
  88. - name: "Check_certs | Set 'gen_node_certs' object to track whether node certs exist on first etcd node"
  89. set_fact:
  90. gen_node_certs: |-
  91. {
  92. {% set k8s_nodes = groups['k8s-cluster']|union(groups['calico-rr']|default([]))|unique|sort -%}
  93. {% set existing_certs = etcdcert_master.files|map(attribute='path')|list|sort %}
  94. {% for host in k8s_nodes -%}
  95. {% set host_cert = "%s/node-%s.pem"|format(etcd_cert_dir, host) %}
  96. {% set host_key = "%s/node-%s-key.pem"|format(etcd_cert_dir, host) %}
  97. {% if force_etcd_cert_refresh -%}
  98. "{{ host }}": True,
  99. {% elif host_cert in existing_certs and host_key in existing_certs -%}
  100. "{{ host }}": False,
  101. {% else -%}
  102. "{{ host }}": True,
  103. {% endif -%}
  104. {% endfor %}
  105. }
  106. run_once: true
  108. - name: "Check_certs | Set 'etcd_member_requires_sync' to true if ca or member/admin cert and key don't exist on etcd member or checksum doesn't match"
  109. set_fact:
  110. etcd_member_requires_sync: true
  111. when:
  112. - inventory_hostname in groups['etcd']
  113. - (not etcd_member_certs.results[0].stat.exists|default(false)) or
  114. (not etcd_member_certs.results[1].stat.exists|default(false)) or
  115. (not etcd_member_certs.results[2].stat.exists|default(false)) or
  116. (not etcd_member_certs.results[3].stat.exists|default(false)) or
  117. (not etcd_member_certs.results[4].stat.exists|default(false)) or
  118. (etcd_member_certs.results[0].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcd_member_certs.results[0].stat.path)|map(attribute="checksum")|first|default('')) or
  119. (etcd_member_certs.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcd_member_certs.results[1].stat.path)|map(attribute="checksum")|first|default('')) or
  120. (etcd_member_certs.results[2].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcd_member_certs.results[2].stat.path)|map(attribute="checksum")|first|default('')) or
  121. (etcd_member_certs.results[3].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcd_member_certs.results[3].stat.path)|map(attribute="checksum")|first|default('')) or
  122. (etcd_member_certs.results[4].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcd_member_certs.results[4].stat.path)|map(attribute="checksum")|first|default(''))
  124. - name: "Check_certs | Set 'kubernetes_host_requires_sync' to true if ca or node cert and key don't exist on kubernetes host or checksum doesn't match"
  125. set_fact:
  126. kubernetes_host_requires_sync: true
  127. when:
  128. - (('calico-rr' in groups and inventory_hostname in groups['calico-rr']) or
  129. inventory_hostname in groups['k8s-cluster']) and
  130. inventory_hostname not in groups['etcd']
  131. - (not etcd_node_certs.results[0].stat.exists|default(false)) or
  132. (not etcd_node_certs.results[1].stat.exists|default(false)) or
  133. (not etcd_node_certs.results[2].stat.exists|default(false)) or
  134. (etcd_node_certs.results[0].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcd_node_certs.results[0].stat.path)|map(attribute="checksum")|first|default('')) or
  135. (etcd_node_certs.results[1].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcd_node_certs.results[1].stat.path)|map(attribute="checksum")|first|default('')) or
  136. (etcd_node_certs.results[2].stat.checksum|default('') != etcdcert_master.files|selectattr("path", "equalto", etcd_node_certs.results[2].stat.path)|map(attribute="checksum")|first|default(''))
  138. - name: "Check_certs | Set 'sync_certs' to true"
  139. set_fact:
  140. sync_certs: true
  141. when:
  142. - etcd_member_requires_sync|default(false) or
  143. kubernetes_host_requires_sync|default(false) or
  144. (inventory_hostname in gen_master_certs and gen_master_certs[inventory_hostname]) or
  145. (inventory_hostname in gen_node_certs and gen_node_certs[inventory_hostname])