fix add nodes to the cluster

8 years ago · 5c22133492
4 changed files with 76 additions and 23 deletions
--- a/README.md
+++ b/README.md
@ -10,6 +10,6 @@
 - **Continuous integration tests**

 For an easy way to use it, check out [**kargo-cli**](https://github.com/kubespray/kargo-cli) </br>
-A complete **documentation** can be found [THERE](https://docs.kubespray.io)
+A complete **documentation** can be found [**here**](https://docs.kubespray.io)

 [![Build Status](https://travis-ci.org/kubespray/kargo.svg)](https://travis-ci.org/kubespray/kargo)
--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@ -0,0 +1,36 @@
+---
+- name: "Check certs | check if the certs have already been generated on first master"
+  stat:
+    path: "{{ kube_cert_dir }}/ca.pem"
+  delegate_to: groups['kube-master'][0]
+  register: kubecert_master
+  run_once: true
+
+- name: "Check_certs | Set default value for 'sync_certs' and 'gen_certs' to false"
+  set_fact:
+    sync_certs: false
+    gen_certs: false
+
+- name: "Check_certs | Set 'sync_certs' and 'gen_certs' to true"
+  set_fact:
+    gen_certs: true
+  when: not kubecert_master.stat.exists
+  run_once: true
+
+- name: "Check certs | check if a cert already exists"
+  stat:
+    path: "{{ kube_cert_dir }}/ca.pem"
+  register: kubecert 
+
+- name: "Check_certs | Set 'sync_certs' to true"
+  set_fact:
+    sync_certs: true
+  when: >-
+      {%- set certs = {'sync': False} -%}
+      {%- for server in play_hosts
+         if (not hostvars[server].kubecert.stat.exists) or
+         (hostvars[server].kubecert.stat.checksum != kubecert_master.stat.checksum|default('')) -%}
+         {%- set _ = certs.update({'sync': True}) -%}
+      {%- endfor -%}
+      {{ certs.sync }}
+  run_once: true
--- a/roles/kubernetes/secrets/tasks/gen_certs.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs.yml
@ -3,6 +3,7 @@
  become: False
  local_action: template src="openssl.conf.j2" dest="{{ role_path }}/files/openssl.conf"
  run_once: yes
+  when: gen_certs|default(false)

 - name: certs | run cert generation script
  become: False
@ -11,28 +12,47 @@
    -f {{ role_path }}/files/openssl.conf
    -d {{ role_path }}/files/certs/
  run_once: yes
+  when: gen_certs|default(false)
+  notify: set secret_changed

- name: certs | Copy certs on nodes
+- set_fact:
+    master_certs: ['ca-key.pem', 'admin.pem', 'admin-key.pem', 'apiserver-key.pem', 'apiserver.pem']
+    node_certs: ['ca.pem', 'node.pem', 'node-key.pem']
+
+- name: certs | Copy certs on first master
  copy:
    src: "certs/{{ item }}"
    dest: "{{ kube_cert_dir }}"
-  with_items:
-    - ca.pem
-    - node.pem
-    - node-key.pem
-  when: inventory_hostname in "{{ groups['k8s-cluster'] }}"
+  with_items: '{{ master_certs + node_certs }}'
+  when: inventory_hostname == "{{ groups['kube-master'][0] }}" and gen_certs|default(false)

- name: certs | Copy certs on master
+- name: certs | Get the certs from first master
+  slurp:
+    src: "{{ kube_cert_dir }}/{{ item }}"
+  delegate_to: "{{groups['kube-master'][0]}}"
+  register: slurp_certs
+  with_items: '{{ master_certs + node_certs }}'
+  when: sync_certs|default(false)
+  run_once: true
+  notify: set secret_changed
+
+- name: certs | Copy certs on masters
  copy:
-    src: "certs/{{ item }}"
-    dest: "{{ kube_cert_dir }}"
-  with_items:
-    - ca-key.pem
-    - admin.pem
-    - admin-key.pem
-    - apiserver-key.pem
-    - apiserver.pem
-  when: inventory_hostname in "{{ groups['kube-master'] }}"
+    content: "{{ item.content|b64decode }}"
+    dest: "{{ item.source }}"
+  with_items: '{{slurp_certs.results}}'
+  when: item.item in master_certs and
+        inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
+        inventory_hostname != groups['kube-master'][0]
+
+- name: certs | Copy certs on nodes
+  copy:
+    content: "{{ item.content|b64decode }}"
+    dest: "{{ item.source }}"
+  with_items: '{{slurp_certs.results}}'
+  when: item.item in node_certs and
+        inventory_hostname in groups['kube-node'] and sync_certs|default(false) and
+        inventory_hostname != groups['kube-master'][0]

 - name: certs | check certificate permissions
  file:
@ -43,6 +63,7 @@

 - shell: ls {{ kube_cert_dir}}/*key.pem
  register: keyfiles
+  changed_when: false

 - name: certs | set permissions on keys
  file:
--- a/roles/kubernetes/secrets/tasks/main.yml
+++ b/roles/kubernetes/secrets/tasks/main.yml
@ -1,4 +1,6 @@
 ---
+- include: check-certs.yml
+
 - name: Make sure the certificate directory exits
  file:
    path={{ kube_cert_dir }}
@ -30,12 +32,6 @@
  when: inventory_hostname in "{{ groups['kube-master'] }}"
  notify: set secret_changed

- name: Check if a certificate already exists
-  stat:
-    path: "{{ kube_cert_dir }}/ca.pem"
-  register: kubecert
-
 - include: gen_certs.yml
-  when: not kubecert.stat.exists

 - include: gen_tokens.yml