richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Always backup both certs and kubeconfig 

There are no reasons not to backup during upgrade

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
pull/7071/head
Etienne Champetier 4 years ago
committed by Kubernetes Prow Robot
parent
8800b5c01d
commit
53e5ef6b4e
3 changed files with 33 additions and 21 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 28
      roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
  2. 15
      roles/kubernetes/control-plane/tasks/kubeadm-certificate.yml
  3. 11
      roles/kubernetes/control-plane/tasks/kubeadm-setup.yml

28
roles/kubernetes/control-plane/tasks/kubeadm-backup.yml
View File

@ -0,0 +1,28 @@
---
- name: Backup old certs and keys
copy:
src: "{{ kube_cert_dir }}/{{ item }}"
dest: "{{ kube_cert_dir }}/{{ item }}.old"
mode: preserve
remote_src: yes
with_items:
- apiserver.crt
- apiserver.key
- apiserver-kubelet-client.crt
- apiserver-kubelet-client.key
- front-proxy-client.crt
- front-proxy-client.key
ignore_errors: yes
- name: Backup old confs
copy:
src: "{{ kube_config_dir }}/{{ item }}"
dest: "{{ kube_config_dir }}/{{ item }}.old"
mode: preserve
remote_src: yes
with_items:
- admin.conf
- controller-manager.conf
- kubelet.conf
- scheduler.conf
ignore_errors: yes

15
roles/kubernetes/control-plane/tasks/kubeadm-certificate.yml
View File

@ -1,15 +0,0 @@
---
- name: Backup old certs and keys
copy:
src: "{{ kube_cert_dir }}/{{ item.src }}"
dest: "{{ kube_cert_dir }}/{{ item.dest }}"
mode: 0640
remote_src: yes
with_items:
- {src: apiserver.crt, dest: apiserver.crt.old}
- {src: apiserver.key, dest: apiserver.key.old}
- {src: apiserver-kubelet-client.crt, dest: apiserver-kubelet-client.crt.old}
- {src: apiserver-kubelet-client.key, dest: apiserver-kubelet-client.key.old}
- {src: front-proxy-client.crt, dest: front-proxy-client.crt.old}
- {src: front-proxy-client.key, dest: front-proxy-client.key.old}
ignore_errors: yes

11
roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
View File

@ -18,6 +18,11 @@
get_mime: no get_mime: no
register: kubeadm_already_run register: kubeadm_already_run
- name: kubeadm | Backup kubeadm certs / kubeconfig
import_tasks: kubeadm-backup.yml
when:
- kubeadm_already_run.stat.exists
- name: kubeadm | aggregate all SANs - name: kubeadm | aggregate all SANs
set_fact: set_fact:
apiserver_sans: "{{ (sans_base + groups['kube-master'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_address + sans_override + sans_hostname + sans_fqdn) | unique }}" apiserver_sans: "{{ (sans_base + groups['kube-master'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_address + sans_override + sans_hostname + sans_fqdn) | unique }}"
@ -68,12 +73,6 @@
- name: kubeadm | set kubeadm version - name: kubeadm | set kubeadm version
import_tasks: kubeadm-version.yml import_tasks: kubeadm-version.yml
- name: kubeadm | Certificate management with kubeadm
import_tasks: kubeadm-certificate.yml
when:
- not upgrade_cluster_setup
- kubeadm_already_run.stat.exists
- name: kubeadm | Check if apiserver.crt contains all needed SANs - name: kubeadm | Check if apiserver.crt contains all needed SANs
command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -check{{ item|ipaddr|ternary('ip','host') }} "{{ item }}" command: openssl x509 -noout -in "{{ kube_cert_dir }}/apiserver.crt" -check{{ item|ipaddr|ternary('ip','host') }} "{{ item }}"
with_items: "{{ apiserver_sans }}" with_items: "{{ apiserver_sans }}"

Write Preview
Loading…
Cancel
Save