Julien Le Fur
2 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with
30 additions and
3 deletions
-
roles/kubernetes/control-plane/tasks/kubeadm-secondary.yml
-
roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
-
roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
-
roles/kubespray-defaults/defaults/main.yaml
|
|
@ -19,6 +19,7 @@ |
|
|
|
register: kubeadm_upload_cert |
|
|
|
when: |
|
|
|
- inventory_hostname == first_kube_control_plane |
|
|
|
- not kube_external_ca_mode |
|
|
|
|
|
|
|
- name: Parse certificate key if not set |
|
|
|
set_fact: |
|
|
@ -49,11 +50,20 @@ |
|
|
|
debug: |
|
|
|
msg: "{{ kubeadm_already_run.stat.exists }}" |
|
|
|
|
|
|
|
- name: Joining control plane node to the cluster. |
|
|
|
- name: Reset cert directory |
|
|
|
shell: >- |
|
|
|
if [ -f /etc/kubernetes/manifests/kube-apiserver.yaml ]; then |
|
|
|
{{ bin_dir }}/kubeadm reset -f --cert-dir {{ kube_cert_dir }}; |
|
|
|
fi && |
|
|
|
fi |
|
|
|
environment: |
|
|
|
PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}" |
|
|
|
when: |
|
|
|
- inventory_hostname != first_kube_control_plane |
|
|
|
- kubeadm_already_run is not defined or not kubeadm_already_run.stat.exists |
|
|
|
- not kube_external_ca_mode |
|
|
|
|
|
|
|
- name: Joining control plane node to the cluster. |
|
|
|
command: >- |
|
|
|
{{ bin_dir }}/kubeadm join |
|
|
|
--config {{ kube_config_dir }}/kubeadm-controlplane.yaml |
|
|
|
--ignore-preflight-errors=all |
|
|
|
|
|
@ -101,6 +101,7 @@ |
|
|
|
changed_when: "'NEED-RENEW' in apiserver_sans_check.stdout" |
|
|
|
when: |
|
|
|
- kubeadm_already_run.stat.exists |
|
|
|
- not kube_external_ca_mode |
|
|
|
|
|
|
|
- name: kubeadm | regenerate apiserver cert 1/2 |
|
|
|
file: |
|
|
@ -112,6 +113,7 @@ |
|
|
|
when: |
|
|
|
- kubeadm_already_run.stat.exists |
|
|
|
- apiserver_sans_check.changed |
|
|
|
- not kube_external_ca_mode |
|
|
|
|
|
|
|
- name: kubeadm | regenerate apiserver cert 2/2 |
|
|
|
command: >- |
|
|
@ -121,6 +123,7 @@ |
|
|
|
when: |
|
|
|
- kubeadm_already_run.stat.exists |
|
|
|
- apiserver_sans_check.changed |
|
|
|
- not kube_external_ca_mode |
|
|
|
|
|
|
|
- name: kubeadm | Initialize first master |
|
|
|
command: >- |
|
|
@ -129,7 +132,7 @@ |
|
|
|
--config={{ kube_config_dir }}/kubeadm-config.yaml |
|
|
|
--ignore-preflight-errors=all |
|
|
|
--skip-phases={{ kubeadm_init_phases_skip | join(',') }} |
|
|
|
--upload-certs |
|
|
|
{{ kube_external_ca_mode | ternary('', '--upload-certs') }} |
|
|
|
register: kubeadm_init |
|
|
|
# Retry is because upload config sometimes fails |
|
|
|
retries: 3 |
|
|
|
|
|
@ -376,3 +376,11 @@ |
|
|
|
when: |
|
|
|
- containerd_config is defined |
|
|
|
- not ignore_assert_errors |
|
|
|
|
|
|
|
- name: Stop if auto_renew_certificates is enabled when certificates are managed externally (kube_external_ca_mode is true) |
|
|
|
assert: |
|
|
|
that: not auto_renew_certificates |
|
|
|
msg: "Variable auto_renew_certificates must be disabled when CA are managed externally: kube_external_ca_mode = true" |
|
|
|
when: |
|
|
|
- kube_external_ca_mode |
|
|
|
- not ignore_assert_errors |
|
|
@ -157,6 +157,12 @@ kube_token_dir: "{{ kube_config_dir }}/tokens" |
|
|
|
# cert files to. Not really changeable... |
|
|
|
kube_cert_group: kube-cert |
|
|
|
|
|
|
|
# Set to true when the CAs are managed externally. |
|
|
|
# When true, disables all tasks manipulating certificates. Ensure before the kubespray run that: |
|
|
|
# - Certificates and CAs are present in kube_cert_dir |
|
|
|
# - Kubeconfig files are present in kube_config_dir |
|
|
|
kube_external_ca_mode: false |
|
|
|
|
|
|
|
# Cluster Loglevel configuration |
|
|
|
kube_log_level: 2 |
|
|
|
|
|
|
|