Add scale master features (#3946)

* Add scale master features * Add certificate management with kubeadm * Add kubeadm kubeconfig * Fix ymalroles error * fix upgrade cluster fialed * force update cert and keys when you reconfigure cluster
5 years ago · 5834e609a6
4 changed files with 94 additions and 7 deletions
--- a/roles/download/tasks/kubeadm_images.yml
+++ b/roles/download/tasks/kubeadm_images.yml
@ -1,3 +1,4 @@
+---
 - name: kubeadm | Create kubeadm config
  template:
    src: "kubeadm-images.yaml.j2"
--- a/roles/kubernetes/master/tasks/kubeadm-certificate.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-certificate.yml
@ -0,0 +1,42 @@
+---
+- name: Backup old certs and keys
+  copy:
+    src: "{{ kube_cert_dir }}/{{ item.src }}"
+    dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+    remote_src: yes
+  with_items:
+    - {src: apiserver.crt, dest: apiserver.crt.old}
+    - {src: apiserver.key, dest: apiserver.key.old}
+    - {src: apiserver-kubelet-client.crt, dest: apiserver-kubelet-client.crt.old}
+    - {src: apiserver-kubelet-client.key, dest: apiserver-kubelet-client.key.old}
+    - {src: front-proxy-client.crt, dest: front-proxy-client.crt.old}
+    - {src: front-proxy-client.key, dest: front-proxy-client.key.old}
+  ignore_errors: yes
+
+- name: Remove old certs and keys
+  file:
+    path: "{{ kube_cert_dir }}/{{ item }}"
+    state: absent
+  with_items:
+    - apiserver.crt
+    - apiserver.key
+    - apiserver-kubelet-client.crt
+    - apiserver-kubelet-client.key
+    - front-proxy-client.crt
+    - front-proxy-client.key
+
+- name: Generate new certs and keys
+  command: "{{ bin_dir }}/kubeadm init phase certs {{ item }} --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  with_items:
+    - apiserver
+    - apiserver-kubelet-client
+    - front-proxy-client
+  when: inventory_hostname == groups['kube-master']|first and kubeadm_version is version('v1.13.0', '>=')
+
+- name: Generate new certs and keys
+  command: "{{ bin_dir }}/kubeadm alpha phase certs {{ item }} --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  with_items:
+    - apiserver
+    - apiserver-kubelet-client
+    - front-proxy-client
+  when: inventory_hostname == groups['kube-master']|first and kubeadm_version is version('v1.13.0', '<')
--- a/roles/kubernetes/master/tasks/kubeadm-kubeconfig.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-kubeconfig.yml
@ -0,0 +1,32 @@
+---
+- name: Backup old configuration files
+  copy:
+    src: "{{ kube_config_dir }}/{{ item.src }}"
+    dest: "{{ kube_config_dir }}/{{ item.dest }}"
+    remote_src: yes
+  with_items:
+    - {src: admin.conf, dest: admin.conf.old}
+    - {src: kubelet.conf, dest: kubelet.conf.old}
+    - {src: controller-manager.conf, dest: controller-manager.conf.old}
+    - {src: scheduler.conf, dest: scheduler.conf.old}
+  ignore_errors: yes
+
+- name: Remove old configuration files
+  file:
+    path: "{{ kube_config_dir }}/{{ item }}"
+    state: absent
+  with_items:
+    - admin.conf
+    - kubelet.conf
+    - controller-manager.conf
+    - scheduler.conf
+
+- name: Generate new configuration files
+  command: "{{ bin_dir }}/kubeadm init phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  when: kubeadm_version is version('v1.13.0', '>=')
+  ignore_errors: yes
+
+- name: Generate new configuration files
+  command: "{{ bin_dir }}/kubeadm alpha phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  when: kubeadm_version is version('v1.13.0', '<')
+  ignore_errors: yes
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@ -10,10 +10,10 @@
  import_tasks: kubeadm-migrate-certs.yml
  when: old_apiserver_cert.stat.exists

- name: kubeadm | Check service account key
+- name: kubeadm | Check apiserver key
  stat:
-    path: "{{ kube_cert_dir }}/sa.key"
-  register: sa_key_before
+    path: "{{ kube_cert_dir }}/apiserver.key"
+  register: apiserver_key_before
  delegate_to: "{{groups['kube-master']|first}}"
  run_once: true

@ -95,6 +95,12 @@
 - name: kubeadm | set kubeadm version
  import_tasks: kubeadm-version.yml

+- name: kubeadm | Certificate management with kubeadm
+  import_tasks: kubeadm-certificate.yml
+  when:
+    - not upgrade_cluster_setup
+    - kubeadm_already_run.stat.exists
+
 - name: kubeadm | Initialize first master
  command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
  register: kubeadm_init
@ -136,6 +142,12 @@
  with_items: "{{ kubeadm_certs.results }}"
  when: inventory_hostname != groups['kube-master']|first

+- name: kubeadm | Kubeconfig management with kubeadm
+  import_tasks: kubeadm-kubeconfig.yml
+  when:
+    - not upgrade_cluster_setup
+    - kubeadm_already_run.stat.exists
+
 - name: kubeadm | Init other uninitialized masters
  command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
  register: kubeadm_init
@ -149,17 +161,17 @@
  import_tasks: kubeadm-upgrade.yml
  when: upgrade_cluster_setup

- name: kubeadm | Check service account key again
+- name: kubeadm | Check apiserver key again
  stat:
-    path: "{{ kube_cert_dir }}/sa.key"
-  register: sa_key_after
+    path: "{{ kube_cert_dir }}/apiserver.key"
+  register: apiserver_key_after
  delegate_to: "{{groups['kube-master']|first}}"
  run_once: true

 - name: kubeadm | Set secret_changed if service account key was updated
  command: /bin/true
  notify: Master | set secret_changed
-  when: sa_key_before.stat.checksum|default("") != sa_key_after.stat.checksum
+  when: apiserver_key_before.stat.checksum|default("") != apiserver_key_after.stat.checksum

 - name: kubeadm | cleanup old certs if necessary
  import_tasks: kubeadm-cleanup-old-certs.yml