Browse Source

fix graceful upgrade (#1704)

Fix system namespace creation
Only rotate tokens when necessary
pull/1711/head v2.2.1
Matthew Mosesohn 7 years ago
committed by GitHub
parent
commit
3ff5f40bdb
2 changed files with 18 additions and 1 deletions
  1. 17
      roles/kubernetes-apps/rotate_tokens/tasks/main.yml
  2. 2
      roles/kubernetes/master/tasks/static-pod-setup.yml

17
roles/kubernetes-apps/rotate_tokens/tasks/main.yml

@ -1,4 +1,18 @@
---
- name: Rotate Tokens | Test if default certificate is expired
shell: >-
kubectl run -i test-rotate-tokens
--image={{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}
--restart=Never --rm
kubectl get nodes
register: check_secret
failed_when: false
run_once: true
- name: Rotate Tokens | Determine if certificate is expired
set_fact:
needs_rotation: '{{ "You must be logged in" in check_secret.stderr }}'
# FIXME(mattymo): Exclude built in secrets that were automatically rotated,
# instead of filtering manually
- name: Rotate Tokens | Get all serviceaccount tokens to expire
@ -9,12 +23,15 @@
| egrep 'default-token|kube-proxy|kube-dns|dnsmasq|netchecker|weave|calico|canal|flannel|dashboard|cluster-proportional-autoscaler|efk|tiller'
register: tokens_to_delete
run_once: true
when: needs_rotation
- name: Rotate Tokens | Delete expired tokens
command: "{{ bin_dir }}/kubectl delete secrets -n {{ item.split(' ')[0] }} {{ item.split(' ')[1] }}"
with_items: "{{ tokens_to_delete.stdout_lines }}"
run_once: true
when: needs_rotation
- name: Rotate Tokens | Delete pods in system namespace
command: "{{ bin_dir }}/kubectl delete pods -n {{ system_namespace }} --all"
run_once: true
when: needs_rotation

2
roles/kubernetes/master/tasks/static-pod-setup.yml

@ -30,7 +30,7 @@
register: create_system_ns
until: create_system_ns.rc == 0
changed_when: False
when: kubesystem.rc != 0 and inventory_hostname == groups['kube-master'][0]
when: inventory_hostname == groups['kube-master'][0] and kubesystem.rc != 0
tags: apps
- name: Write kube-scheduler kubeconfig

Loading…
Cancel
Save